This morning, my Ubuntu laptop won’t boot up. My immediate reaction was shivers at the back of my neck and then down the shoulders. I don’t understand why it felt that way. It’s like one of those situations when you suddenly discovered you left your wallet, your laptop, or something valuable in a restaurant and your mind started racing trying to figure out how to get back quickly and at the same time thinking what would happen and what would you do if you can’t locateĀ it anymore… And all those thoughts happening in just two or three seconds.
In this case, my laptop won’t boot up, it uses LUKS full disk encryption, I have no idea how to recover it, I haven’t done it before, I don’t know if it can be recovered, and I’ve got tons of important data in there!
Fortunately, those were just a couple of seconds and after that you go back to your sane state and do what most everyone else does – Google your way out. Thanks again to Google, it was easy to research on how to recover an LUKS-encrypted disk.
I missed the old days when recovering a disk from a failed system was as simple as attaching the disk to another system, mounting it, and start accessing your data back. Life has changed. With most of our valuables in digital format nowadays, you need to apply the same security you do with physical valuables – you lock them up with a key. But instead of locking with a door, you lock the data by encrypting it.
Below are the steps to recover a LUKS encrypted disk. There are tons of information like this online but I thought I just need to add another document among hundreds already out there in case one poor soul can only find this one.
Summary:
- Boot the system from a rescue disk or Live CD. If this is not possible, attach the encrypted disk to another Linux system
- Identify the device name of the encrypted disk
- Identify the encrypted partition in the disk
- Unlock the encrypted partition
- If the partition is using logical volumes, identify the volume group(s) used
- If the partition is using logical volumes, enable the volume group
- Mount the logical volume desired. If the partition is not using logical volumes, mount the mapped device directly.
- Unmount and lock the encrypted partition when done
Details:
Step 1. Remove the disk from the bad system and attach it to another Linux machine. If the machine is still running fine but the problem was just the OS being corrupted or something, you can boot from a rescue or Live CD.
Step 2. Once the disk is attached to another system, identify the device name of the disk as to how it got attached. You can view this by viewing /proc/partitions. If you are booting from a rescue disk or Live CD, do the same, but you’ll discover that it is easier to identify the disk since you won’t be confusing it with other disks like when it is attached to another system.
Below is a sample output. In this case the device you need to recover is /dev/sda with partitions sda1, sda2, and sda5.
# cat /proc/partitions
major minor #blocks name
7 0 731040 loop0
8 0 58605120 sda
8 1 248832 sda1
8 2 1 sda2
8 5 58353664 sda5
It’s probably easier to use the fdisk command to get a much clearer view of the layout of the partitions.
# fdisk -l /dev/sda
Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders, total 117210240 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00089bcb
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 499711 248832 83 Linux
/dev/sda2 501758 117209087 58353665 5 Extended
/dev/sda5 501760 117209087 58353664 83 Linux
Step 3. Next, find the partition that is encrypted. This is where the actual data resides. Run the cryptsetup command on each partition and find the one that says something like “LUKS header information…”
# cryptsetup -v luksDump /dev/sda1
Device /dev/sda1 is not a valid LUKS device.
Command failed with code 22: Device /dev/sda1 is not a valid LUKS device.
# cryptsetup -v luksDump /dev/sda2
Device /dev/sda2 is not a valid LUKS device.
Command failed with code 22: Device /dev/sda2 is not a valid LUKS device.
# cryptsetup -v luksDump /dev/sda5
LUKS header information for /dev/sda5
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 512
MK digest: 21 84 3e c0 3e 9e 23 1e 34 9b 39 05 8f b9 47 61 89 a6 2a 81
MK salt: fc ac 3d 4f 1e 3d d4 ce 66 6b d3 90 ba f4 79 a8
d9 c9 38 a0 c2 79 bc 47 71 c6 8f 49 23 46 f1 6b
MK iterations: 22500
UUID: 2c8d56ec-749f-4d95-ab39-4ea17edb4c01
Key Slot 0: ENABLED
Iterations: 90067
Salt: e4 25 ae 7c 5d 62 81 5e ea 37 95 0f 59 7b c8 7f
13 4f bc 15 70 4e 82 e1 41 db 1d 4b 65 7a de 5c
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Command successful.
From the sample output above, the partition we need to recover is /dev/sda5.
Step 4. Unlock the encrypted partition using the cryptsetup command. You will need the passphrase of the encrypted disk. I forgot to mention, you need this password to recover the data from the disk. If you don’t know the password or you forgot, then you’re out of luck. Unless you can guess the password or do a brute force password guessing, no current technology or witchcraft on earth can help you unlock the encryption.
That’s the whole idea of encrypting a disk so that in case your laptop got stolen, got lost, or got left at a restaurant, no one but you who knows the password can see your data.
# cryptsetup -v luksOpen /dev/sda5 sda5_crypt
Enter passphrase for /dev/sda5:
Key slot 0 unlocked.
Command successful.
Step 5. After unlocking the device, check if the partition is using LVM (Logical Volume Management). If your data resides in a logical volume, you’d need to identify those volumes so that you’d know what to mount. Run the lvdisplay command to see the volumes. Below is a sample output.
# lvdisplay
--- Logical volume ---
LV Path /dev/ubuntu/root
LV Name root
VG Name ubuntu
LV UUID fy5LpG-HPX7-Spe1-C92m-nzPq-B3IB-eTjCFA
LV Write Access read/write
LV Creation host, time ubuntu, XXXX
LV Status available
# open 0
LV Size 53.61 GiB
Current LE 13724
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:1
--- Logical volume ---
LV Path /dev/ubuntu/swap_1
LV Name swap_1
VG Name ubuntu
LV UUID ZSwRl4-bdV1-kqJ3-V1lG-ndfZ-cdSh-P5X3kp
LV Write Access read/write
LV Creation host, time ubuntu, XXXX
LV Status available
# open 0
LV Size 1.99 GiB
Current LE 509
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:2
Step 6. If the partition has logical volumes, enable the volume group using the vgchange command. From the sample above, the name of the volume group is ubuntu.
# vgchange -a y ubuntu
2 logical volume(s) in volume group "ubuntu" now active
Step 7a. If the partiton is using logical volumes, mount the logical volume desired. Using the sample above, we want to mount /dev/ubuntu/root.
# mkdir /tmp/disk
# mount /dev/ubuntu/root /tmp/disk
Step 7b. If the partition does not have logical volumes, mount the mapped device directly.
# mkdir /tmp/disk
# mount /dev/mapper/sda5_crypt /tmp/disk
That’s it. You can now view your data in /tmp/disk.
Step 8. When you’re done accessing the data, don’t forget to unmount and close (lock) the encrypted partition.
# umount /tmp/disk
# cryptsetup luksClose /dev/mapper/sda5_crypt
