Recover deleted LUKS partition

grub2 luks partition-table

I have (had) the following setup:
Full disk encryption with LUKS and a separately encrypted /home partition.
I made the mistake of deleting my /root, but caught it early enough that only changes to the partition table were made.
Now I'm left with the following:

    sudo hexdump -C /dev/nvme0n1 | grep LUKS
    3e900000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

That means that the LUKS header is still intact (phew).

Then I create a loop device on that offset

    sudo losetup -o 0x3e900000 -r -f /dev/nvme0n1

and mount it with

    sudo cryptsetup luksOpen /dev/loop1 luksrecover

So far it works great: things get mounted properly, I can see my files, and with a few more commands I can get my separate /home back.

However, since I do have an operating system intact, I'd like it back.
The only problem, it seems, is that there is no grub to call the initial Xubuntu LUKS decrypter.

Now, since I see that there is a significant offset in my partitioning, I guess that's where grub used to live.

So, what can I do about getting my OS back?
As far as I understand I must somehow mark bytes 0 – $offset as grub and install grub there and the rest as something else.
So I tried grub-install /dev/nvme0n1 and it complained about aufs:

    grub-install: error: failed to get canonical path of `aufs'.

Then I tried the same in a chroot in the LUKS system that was mounted, but that filesystem is read-only and of course it never had grub to begin with.

So what can I do to get grub to sit in the empty space before LUKS and decrypt LUKS on start?

Best Answer

WARNING:

Make an image (backup) of the drive BEFORE you do all this.

Read the documentation (e.g., "man pages") for all commands, and make sure you understand what they do, before using them.

YOU HAVE BEEN WARNED

For future reference, here's the solution:

  1. Find where the LUKS partition starts.  All LUKS partitions have a plaintext header containing the word LUKS. So:

    sudo hexdump -C /dev/<the disk>  | grep LUKS
    
  2. Note where LUKS was.  hexdump should list an offset where it found the start of this header.  Mount the partition as a loopback device starting at the offset where you found the LUKS header:

    sudo losetup -o <offset> -r -f /dev/nvme0n1
    

    For reference, my offset, in Xubuntu with an Intel SSD and GRUB2, was 0x3e900000.

  3. Find out which device it got losetup'd as

    losetup -a
    
  4. Decrypt & mount

    sudo cryptsetup luksOpen /dev/loop1 luksrecover
    

    At this point the disk should have been mounted under /media/.  However, your /home should still be encrypted.  It's time to decrypt:

  5.  cd /home/<yourusername>
    
     sudo ecryptfs-recover-private .Private/
    

    This should produce the following

    INFO: Found [.Private/].
    Try to recover this directory? [Y/n]: Y
    INFO: Found your wrapped-passphrase
    Do you know your LOGIN passphrase? [Y/n] Y
    INFO: Enter your LOGIN passphrase...
    Passphrase: 
    Inserted auth tok with sig [8c5d84b9d7f0cc5b] into the user session keyring
    INFO: Success!  Private data mounted at [/tmp/ecryptfs.mxsowbiD].
    

    Plug in an external storage device (e.g., an HDD), save your /home, /opt and whatever else you need. Re-install and replace the /home with your own. Or just move the existing filesystem to a proper partition.

Crisis averted, and it took only a few hours.
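
Step 1 of the answer relies on `hexdump -C | grep LUKS`, which matches any row of the dump that contains that text, not only a real header. The following is an added example, not code from the original post: it checks every 512-byte-aligned offset for the full LUKS1 magic, version 1 (as in the hexdump above) and plausible cipher fields, and prints the matching `losetup` command. The function names and the sample image are constructed for illustration, and the 512-byte alignment is an assumption.

```python
import io
import struct
import sys

MAGIC = b"LUKS\xba\xbe"   # the 6 magic bytes visible in the hexdump output
SECTOR = 512              # assumption: partitions start on 512-byte boundaries
# Start of the LUKS1 header: magic, version, cipher name, cipher mode,
# hash spec, payload offset (sectors), key bytes; integers are big-endian.
PHDR = struct.Struct(">6sH32s32s32sII")

def _cstr(raw):
    """Decode a NUL-padded field; None if empty or not printable ASCII."""
    text = raw.split(b"\0", 1)[0]
    ok = text and all(0x20 < b < 0x7F for b in text)
    return text.decode("ascii") if ok else None

def parse_luks1(buf):
    """Return the header fields if buf starts with a plausible LUKS1 header."""
    if len(buf) < PHDR.size:
        return None
    magic, ver, cipher, mode, hash_spec, payload, key_bytes = PHDR.unpack_from(buf)
    names = [_cstr(cipher), _cstr(mode), _cstr(hash_spec)]
    if magic != MAGIC or ver != 1 or None in names or not payload or not key_bytes:
        return None
    return {"cipher": names[0], "mode": names[1], "hash": names[2],
            "payload_sectors": payload, "key_bytes": key_bytes}

def find_luks1(dev, chunk=1 << 20):
    """Scan a binary file object; chunk must be a multiple of SECTOR."""
    hits, base = [], 0
    while data := dev.read(chunk):
        for off in range(0, len(data), SECTOR):
            fields = parse_luks1(data[off:off + PHDR.size])
            if fields:
                hits.append((base + off, fields))
        base += len(data)
    return hits

def sample_image():
    """Constructed test image: two decoys, then a real header at sector 3."""
    hdr = lambda ver: PHDR.pack(MAGIC, ver, b"aes", b"xts-plain64", b"sha256", 4096, 64)
    sectors = [b"", b"text mentioning LUKS", hdr(9), hdr(1)]
    return b"".join(s.ljust(SECTOR, b"\0") for s in sectors)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    with (open(path, "rb") if path else io.BytesIO(sample_image())) as dev:
        for offset, f in find_luks1(dev):
            print(f"{offset:#x} {f} -> losetup -o {offset:#x} -r -f {path or '<disk>'}")
```

Run it with the disk or a disk image as the only argument (reading a raw device needs root); with no argument it scans the constructed sample.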
