A drive with 2 partitions – the first partition is plain ext4, second one is encrypted LUKS. The partition table has been overwritten. I've found the beginning of the second partition, which I need to recover, thusly:
#hexdump -s 400000m -C /dev/sdc | grep LUKS
61d3dec850 79 c8 81 6d e5 4c 55 4b 53 40 49 aa 29 df de d7 |y..m.LUKS@I.)...|
then:
#losetup -o 0x61d3dec850 -r -f /dev/sdc
#losetup -a
/dev/loop0: [0005]:477209 (/dev/sdc), offset 420166420560
Ok so far, then this problem pops up:
#cryptsetup luksOpen /dev/loop0 luksrecover
Device /dev/loop0 is not a valid LUKS device.
Please advice how to proceed. Is it wrong offset? Should I seek for the magic number 0xEF53 identifying ext4 as adviced here https://unix.stackexchange.com/questions/103919/how-do-i-find-the-offset-of-an-ext4-filesystem ?
Mind you it's a 1TB drive so please I need an advice that does not force to scan the entire drive ( hours and hours) all over again if possible, such as testdisk which seems have no option to start at a specified offset to save time on scanning.
P.S. This was close , but not quite: https://unix.stackexchange.com/questions/177070/lvm-encrypted-partition-without-partition-table
Best Answer
The first obvious problem is you're looking in the wrong place. That's not a LUKS header.
The LUKS partition header starts with the six bytes, defined as
L
,U
,K
,S
, followed by 0xBA, 0xBE. As you can clearly see, two of those six bytes aren't present there.What you're looking for is pretty obvious:
You'll need to look elsewhere on the disk. Perhaps you need to back up a bit? Or forward. Or just let testdisk do its thing; if there's a valid LUKS header on the disk anywhere it should find it eventually.