A drive with 2 partitions – the first partition is plain ext4, second one is encrypted LUKS. The partition table has been overwritten. I've found the beginning of the second partition, which I need to recover, thusly:
#hexdump -s 400000m -C /dev/sdc | grep LUKS
61d3dec850 79 c8 81 6d e5 4c 55 4b 53 40 49 aa 29 df de d7 |y..m.LUKS@I.)...|
then:
#losetup -o 0x61d3dec850 -r -f /dev/sdc
#losetup -a
/dev/loop0: [0005]:477209 (/dev/sdc), offset 420166420560
Ok so far, then this problem pops up:
#cryptsetup luksOpen /dev/loop0 luksrecover
Device /dev/loop0 is not a valid LUKS device.
Please advice how to proceed. Is it wrong offset? Should I seek for the magic number 0xEF53 identifying ext4 as adviced here https://unix.stackexchange.com/questions/103919/how-do-i-find-the-offset-of-an-ext4-filesystem ?
Mind you it's a 1TB drive so please I need an advice that does not force to scan the entire drive ( hours and hours) all over again if possible, such as testdisk which seems have no option to start at a specified offset to save time on scanning.
P.S. This was close , but not quite: https://unix.stackexchange.com/questions/177070/lvm-encrypted-partition-without-partition-table
Best Answer
The first obvious problem is you're looking in the wrong place. That's not a LUKS header.
The LUKS partition header starts with the six bytes, defined as
L,U,K,S, followed by 0xBA, 0xBE. As you can clearly see, two of those six bytes aren't present there.What you're looking for is pretty obvious:
You'll need to look elsewhere on the disk. Perhaps you need to back up a bit? Or forward. Or just let testdisk do its thing; if there's a valid LUKS header on the disk anywhere it should find it eventually.