
I have formatted an encrypted disk containing an LVM with a btrfs system.

All superblocks appear to be destroyed; the btrfs-progs tools can't find the root tree anymore and scalpel, binwalk, foremost & co return only scrap. The filesystem was on an ssd and mounted with -o compression=lzo.

How screwed am I? Any chances to recover some files? Is there a plausible way to rebuild the superblock manually? Checking the raw image with xxd gives me not a single readable word.

I managed to decrypt the LV and dd it to an image. What can I do?

cortex
  • If you have a decrypted logical volume, you should be able to file carve. Given that you can't, methinks it was not properly decrypted or at least the raw image is not decrypted. – Dan Mar 09 '18 at 17:12
  • Thank you for looking into this old post! Yes, I came to the same conclusion but I was not able to test or verify it yet. Sadly I've deleted the encrypted image, but I might have the key that I've wrongly used to "decrypt" the volume. Is it possible to somehow reverse that operation? Is it possible to compute some kind of an inverse key? I've used cryptsetup with serpent-xts-plain64 as cipher and a 512 or 4096-bit keyfile. – cortex Mar 09 '18 at 18:44
  • It should have given an error if the key was wrong. If the encrypted volume itself is gone I don’t believe there is more you can do. LVM + encryption makes data recovery much more challenging. This is where Btrfs snapshots shine... but only when you have taken them *before* recovery. Sorry, hard for me to recommend more. – Dan Mar 09 '18 at 19:19
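
Added example, not part of the original thread: one way to test the suspicion raised in the comments that the image was never properly decrypted. It checks the three standard btrfs superblock locations for the `_BHRfS_M` magic, scans the whole image for stray copies of it, and reports the share of 64 KiB blocks with low byte entropy. The function names and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

BTRFS_MAGIC = b"_BHRfS_M"                         # 8-byte magic in every btrfs superblock
SB_OFFSETS = (0x10000, 0x4000000, 0x4000000000)   # primary copy and its two mirrors
MAGIC_OFF = 0x40                                  # offset of the magic inside a superblock

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 means it looks random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def assess(path, block=65536, low=7.5):
    """Return (superblock offsets whose magic is intact,
    offsets of the magic found anywhere else,
    share of blocks whose entropy is below `low`)."""
    size = os.path.getsize(path)
    sb_hits, stray, low_blocks, total = [], [], 0, 0
    with open(path, "rb") as f:
        for off in SB_OFFSETS:
            if off + MAGIC_OFF + len(BTRFS_MAGIC) <= size:
                f.seek(off + MAGIC_OFF)
                if f.read(len(BTRFS_MAGIC)) == BTRFS_MAGIC:
                    sb_hits.append(off)
        f.seek(0)
        pos, tail = 0, b""
        while chunk := f.read(block):
            total += 1
            low_blocks += entropy(chunk) < low
            window = tail + chunk                 # overlap so a magic split across reads is found
            i = window.find(BTRFS_MAGIC)
            while i != -1:
                m = pos - len(tail) + i           # absolute offset of this magic
                if m - MAGIC_OFF not in sb_hits:
                    stray.append(m)
                i = window.find(BTRFS_MAGIC, i + 1)
            tail = chunk[-(len(BTRFS_MAGIC) - 1):]
            pos += len(chunk)
    return sb_hits, stray, (low_blocks / total if total else 0.0)
```

No magic anywhere and a low-entropy share near zero is what ciphertext or the output of a wrong-key decryption looks like. btrfs does not compress its metadata, so a correctly decrypted image should show some low-entropy blocks even with lzo in use.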
