0

Recently, I stored a random keyfile for a LUKS encrypted drive on an unencrypted ext4 USB stick, since I was between OSs and needed to be able to access it. Later, my new OS was installed and I moved the keyfile to the drive with the OS on it and deleted it from the USB drive.

Some time after I deleted the file, the OS failed and I decided to reinstall, forgetting to back up the keyfile first. Thus, I think my only hope is to try to find the deleted keyfile off of the USB drive.

The drive I am trying to unlock holds backups and other data, the most notable of which is the files for my password manager. I am not certain this is the only copy of these, but my next guess would be an SD card that is currently missing, and I would rather just be able to recover all my data.

So far, I have tried to recover the file by running ext4magic -m on an image of the USB drive. Once it finished I looked through the application/octet-stream directory of its recovered files and narrowed it down to one file through running file on the files (most weren't actually application/octet-stream!) and viming the rest to see if they looked like random data. I tried unlocking the disk with this file, but it failed.

What else should I do to try to recover my keyfile?

1 Answer

0

Worst case, you could try reading every block of the USB drive, selecting the appropriate length, and trying it as a key.

I wouldn't hold out much hope. The deleted data could have been "trimmed" and thus gone back into the wear leveling pool.


A starting point for a command:

dd if=<device> skip=<block-number> bs=4096 count=1 \
    | dd bs=<key-length> count=1 \
    | cryptsetup open ... --key-file - ...

This would then be in a loop of the possible block numbers, and I wouldn't exclude anything.
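The loop described in the answer above, written out as an added example (not part of the original answer). Instead of piping through dd it uses cryptsetup's `--keyfile-offset` and `--keyfile-size` to read the candidate bytes straight from an image of the stick, and `--test-passphrase` so nothing is mapped; the image name, device path and key length in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: try every 4096-byte-aligned offset of an image of the
# USB stick as a LUKS keyfile. Work on an image, never on the stick itself.
# Usage (placeholder values):
#   off=$(scan_image usb.img <key-length> /dev/<luks-device>) \
#       && extract_key usb.img "$off" <key-length> recovered.key

BLOCK_SIZE=4096   # ext4 block size assumed, as in the answer's dd command

# try_key IMAGE OFFSET KEY_LEN LUKS_DEV
# Exit status 0 if KEY_LEN bytes at OFFSET open a keyslot.
# --test-passphrase only checks the key; no device mapping is created.
try_key() {
    cryptsetup open --test-passphrase \
        --key-file "$1" --keyfile-offset "$2" --keyfile-size "$3" "$4"
}

# scan_image IMAGE KEY_LEN LUKS_DEV
# Prints the byte offset of the first block that works.
# Returns 1 if no block matches, 2 if the image cannot be read.
scan_image() {
    image=$1
    key_len=$2
    dev=$3
    [ -r "$image" ] || return 2
    size=$(($(wc -c < "$image")))
    offset=0
    # No block is skipped: deleted data can sit anywhere in the image.
    while [ $((offset + key_len)) -le "$size" ]; do
        if try_key "$image" "$offset" "$key_len" "$dev" 2>/dev/null; then
            echo "$offset"
            return 0
        fi
        offset=$((offset + BLOCK_SIZE))
    done
    return 1
}

# extract_key IMAGE OFFSET KEY_LEN OUTFILE
# Saves the matching bytes as a new keyfile.
extract_key() {
    dd if="$1" of="$4" bs=1 skip="$2" count="$3" 2>/dev/null
}
```

Every attempt runs the keyslot's key-derivation function, so a full pass over a large image is slow; passing `--key-slot` inside `try_key` limits each attempt to the one slot the keyfile was enrolled in, if that is known.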
