[dm-crypt] Corrupt LUKS-Header

Nicolai Voget nicolai at nicolaivoget.de
Mon Nov 14 20:03:26 CET 2011


Hi there,

on my home server I've got a RAID 5 consisting of 3 hard drives that
contains a dm-crypt partition with ext4.
Today, one of the 3 drives passed out and afterwards I got some
ext4-errors in dmesg.

Unfortunately I'm not home right now, nor for the next 4 days, so I
can't replace the harddrive, although I even think it's not necessary,
because it was just the USB-controller that passed out. Nevertheless, I
wanted to run some e2fsck on the partition to check whether there are
some errors or what dmesg was talking about.
Stupid me, I forgot that the partition was decrypted, so I ran the
e2fsck directly on the md0-RAID. Of course I got some errors, but didn't
really think about it, so e2fsck did some error correction, but
eventually it seemed weird, so I interrupted it. (I've attached the
output, e2fsck showed me, maybe it helps)

Of course, the LUKS-device won't mount any more for the LUKS header
seems to be overriden. Fortunately, the drive that passed out of the
RAID earlier (sda) has been the first device of the raid, thus holding
the first 64k (that is, until 0x10000) of LUKS-data (starting with "LUKS
… aes …" and so on). Unfortunately, the modification by e2fsck went on
to the second 64k of data, too. But by comparing the (original) data on
sda with that on md0, I can say that anything from 192k upwards
(0x30000) seems to be fine again.

Is there any chance of getting the missing data back? As far as I know,
there are some methods to get the data, that has been stored in a block,
although it has already been overridden. By the fact that I have one of
the drives unaltered, it should be possible, to judge which combinations
of data for the other two drives can be possible, because the must xor
to the data of the first drive, isn’t it?

I would be extremely thankful if anyone could help me out on this.

Regards,
Nicolai
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: e2fsck-output
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20111114/53e41417/attachment.ksh>


More information about the dm-crypt mailing list