((( this is a reply to an older email because I think it's more relevant than older emails )))
On Sat, Jun 22, 2024 at 12:35:56PM -0300, Crystal Kolipe wrote:
> On Sat, Jun 22, 2024 at 03:02:29PM +0000, Anon Loli wrote:
> > On Sat, Jun 22, 2024 at 11:51:53AM -0300, Crystal Kolipe wrote:
> > > On Sat, Jun 22, 2024 at 01:02:04PM +0000, Anon Loli wrote:
> > > > Hello list
> > > > So I was trying to resolve the problem that I just submitted with the
> > > > Installer, and I was putting a fresh install75 on my USB, the problem
> > > > is that last DD/flash my USB was on sd2, and in meanwhile I attached
> > > > my VERY IMPORTANT external drive to my computer which became sd2 with
> > > > crypto volume attached as sd3, so it was mounted.
> > >
> > > There is a difference between the crypto volume being _attached_ and a
> > > partition on it being _mounted_.
> > >
> > > In your case the crypto volume contained within sd2 was attached as sd3.
> > >
> > > But quite possibly none of the partitions on sd3 was mounted on /mnt.
> > >
> > > Now you have overwritten the beginning of sd2, which is where the
> > > encryption keys are stored.
> > >
> > > But since it was hopefully already attached a copy of these keys will be
> > > in RAM, despite the fact that you have trashed the on-disk copy.
> > >
> > > So don't reset the machine now, because that copy would be lost.
> > >
> > > What happens if you do:
> > >
> > > # mount -oro /dev/sd3X /mnt
> > >
> > > Replacing X with the partition that you actually had on the external disk,
> > > (probably a or d).
> > >
> > > Are you able to see anything that was on the disk?
> > >
> > > If so, let us know and don't do anything else that might crash the
> > > machine.
> > >
> > I sent a reply with some more info, do you still want me to proceed with
> > `mount -oro`?
>
> No, the partition is already mounted.
>
> I'm assuming that you only had this one partition on the encrypted volume sd3,
> and that it started at or near the beginning of the disk. In the unlikely
> event that you had multiple partitions on it, the second and subsequent ones
> might still be mountable and intact.
>
> In the more likely case that it was one large partition at the beginning, then
> the first ~70 Mb of sd3 have also been lost, because that data was backed by
> the first ~70 Mb of sd2 that you overwrote.
>
> The one glimmer of hope that you have is that you are almost certainly still
> reading the data on the rest of sd3, (past the first ~70 Mb), correctly
> decrypted, because the key is in RAM, (but overwritten on the disk).
>
> If the data was genuinely valuable as you describe, you might want to attach
> a new storage volume that is at least as big as sd3, and write an image of sd3
> to that volume whilst you still can, (because once you reset the machine or
> detach the sd3 volume the key will be lost).
>
> In theory most of your data would be recoverable from that image, but it would
> require a lot of work and knowledge of ffs filesystem layout.
>
> If you do make an image of the disk, you could try searching it for ASCII
> strings and if you found any then it would confirm that the encrypted data was
> correctly decrypted at the time of copying.
>
> Oh, and in the future it's much easier to make backups than to go through this
> nightmare of data recovery.
>

Okay, I now have a fresh big chunky encrypted drive on another machine and can
transfer the image/files from the corrupted sd3i to it, but when I tried to run
`dd if=/dev/sd3i | ssh destination "dd of=/mnt/somewhere/ssdimage bs=1m"`
or even to a regular file on the same machine, I got this:
"dd: /dev/sd3i: Device busy"

What does this mean?
Did I lose the key from RAM or something else?
Did I lose my data forever? :(
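
The check suggested in the quoted reply above, searching a copied image for ASCII strings to confirm it was decrypted when copied, can be scripted. This is an added example, not part of the thread; the 24-byte run threshold, the function names and the sample data are assumptions chosen for illustration.

```python
import io
import re
import sys

MIN_RUN = 24     # (95/256)**24 is about 5e-11: ciphertext has no such runs
CHUNK = 1 << 20  # read size in bytes


def scan_image(stream, skip=0, min_run=MIN_RUN, keep=5, chunk=CHUNK):
    """Count printable-ASCII runs of >= min_run bytes in a seekable stream.

    skip: bytes to ignore at the start (the overwritten region).
    Returns (run_count, samples); samples holds the first `keep`
    (image_offset, text) pairs.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    stream.seek(skip)
    base, tail, count, samples = skip, b"", 0, []
    while True:
        block = stream.read(chunk)
        buf = tail + block
        # A run touching the end of buf may continue in the next block,
        # so hold it back unless this was the final (empty) read.
        cut = len(buf)
        while block and cut > 0 and 0x20 <= buf[cut - 1] <= 0x7E:
            cut -= 1
        for m in pattern.finditer(buf, 0, cut):
            count += 1
            if len(samples) < keep:
                samples.append((base + m.start(), m.group().decode("ascii")))
        if not block:
            return count, samples
        base, tail = base + cut, buf[cut:]


def constructed_image():
    """Constructed sample: 4 KiB of 'lost' bytes, filler, one text run."""
    filler = bytes(range(0x80, 0x100)) * 64      # 8 KiB, no printable bytes
    text = b"/home/user/notes/constructed-sample.txt"
    return io.BytesIO(b"\x00" * 4096 + filler + text + filler)


if __name__ == "__main__":
    # With an argument, scan that image file; otherwise the constructed one.
    real = len(sys.argv) > 1
    with (open(sys.argv[1], "rb") if real else constructed_image()) as src:
        n, found = scan_image(src, skip=0 if real else 4096)
    print(f"{n} printable run(s) of >= {MIN_RUN} bytes")
    for off, text in found:
        print(f"  {off:#x}: {text}")
```

A count of zero over a large image suggests the copy holds ciphertext or noise; many long runs at plausible offsets suggest the data was readable in decrypted form when it was copied.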