On Sat, Jun 22, 2024 at 03:02:29PM +0000, Anon Loli wrote: > On Sat, Jun 22, 2024 at 11:51:53AM -0300, Crystal Kolipe wrote: > > On Sat, Jun 22, 2024 at 01:02:04PM +0000, Anon Loli wrote: > > > Hello list > > > So I was trying to resolve the problem that I just submitted with the > > > Installer, and I was putting a fresh install75 on my USB, the problem is > > > that > > > last DD/flash my USB was on sd2, and in meanwhile I attached my VERY > > > IMPORTANT > > > external drive to my computer which became sd2 with crypto volume > > > attached as > > > sd3, so it was mounted. > > > > There is a difference between the crypto volume being _attached_ and a > > partition on it being _mounted_. > > > > In your case the crypto volume contained within sd2 was attached as sd3. > > > > But quite possibly none of the partitions on sd3 was mounted on /mnt. > > > > Now you have overwritten the beginning of sd2, which is where the encryption > > keys are stored. > > > > But since it was hopefully already attached a copy of these keys will be in > > RAM, despite the fact that you have trashed the on-disk copy. > > > > So don't reset the machine now, because that copy would be lost. > > > > What happens if you do: > > > > # mount -oro /dev/sd3X /mnt > > > > Replacing X with the partition that you actually had on the external disk, > > (probably a or d). > > > > Are you able to see anything that was on the disk? > > > > If so, let us know and don't do anything else that might crash the machine. > > > > I sent a reply with some more info, do you still want me to proceed with > `mount -oro`?
No, the partition is already mounted. I'm assuming that you only had this one partition on the encrypted volume sd3, and that it started at or near the beginning of the disk. In the unlikely event that you had multiple partitions on it, the second and subsequent ones might still be mountable and intact. In the more likely case that it was one large partition at the beginning, then the first ~70 Mb of sd3 have also been lost, because that data was backed by the first ~70 Mb of sd2 that you overwrote. The one glimmer of hope that you have is that you are almost certainly still reading the data on the rest of sd3, (past the first ~70 Mb), correctly decrypted, because the key is in RAM, (but overwritten on the disk). If the data was genuinely valuable as you describe, you might want to attach a new storage volume that is at least as big as sd3, and write an image of sd3 to that volume whilst you still can, (because once you reset the machine or detach the sd3 volume the key will be lost). In theory most of your data would be recoverable from that image, but it would require a lot of work and knowledge of ffs filesystem layout. If you do make an image of the disk, you could try searching it for ASCII strings and if you found any then it would confirm that the encrypted data was correctly decrypted at the time of copying. Oh, and in the future it's much easier to make backups than to go through this nightmare of data recovery.
