On Sat, Jun 22, 2024 at 12:35:56PM -0300, Crystal Kolipe wrote:
> On Sat, Jun 22, 2024 at 03:02:29PM +0000, Anon Loli wrote:
> > On Sat, Jun 22, 2024 at 11:51:53AM -0300, Crystal Kolipe wrote:
> > > On Sat, Jun 22, 2024 at 01:02:04PM +0000, Anon Loli wrote:
> > > > Hello list
> > > > So I was trying to resolve the problem that I just submitted with the
> > > > Installer, and I was putting a fresh install75 on my USB, the problem
> > > > is that last DD/flash my USB was on sd2, and in meanwhile I attached
> > > > my VERY IMPORTANT external drive to my computer which became sd2 with
> > > > crypto volume attached as sd3, so it was mounted.
> > >
> > > There is a difference between the crypto volume being _attached_ and a
> > > partition on it being _mounted_.
> > >
> > > In your case the crypto volume contained within sd2 was attached as sd3.
> > >
> > > But quite possibly none of the partitions on sd3 was mounted on /mnt.
> > >
> > > Now you have overwritten the beginning of sd2, which is where the
> > > encryption keys are stored.
> > >
> > > But since it was hopefully already attached a copy of these keys will
> > > be in RAM, despite the fact that you have trashed the on-disk copy.
> > >
> > > So don't reset the machine now, because that copy would be lost.
> > >
> > > What happens if you do:
> > >
> > > # mount -oro /dev/sd3X /mnt
> > >
> > > Replacing X with the partition that you actually had on the external
> > > disk, (probably a or d).
> > >
> > > Are you able to see anything that was on the disk?
> > >
> > > If so, let us know and don't do anything else that might crash the
> > > machine.
> >
> > I sent a reply with some more info, do you still want me to proceed with
> > `mount -oro`?
>
> No, the partition is already mounted.
>
> I'm assuming that you only had this one partition on the encrypted volume
> sd3, and that it started at or near the beginning of the disk. In the
> unlikely event that you had multiple partitions on it, the second and
> subsequent ones might still be mountable and intact.
>
> In the more likely case that it was one large partition at the beginning,
> then the first ~70 Mb of sd3 have also been lost, because that data was
> backed by the first ~70 Mb of sd2 that you overwrote.
>
> The one glimmer of hope that you have is that you are almost certainly
> still reading the data on the rest of sd3, (past the first ~70 Mb),
> correctly decrypted, because the key is in RAM, (but overwritten on the
> disk).
>
> If the data was genuinely valuable as you describe, you might want to
> attach a new storage volume that is at least as big as sd3, and write an
> image of sd3 to that volume whilst you still can, (because once you reset
> the machine or detach the sd3 volume the key will be lost).
>
> In theory most of your data would be recoverable from that image, but it
> would require a lot of work and knowledge of ffs filesystem layout.
>
> If you do make an image of the disk, you could try searching it for ASCII
> strings and if you found any then it would confirm that the encrypted data
> was correctly decrypted at the time of copying.
>
> Oh, and in the future it's much easier to make backups than to go through
> this nightmare of data recovery.

So what you're saying is that I need a new disk that's at least the size of
the overwritten SSD, and then make an image of sd3 and copy it over to the
new disk? I don't think that I have as you said enough knowledge about FFS...
I can use the other computer that has enough storage space, but I can't
install OpenBSD well, it's the other recent mail with "Installer" in name, if
we solve that, then I can install OpenBSD on there and gain access to a drive
where I can then copy over the image of sd3 over ssh then..
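The ASCII-string check suggested in the quoted reply, as an added example that is not part of the original thread: it walks an image in fixed windows and reports which windows contain long printable runs, so a correctly decrypted copy shows text past the overwritten start while a copy made without the key shows none. The window size, the 24-byte minimum run and the image path given on the command line are assumptions chosen for illustration.

```python
import hashlib
import io
import re
import sys

WINDOW = 64 * 1024  # bytes examined per region (assumed value)
MIN_RUN = 24        # ciphertext produces short printable runs by chance; long ones are very unlikely
TEXT_RUN = re.compile(rb"[\x20-\x7e\t\n]{%d,}" % MIN_RUN)

def scan_image(stream, window=WINDOW):
    """Yield (offset, long_run_count, first_run_prefix) for each window read."""
    offset = 0
    while True:
        buf = stream.read(window)
        if not buf:
            break
        runs = TEXT_RUN.findall(buf)
        yield offset, len(runs), (runs[0][:40] if runs else b"")
        offset += len(buf)

def summarize(stream, window=WINDOW):
    """Return (windows_with_text, total_windows, offset_of_first_text_or_None)."""
    hits = total = 0
    first = None
    for offset, count, _ in scan_image(stream, window):
        total += 1
        if count:
            hits += 1
            if first is None:
                first = offset
    return hits, total, first

def constructed_sample():
    """Constructed input: two windows of pseudo-random bytes, then one of text."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(2 * WINDOW // 32))
    text = (b"/* constructed sample file contents for the example */\n" * 2000)[:WINDOW]
    return noise + text

if __name__ == "__main__":
    # With no argument the constructed sample is scanned instead of a real image.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(constructed_sample())
    with src:
        hits, total, first = summarize(src)
    print(f"{hits}/{total} windows hold text runs >= {MIN_RUN} bytes; first at offset {first}")
```

A run of windows without text at the start of the image is expected here, since that region was backed by the overwritten part of sd2.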