Some years ago I created an encrypted partition on an external drive. Recently the controller seems to have died and I tried a data recovery using Testdisk. There is one NTFS partition which I could recover. In Testdisk I can even see the LUKS partition as 2 partitions: one I can recognize as the LUKS header and the other seems to be some other partition that starts where the LUKS header starts and ends where the disk ends:
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sdb - 4000 GB / 3726 GiB - CHS 486401 255 63
Partition Start End Size in sectors
>* HPFS - NTFS 0 32 33 269464 5 45 4328937472 [Externe]
D Linux 269464 5 46 269464 70 46 4096
D Linux 269464 5 46 486397 33 36 3485030400
The question for me is: How to recover this partition? It seems the data is there but how do I set up the partitions? Do I recover both? Only the first one?
gparted told me there is an issue with overlapping partitions. I thought it is because the NTFS partition ends on the same cylinder the LUKS partition starts but have since learned that it is supposed to be like that. gparted recognises the NTFS partition but sees the LUKS partition as unknown.
Have you tried to just open and mount the luks partition(s)?
So, just attach the drive to a linux computer and open the partition manually:
$ sudo cryptsetup luksOpen /dev/sdb3 my_crypt_part
$ sudo mount /dev/mapper/my_crypt_part /mnt
$ ls /mnt
(Where /dev/sdb3 is your encrypted luks partition. It might be somewhere else. If not sure, check with lsblk and replace /dev/sdb3 with the correct location).
Of course, the luksOpen command will ask for your password (the one for the encrypted drive).
It’s very unusual that the LUKS header is in its own partition, perhaps the partition table got altered by some tool.
Post the output of lsblk -f and sudo blkid for that external disc.
The goal is to try to address that header partition in the cryptsetup command separately, e.g.:
sudo cryptsetup open /dev/sdb3 my_crypt_part --header /dev/sdb2
I think this is just how Testdisk displays it. This is the output after having tried to restore the bottom partition from the Testdisk output further up.
So, it’s one partition we are looking at, /dev/sdb2 in the above output. cryptsetup will not recognise it like this anymore, no. A LUKS partition entry would have partition “TYPE=crypto_LUKS” listed in both lsblk and blkid.
Whatever you do now, don’t attach the disc while Windows is booted and ideally turn off Linux automount or change it to read-only for the external disc sdb.
I suppose this is after gparted’s “correction” of overlap you mentioned earlier. How did you try to restore it? What command did you run?
Does Testdisk still recognise two Linux partitions like in your OP? If yes, we should try to write the supposed header into a separate file (somewhere on sda) and see if cryptsetup recognises it as a --header.
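
An added example, not part of the thread: a read-only check of whether a LUKS header really sits at the sector TestDisk reports, done by converting the CHS start from the listing above to a sector number and parsing the LUKS1 header fields there. The function names and the sample header are constructed for illustration; the geometry (255 heads, 63 sectors per track) is taken from the TestDisk output.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of a LUKS1/LUKS2 primary header


def chs_to_lba(c, h, s, heads=255, spt=63):
    """TestDisk CHS triple -> 0-based sector number (geometry from its 'CHS' line)."""
    return (c * heads + h) * spt + (s - 1)


def parse_luks_header(buf):
    """Return header fields if buf starts with a LUKS header, else None."""
    if len(buf) < 208 or buf[:6] != LUKS_MAGIC:
        return None
    info = {"version": struct.unpack(">H", buf[6:8])[0]}
    if info["version"] == 1:
        # LUKS1 layout: big-endian integers, fixed-width NUL-padded strings
        def text(b):
            return b.split(b"\0", 1)[0].decode("ascii", "replace")
        payload, key_bytes = struct.unpack(">II", buf[104:112])
        info.update(cipher=text(buf[8:40]), mode=text(buf[40:72]),
                    hash=text(buf[72:104]), payload_offset_sectors=payload,
                    key_bytes=key_bytes, uuid=text(buf[168:208]))
    return info


def probe(path, lba):
    """Read one sector at `lba` from a device or image file, read-only."""
    with open(path, "rb") as f:
        f.seek(lba * SECTOR)
        return parse_luks_header(f.read(SECTOR))


def sample_header():
    """Constructed LUKS1 header for offline testing (not from the poster's disk)."""
    def pad(s, n):
        return s.ljust(n, b"\0")
    hdr = (LUKS_MAGIC + struct.pack(">H", 1) + pad(b"aes", 32)
           + pad(b"xts-plain64", 32) + pad(b"sha256", 32)
           + struct.pack(">II", 4096, 64) + bytes(56)  # 56 = digest, salt, iterations
           + pad(b"00000000-0000-0000-0000-000000000000", 40))
    return hdr.ljust(SECTOR, b"\0")


if __name__ == "__main__":
    print("LUKS start LBA:", chs_to_lba(269464, 5, 46))
    print(parse_luks_header(sample_header()))
```

On a real disk, `probe("/dev/sdb", chs_to_lba(269464, 5, 46))` needs read permission on the device; for LUKS1, `payload_offset_sectors` is the distance from the header's first sector to the start of the encrypted data.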