How To Recover Data From An Encrypted Harddisk On Boot Failure With Ubuntu 14.04

Submitted by howtoforge on Wed, 2014-08-27 07:55.

Version 1.0
Author: Srijan Kishore
Last edited 27/Aug/2014

This document describes how to recover data from an encrypted harddisk when an Ubuntu 14.04 Server installation fails to boot. The method also works for Ubuntu Desktop. It is a serious situation when the distribution fails to boot and important data is stored on it. If the harddisk is not encrypted, the data can easily be retrieved with a live CD or live USB boot device, but if the harddisk is encrypted the situation becomes a little more involved. I will cover data retrieval from encrypted harddisks for Ubuntu distributions.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

This tutorial is based on Ubuntu 14.04 server, so you should set up a basic Ubuntu 14.04 server installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname. My harddisk is encrypted; its encryption password is howtoforge.

2 Scenario

Suppose you have a working Ubuntu Server 14.04 that hosts some websites and other data. Somehow the system fails to boot, the data is critical, and you want to recover it so that you can get the setup back into working condition. In my case I have Ubuntu 14.04 with some data in /root as shown below; this is just an example, and your data will vary according to your usage.

cd /root
ls -l

root@server1:~# ls -l
total 804868
-rw-r--r-- 1 root root 232783872 Aug 26 08:27 debian-7.5.0-amd64-netinst.iso
-rw-r--r-- 1 root root         0 Aug 26 08:37 test.doc
-rw-r--r-- 1 root root         0 Aug 26 08:37 test.jpg
-rw-r--r-- 1 root root         0 Aug 26 08:37 test.odt
-rw-r--r-- 1 root root         0 Aug 26 08:37 test.txt
-rw-r--r-- 1 root root 591396864 Aug 26 08:28 ubuntu-14.04-server-amd64.iso
root@server1:~#

And the folder size in my case was 787Mb:

du -sh

root@server1:~# du -sh
787M    .
root@server1:~#

Suppose my machine ends up in a non-booting state and I am very concerned about the data in the folder /root. I will boot the machine with a live USB/CD of Ubuntu 14.04 Desktop from this ISO: http://releases.ubuntu.com/14.04.1/ubuntu-14.04.1-desktop-amd64.iso.

Next we need to turn the ISO into a bootable CD or USB device. Then we boot the failed Ubuntu Server 14.04 machine from that CD/USB device as follows:

Choose Try Ubuntu:

You will get the default desktop. Now open a terminal and become root as follows:

sudo -i
apt-get update

Now we need to install cryptsetup, which handles the encryption and decryption of the data. Since we have booted the machine into Ubuntu 14.04 Desktop it may already be pre-installed; if not, install it with:

apt-get install cryptsetup

Now we need to mount the internal harddisk. First we check which partition is encrypted:

blkid | grep crypto

So /dev/sda5 is the encrypted partition. Now we need to open it so that it can be mounted:

cryptsetup luksOpen /dev/sda5 unlock

You can use any arbitrary name for the mapping; in my case I am using unlock. It will then ask for the passphrase, which is the encryption password of the harddisk; in my case it was howtoforge:

After you enter the password the partition is decrypted. Now we need to mount the volume as follows:

mount /dev/mapper/server1--vg-root /mnt

In my case LVM was configured, with the root volume at /dev/mapper/server1--vg-root; you can check yours in the directory /dev/mapper. After mounting successfully you can see the same contents as before under /mnt/root:

cd /mnt/root
ls

It is the same data as before the boot failure. Now you can copy the data off with scp or to a USB drive, and you have successfully recovered your data.
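A read-only variant of the unlock and mount steps above, as an added example that is not part of the original tutorial: it opens the LUKS container and mounts the volume without writing to the failed disk. The function names and the DRY_RUN switch are hypothetical, the blkid sample is constructed, and the noload fallback assumes the root volume is ext4.

```shell
#!/bin/sh
# Added example: read-only variant of the tutorial's unlock-and-mount steps.
# Function names and DRY_RUN are hypothetical; run as root on the live system.

# Print the device names that blkid reports as LUKS containers.
# Reads blkid output on stdin, e.g.:  blkid | luks_devices
luks_devices() {
    awk -F: '/TYPE="crypto_LUKS"/ { print $1 }'
}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# recover_ro DEVICE MAPPING_NAME LV_NAME MOUNTPOINT
recover_ro() {
    dev=$1 name=$2 lv=$3 mnt=$4
    # --readonly keeps the kernel from writing to the damaged disk.
    run cryptsetup luksOpen --readonly "$dev" "$name" || return 1
    # Activate the volume groups found inside the opened container.
    run vgchange -ay || return 1
    # Assumption: the root LV is ext4. A dirty journal cannot be replayed
    # on a read-only device, so fall back to noload (skip journal replay).
    run mount -o ro "/dev/mapper/$lv" "$mnt" ||
        run mount -o ro,noload "/dev/mapper/$lv" "$mnt"
}

# Constructed sample of blkid output, using the tutorial's device names.
SAMPLE_BLKID='/dev/sda1: UUID="0a1b2c3d-0000-4000-8000-000000000001" TYPE="ext2"
/dev/sda5: UUID="0a1b2c3d-0000-4000-8000-000000000005" TYPE="crypto_LUKS"'

# Demo: show which device would be opened and the commands that would run.
( DRY_RUN=1
  dev=$(printf '%s\n' "$SAMPLE_BLKID" | luks_devices)
  recover_ro "$dev" unlock server1--vg-root /mnt )
```

On the live system, leave DRY_RUN unset and call recover_ro with your own device and volume names to execute the commands.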

Congratulations! We have successfully recovered the data from the encrypted harddisk in Ubuntu 14.04 :)

Submitted by flapdoodle (not registered) on Wed, 2014-12-10 09:19.

Hi, I encrypted my home folder a while back when I installed Ubuntu 13.04 then I upgraded to 13.10, (silly me), got stuck in login loop, so I did a fresh install of 14.04.

Now I can't access my info on my home drive.

Will this tutorial be useful in my situation?

I know the passphrase and had some success mounting it but I didn't understand exactly where my info was.

Please see below.

I have tried a couple of things to mount/view my folder since I installed 14.04 but without success.
1. ecryptfs-mount-private
   ERROR: Encrypted private directory is not setup properly

2. sudo ecryptfs-mount-private
   [sudo] password for beefcake:
   ERROR: Encrypted private directory is not setup properly

3. sudo -i encryptfs-mount-private
   -bash: encryptfs-mount-private: command not found

4. sudo ecryptfs-recover-private
   INFO: Searching for encrypted private directories (this might take a while)...
   INFO: Found [/media/beefcake/ad7119ef-aaa2-4e81-a16d-9f84687dcd7f/.ecryptfs/beefcake/.Private].
   Try to recover this directory? [Y/n]: y
   INFO: Found your wrapped-passphrase
   Do you know your LOGIN passphrase? [Y/n] n
   INFO: To recover this directory, you MUST have your original MOUNT passphrase.
   INFO: When you first setup your encrypted private directory, you were told to record
   INFO: your MOUNT passphrase.
   INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
   Enter your MOUNT passphrase:
   INFO: Success! Private data mounted at [/tmp/ecryptfs.nLVycpoH].

 

Thanks

Lex