[Help needed] Recover deleted partition table

Hi,

While playing around with void Linux live, using KDE partitionmanager I accidentally deleted all qubes os partitions. (BIOS installation: boot partition + luks encrypted pool)

I’m really devastated as this luks partition contained really important information.

  • only one copy of ssh keys
  • not committed 1 month changes to my personal project, nobody else worked on
  • family pictures
  • above 200 positions browser bookmarks

I don’t really care if qubes boots up again, I just need to restore mentioned files (so lvm pool).

I’m not expert but I’ve tried my best:
I’ve read a little about testdisk but after choosing analyze ==> partition type intel it shows me only the:

Disk /dev/nvme0n1 - 500 GB / 465 GiB - CHS 476940 64 32
     Partition               Start        End    Size in sectors
>* Linux                    1   0  1  1024  63 32    2097152

So this seems to be the /boot one
But, where’s the luks?

After that I found this thread:
https://forum.cgsecurity.org/phpBB3/viewtopic.php?t=8108

But how do I find the luks header, it’s note explained there?

Then I searched this forum and found:

Because of that I’m scared to touch anything…

Fortunately I haven’t ended the live usb session that i did the deletion.

I really beg You, please help me…

Sorry @BBro, what you’re asking is above my pay-grade

If I were you I would read about ddresque, maybe you can find a solution there.
Maybe also google “LVM recovery”?

wise decision!
If you have a disk laying around of the same size or bigger, (or buy one) you could make an exact copy with dd before trying anything else. (but be careful!)

The hdd of my old laptop died…(it still spins, but controller is dead) I bought the exact same disk… now I’m waiting on a particular screw-driver (why do they have to use different/exotic ones?) to arrive so I can switch over the heads… hoping to be able to recover my data… so I know what you’re feeling :-s

Good luck!

If it was me, I wouldn’t touch it. I would take the drive out of your computer and bring it to a recovery specialist and see what they can do. Missing partitions on an encrypted disk means that you can make things worse by doing more. You risk overwriting crucial parts of the encrypted volume that would allow you to decrypt it with your password. Good luck…

1 Like

I called specialists and described whole situation.
It seems that NVMe drive have TRIM support, so probably there’s nothing left to restore as disk probably received TRIM command so controller started overwriting data… If I wanted them to check it regardless, it would cost an arm and a leg. Literally…

What I’ve learned from this situation is to always do backups and be careful with ssd drives as they are hard/impossible to restore.

KDE Partition Manager doesn’t appear to send a TRIM/discard command if you delete a partition. What it does is run wipefs --all on the partition before it is deleted, which in case it contained LUKS1 data (assuming we’re talking about Qubes R4.0.x; R4.1 would be LUKS2) merely changes its first six bytes from 4c 55 4b 53 ba be to zeros. Hence TestDisk can’t find it as is, but it’s still perfectly recoverable.

So don’t give up on your data just yet. I’d get one or two cheap backup drive(s) and make a complete disk image, as a first step.