How are Qubes partitions stored on disk?

I’m trying to find my Qubes data after a partition problem. My drive data seems to be all there, as I managed to mount another partition there. My Qubes install was 4.01 or so (not sure).

I have the below mentioned 112.258 GB drive, plus the swap, on one drive with no problem. It is the mentioned 201.335 GB drive I am after.

How is it identified on disk? By some kind of LVM magic number?

This is the data I got from dracut:

	physical_volumes {

		pv0 {
			id = "Wf70xv-UMGP-jq5J-CmH1-jFX4-OHGH-WZBrDX"
			device = "/dev/mapper/luks-d6c940d9-2bdd-4ebb-93e9-12b9eac24012"	# Hint only

			status = ["ALLOCATABLE"]
			flags = []
			dev_size = 235423744	# 112.259 Gigabytes
			pe_start = 2048
			pe_count = 28738	# 112.258 Gigabytes
		}

		pv1 {
			id = "4VL0R0-xnFu-FYgn-rfDt-Ntzy-chWu-E2Y9Q1"
			device = "[unknown]"	# Hint only

			status = ["ALLOCATABLE"]
			flags = ["MISSING"]
			dev_size = 422230016	# 201.335 Gigabytes
			pe_start = 2048
			pe_count = 51541	# 201.332 Gigabytes
		}
	}

This is the approximate map of the drive, given what I found out already. This particular LUKS partition is something else, nothing to do with Qubes. The Qubes data I want is somewhere after all of this. The drive is 1TB in size.

what / start / end / size
Microsoft start / 32768 / 1433632767 / 1433600000
LUKS partition / 1433632768 / 1529120216 / 95487448

There’s no point in searching for an LVM signature of the missing pv1 on the drive, because it is encrypted inside a LUKS volume and hence random-looking. (I don’t think anything on the system would bother to make a persistent record of where on the drive the inner LVM physical volume was stored. It’s supposed to be portable across devices, and dynamically detected at runtime.)

You need to (have someone) find and reconstruct the outer LUKS volume storing pv1. The magic bytes identifying this LUKS volume seem to have been erased, which complicates things. If you’re lucky, the rest of the LUKS header and the content are still intact.

I can’t really help you with this, except to say that you should treat it as a data recovery problem that’s not specific to Qubes OS. You’re essentially looking for the offset of a partially overwritten LUKS volume containing an LVM physical volume.

If you hand it off to a data recovery specialist, by all that is holy give them an image file of the drive and not the drive itself because there’s a good chance it would be butchered.


Thanks for the information and for the advice. Do you know if the LUKS header for pv1 can be created from the LUKS header for pv0?

I just made a backup of the LUKS header of pv0 (the first part of the LUKS encrypted LVM) to take a look at it, and I find that it includes the UUID of the LUKS partition on the first drive. So I will search for parts of the UUID of the second drive to see if I can find the LUKS header and the partition.

LUKS volumes are independent. Unfortunately the header of one can’t be reconstructed from the header of the other.
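The UUID search discussed in the thread, as an added example that is not part of the original posts: a scan of a drive image for sectors that still carry a LUKS UUID field even though the magic bytes at the start of the sector are gone. It assumes the header begins on a 512-byte sector boundary and relies on the 40-byte UUID field sitting at byte 168 in both LUKS1 and LUKS2 headers; `scan_image` and `sample_image` are hypothetical names, and the sample image and its second UUID are constructed.

```python
import io
import re
import struct

SECTOR = 512  # assumption: headers start on 512-byte sector boundaries
MAGIC = b"LUKS\xba\xbe"
UUID_OFF = 168  # the 40-byte UUID field starts here in both LUKS1 and LUKS2 headers
UUID_FIELD = re.compile(rb"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\x00{4}")

def scan_image(img, known_uuids=(), chunk_sectors=2048):
    """Yield one dict per sector whose bytes 168..207 hold a NUL-padded UUID string,
    whether or not the 6 magic bytes at the start of that sector survive."""
    known = {u.lower() for u in known_uuids}
    base = 0
    while chunk := img.read(SECTOR * chunk_sectors):
        for off in range(0, len(chunk) - UUID_OFF - 40 + 1, SECTOR):
            m = UUID_FIELD.fullmatch(chunk, off + UUID_OFF, off + UUID_OFF + 40)
            if not m:
                continue
            uuid = m.group(1).decode().lower()
            version = struct.unpack_from(">H", chunk, off + 6)[0]
            hit = {"sector": (base + off) // SECTOR, "uuid": uuid, "version": version,
                   "magic_intact": chunk[off:off + 6] == MAGIC, "known": uuid in known}
            if version == 1:  # LUKS1 only: payload offset in sectors, big-endian at byte 104
                hit["payload_sector"] = hit["sector"] + struct.unpack_from(">I", chunk, off + 104)[0]
            yield hit
        base += len(chunk)

def sample_image():
    """Constructed 64-sector image: one intact LUKS1 header, one with the magic wiped."""
    def header(uuid, magic, payload):
        h = bytearray(SECTOR)
        h[0:6], h[6:8] = magic, struct.pack(">H", 1)
        h[104:108] = struct.pack(">I", payload)
        h[UUID_OFF:UUID_OFF + 36] = uuid
        return bytes(h)
    img = bytearray(64 * SECTOR)
    # UUID taken from pv0's mapper name on the page; the second UUID is made up.
    img[8 * SECTOR:9 * SECTOR] = header(b"d6c940d9-2bdd-4ebb-93e9-12b9eac24012", MAGIC, 4096)
    img[40 * SECTOR:41 * SECTOR] = header(b"00000000-1111-2222-3333-444444444444", bytes(6), 4096)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for hit in scan_image(sample_image(), known_uuids=["d6c940d9-2bdd-4ebb-93e9-12b9eac24012"]):
        print(hit)
```

Against a real image, pass a file object opened in binary mode; a hit with `magic_intact` false and `known` false is a candidate for the missing volume's header, and for LUKS1 `payload_sector` is where the encrypted data would begin.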