Where on the hard drive would Ubuntu Linux save encryption keys

data-recovery, hard drive

My encrypted hard drive, a Western Digital WD5000BPVT running Ubuntu 14.04, crashed and the person doing the data recovery on it is asking where the encryption key is stored on the hard drive so that he can focus his repairs in that area. He is also asking what kind of encryption it is and other info but I think I can find that in other questions.

He also told me I should try to find the original device because it might be encrypted with that laptop's serial number. It's very important to me that this guy does not find out what is on this hard drive because it's a cryptocurrency wallet and he could steal it without a trace.

Is it unreasonable for me to ask him just to make an image of the disk? Should I find a new recovery guy?

Best Answer

  • If you used Ubuntu's built-in encryption during the Ubiquity installation process, your disk was encrypted with LUKS.

    In a LUKS partition, the header is up to the first two mebibytes (2MiB). If you can't recover the header, you can't recover your data because the header contains the key to decrypt the rest of the partition.

    To get that key, you need a valid password or keyfile to match one of the eight key slots.

    I recommend keeping the password to yourself, especially since you don't seem to trust the data recovery technician. He seems to be clueless about the encryption, too: it's not encrypted with the laptop's serial number; you use a password to decrypt.

    Back up the LUKS header and partition

    You should image what you can of the disk, and keep an extra copy of the LUKS header. You can easily make a backup of the LUKS header with this command:

    cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /media/sda2.luksHeaderBackup

    … where /dev/sda2 is the LUKS partition and /media/sda2.luksHeaderBackup is where you want to save the header backup.

    To rescue the LUKS partition, you can use gddrescue:

    ddrescue -Svv /dev/sda2 /somewhere/else/rescue.img /somewhere/else/ddrescue.log

    … where /somewhere/else is the path to a mount that has more free space than the size of /dev/sda2.

    gddrescue's map file at /somewhere/else/ddrescue.log can also help you identify what areas of your hard drive are unreadable.

    Reading the copied image

    To unlock /somewhere/else/rescue.img, use this command:

    cryptsetup luksOpen /somewhere/else/rescue.img rescue

    Enter your password, and cryptsetup will map the unlocked partition to /dev/mapper/rescue.

    You can now mount /dev/mapper/rescue:

    mount /dev/mapper/rescue /mnt

    And your files would be in /mnt.


    Edge case for consideration: Full disk image instead of partition image

    If you decide to make an image of the full disk rather than just the partition, you'd need to map the partition inside the full disk image.

    You can do this with one of these options (though other options do exist):

    # Option 1
    kpartx -av /somewhere/else/rescue.img
    
    # Option 2
    LODEVICE="$(losetup -f)"
    losetup -P "$LODEVICE" /somewhere/else/rescue.img

    You can then find your LUKS partition with this command:

    blkid /dev/loop* | grep crypto_LUKS

    If /dev/loop0p2 is your LUKS partition, you'd unlock /dev/loop0p2 instead of /somewhere/else/rescue.img.
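Two points in the answer can be checked offline before handing anything to a technician: the LUKS header and all key-slot material sit at the start of the partition (the "first two mebibytes"), and the ddrescue map file records exactly which byte ranges could not be read. The Python below is an added example, not code from the answer, from cryptsetup or from ddrescue. It assumes a LUKS1 image, which is what the Ubuntu 14.04 installer produced, and a map file whose offsets are relative to the partition image (the map written when imaging /dev/sda2 directly, not the whole disk). Field offsets follow the LUKS1 on-disk specification; the header bytes and the map file in the block are constructed samples, not data from a real drive.

```python
import struct

# Layout constants from the LUKS1 on-disk format specification.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_SIZE = 592           # bytes occupied by the LUKS1 header struct itself
SLOT_COUNT = 8
SLOT_ACTIVE = 0x00AC71F3  # key-slot state values
SLOT_DISABLED = 0x0000DEAD
SECTOR = 512


def parse_luks1_header(data: bytes) -> dict:
    """Parse the LUKS1 header at offset 0 of a partition image."""
    if len(data) < PHDR_SIZE:
        raise ValueError("image is shorter than a LUKS1 header")
    if data[:6] != LUKS_MAGIC:
        raise ValueError("LUKS magic missing: header unreadable or not a LUKS partition")
    version = struct.unpack(">H", data[6:8])[0]
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    slots = []
    for i in range(SLOT_COUNT):
        base = 208 + i * 48
        state = struct.unpack(">I", data[base:base + 4])[0]
        km_offset, stripes = struct.unpack(">II", data[base + 40:base + 48])
        slots.append({
            "slot": i,
            "active": state == SLOT_ACTIVE,
            # Anti-forensic split key material: stripes * key_bytes bytes at km_offset sectors.
            "material_start": km_offset * SECTOR,
            "material_end": km_offset * SECTOR + stripes * key_bytes,
        })
    cipher = data[8:40].rstrip(b"\0") + b"-" + data[40:72].rstrip(b"\0")
    return {
        "cipher": cipher.decode("ascii", "replace"),
        # The header and every slot's key material sit before the payload offset.
        "header_region_end": payload_offset * SECTOR,
        "slots": slots,
    }


def parse_ddrescue_map(text: str) -> list:
    """Return (pos, size, status) entries from a GNU ddrescue map file."""
    entries, seen_status = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not seen_status:  # first data line is "current_pos current_status"
            seen_status = True
            continue
        pos, size, status = line.split()[:3]
        entries.append((int(pos, 0), int(size, 0), status))
    return entries


def unfinished_overlaps(entries: list, start: int, end: int) -> list:
    """Map entries not marked finished ('+') that intersect [start, end)."""
    return [(p, p + s, st) for p, s, st in entries
            if st != "+" and p < end and p + s > start]


def assess_image(data: bytes, map_text: str) -> dict:
    """Report which parts of the LUKS header region the rescue could not read."""
    hdr = parse_luks1_header(data)
    entries = parse_ddrescue_map(map_text)
    active = [s for s in hdr["slots"] if s["active"]]
    return {
        "phdr_unreadable": bool(unfinished_overlaps(entries, 0, PHDR_SIZE)),
        "header_region_unreadable": bool(unfinished_overlaps(entries, 0, hdr["header_region_end"])),
        "active_slots": [s["slot"] for s in active],
        "damaged_active_slots": [s["slot"] for s in active if unfinished_overlaps(
            entries, s["material_start"], s["material_end"])],
    }


def sample_header() -> bytes:
    """Constructed LUKS1 header (not from a real disk): slot 0 active, payload at 2 MiB."""
    hdr = bytearray(PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11], hdr[40:51], hdr[72:76] = b"aes", b"xts-plain64", b"sha1"
    struct.pack_into(">II", hdr, 104, 4096, 64)  # payload at sector 4096 (2 MiB), 64-byte key
    for i in range(SLOT_COUNT):
        base = 208 + i * 48
        struct.pack_into(">II", hdr, base, SLOT_ACTIVE if i == 0 else SLOT_DISABLED, 100000)
        struct.pack_into(">II", hdr, base + 40, 8 + i * 504, 4000)  # material offset, stripes
    return bytes(hdr)


# Constructed ddrescue map: a single 512-byte unreadable block ('-') at offset 0x1000.
SAMPLE_MAP = """\
# Mapfile. Constructed sample, not the output of a real ddrescue run.
# current_pos  current_status
0x00200000     +
#      pos        size  status
0x00000000  0x00001000  +
0x00001000  0x00000200  -
0x00001200  0x001FEE00  +
"""
```

Against a real rescue you would call `assess_image(open("rescue.img", "rb").read(PHDR_SIZE), open("ddrescue.log").read())`. In the constructed sample the 592-byte header struct is intact, so `cryptsetup luksDump` would look healthy, yet the one bad block falls inside slot 0's key material and slot 0 is the only active slot: the passphrase can no longer reconstruct the master key from that image, which is exactly the situation a separately kept `luksHeaderBackup` file resolves. The parser refuses anything but version 1 because LUKS2 uses a different, larger header layout.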