I have an ext4 LUKS partition where I "deleted" a file. (I moved one into the other: mv /media/HDD/file1.txt /media/HDD/file2.txt where both file1.txt and file2.txt already existed).

Files in the directory had consecutive inode numbers so I can guess the one I lost using ls -il, let's call it 12345678.

I tried find -inum 12345678 -exec gedit {} \; to open it (which works with the rest of the files), but since it only searches in the directory it doesn't work with my lost file.

I tried debugfs (unlocking first: udisksctl unlock -b /dev/sdb) like this:

~$ sudo debugfs /dev/sdb
debugfs 1.45.5 (07-Jan-2020)
debugfs: Bad magic number in super-block while trying to open /dev/sdb
/dev/sdb contains a crypto_LUKS file system
debugfs:

The same happens if I don't unlock the partition.

Why does it say "Bad magic number"? How can I make it open the file? Is there any other way to recover my file?

I'm running Ubuntu 20.04.

1
  • find -inum 12345678 cannot find any deleted i-node.
    – U. Windl
    Commented Apr 28, 2021 at 9:24

1 Answer

2

I tried debugfs (unlocking first: udisksctl unlock -b /dev/sdb) like this: […]

The same happens if I don't unlock the partition. Why does it say "Bad magic number"?

LUKS doesn't change the way ext4 works. However, it changes where ext4 is.

Locking/unlocking a volume doesn't work like a toggle switch, it works like opening/closing a container. That is, when you "unlock" a LUKS volume, this doesn't change the original partition in any way – if /dev/sda1 contained encrypted LUKS data before, it'll still contain encrypted LUKS data afterwards, i.e. not ext4.

Instead the plaintext ext4 filesystem has to be accessed through a new device, usually /dev/mapper/luks-something, which filters read or written data through the LUKS encryption/decryption. So the correct command would be similar to:

sudo debugfs /dev/mapper/luks-whatever

(That aside, /dev/sdb is not a partition – it's the whole disk. Its partitions would have devices named /dev/sdb1, /dev/sdb2, and so on. It's relatively normal to have LUKS and/or ext4 directly on the whole disk, but that doesn't turn it into a partition.)

Is there any other way to recover my file?

The Arch Linux wiki recommends the ext4magic tool.

The older extundelete tool may also work, although it's outdated and does not work with ext4 filesystems using metadata checksums.

Because your ext4 filesystem is inside LUKS, all such tools need to be run on the "mapper" device that 'udisksctl unlock' has created – not on the raw disk.

1
  • Thanks! It was at /dev/dm-0. And yes it was a whole disk, not a partition. Commented Oct 12, 2020 at 18:59
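
The "Bad magic number" message in the question follows from where each format keeps its signature. The sketch below is an added example, not part of the original answer: it checks the LUKS signature at byte 0 and the ext2/3/4 superblock magic (0xEF53 at byte 1024 + 56). The names identify and make_image are hypothetical, and the sample images are constructed.

```python
import struct
import tempfile

LUKS_MAGIC = b"LUKS\xba\xbe"           # first 6 bytes of a LUKS1/LUKS2 header
EXT_SB_OFFSET = 1024                   # primary ext2/3/4 superblock starts here
EXT_MAGIC_OFFSET = EXT_SB_OFFSET + 56  # s_magic field, little-endian u16
EXT_MAGIC = 0xEF53


def identify(path):
    """Return 'crypto_LUKS', 'ext2/3/4' or 'unknown' for a device or image."""
    with open(path, "rb") as dev:
        head = dev.read(EXT_MAGIC_OFFSET + 2)
    # The raw (locked or unlocked) LUKS device always starts with the LUKS header.
    if head.startswith(LUKS_MAGIC):
        return "crypto_LUKS"
    # The ext4 magic is only visible on the decrypted mapper device.
    if len(head) >= EXT_MAGIC_OFFSET + 2:
        (magic,) = struct.unpack_from("<H", head, EXT_MAGIC_OFFSET)
        if magic == EXT_MAGIC:
            return "ext2/3/4"
    return "unknown"


def make_image(kind):
    """Write a constructed 4 KiB sample image and return its path."""
    data = bytearray(4096)
    if kind == "luks":
        data[0:6] = LUKS_MAGIC
        struct.pack_into(">H", data, 6, 2)  # header version, big-endian
    elif kind == "ext4":
        struct.pack_into("<H", data, EXT_MAGIC_OFFSET, EXT_MAGIC)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as f:
        f.write(data)
    return f.name


if __name__ == "__main__":
    # Constructed stand-ins for the raw disk, the mapper device and an empty disk.
    for kind in ("luks", "ext4", "blank"):
        print(kind, "->", identify(make_image(kind)))
```

Run as root against real devices, identify("/dev/sdb") would report crypto_LUKS while the mapper device (here /dev/dm-0) would report ext2/3/4; the function only reads.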
