Recover data from encrypted file systems

Hands-On Lab

 

Michael Christian

Course Development Director in Content

Length

01:00:00

Difficulty

Advanced

In this exercise, you will recover an encrypted LUKS partition by using a backup LUKS header file.

Introduction

Users have lost access to an encrypted volume after a disgruntled employee made changes to it. The issue has been escalated to you for resolution.

The system documentation states that a backup of the LUKS header exists at /root/vg_1-lv_1.header.

Solution

Start by logging in to the lab servers using the credentials provided on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Become the root user:

sudo su -

Unlock the encrypted device

  1. Review the contents of /etc/crypttab:

    cat /etc/crypttab
  2. Review the contents of /etc/fstab:

    cat /etc/fstab
  3. Attempt to mount /luks:

    mount /luks
  4. Look for the unlocked device in /dev/mapper:

    ll /dev/mapper
  5. Attempt to open manually:

    cryptsetup luksOpen /dev/mapper/vg_1-lv_1 luks-vg_1-lv_1 --key-file /root/passphrase.key
  6. View the key slots:

    cryptsetup luksDump /dev/mapper/vg_1-lv_1
  7. No key slots are in use. Locate the header backup in /root/:

    ll /root/
  8. Restore header file:

    cryptsetup luksHeaderRestore /dev/mapper/vg_1-lv_1 --header-backup-file /root/vg_1-lv_1.header
  9. When prompted to confirm, type uppercase YES.

  10. Attempt to open manually again (using the same key and name as in /etc/crypttab):

    cryptsetup luksOpen /dev/mapper/vg_1-lv_1 luks-vg_1-lv_1 --key-file /root/passphrase.key
  11. Verify unlocked device:

    ll /dev/mapper
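
The key-slot check from step 6 and the restore from step 8 can be scripted so that the backup is validated and the tampered header is preserved before it is overwritten. This is an added example, not part of the lab: the function names, the path used for the saved header, and the sample dumps are assumptions, and the LUKS2 pattern follows the `Keyslots:` layout printed by cryptsetup 2.x.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): pre-restore checks for the steps above.
# Count active key slots in `cryptsetup luksDump` output read on stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2" under "Keyslots:".
count_active_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/  { n++ }
        /^Keyslots:/                 { in_ks = 1; next }
        in_ks && /^[A-Za-z]/         { in_ks = 0 }
        in_ks && /^  [0-9]+: luks2/  { n++ }
        END                          { print n + 0 }
    '
}

# Hypothetical wrapper: restore only from a backup that has a usable key slot,
# and keep a copy of the current (tampered) header first for later review.
safe_header_restore() {
    dev=$1; backup=$2
    slots=$(cryptsetup luksDump "$backup" | count_active_keyslots)
    if [ "$slots" -eq 0 ]; then
        echo "refusing: $backup has no active key slots" >&2
        return 1
    fi
    saved="/root/$(basename "$dev").pre-restore.$(date +%Y%m%d%H%M%S).header"  # assumed path
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$saved" || return 1
    cryptsetup luksHeaderRestore "$dev" --header-backup-file "$backup"
}

# Constructed luksDump excerpts for offline testing (not output from the lab).
SAMPLE_WIPED='Version:        1
Key Slot 0: DISABLED
Key Slot 1: DISABLED'
SAMPLE_LUKS1='Version:        1
Key Slot 0: ENABLED
    Iterations:             1000000
Key Slot 1: DISABLED'
SAMPLE_LUKS2='Version:        2
Keyslots area:  16744448 [bytes]
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
Tokens:
Digests:
  0: pbkdf2'
for s in "$SAMPLE_WIPED" "$SAMPLE_LUKS1" "$SAMPLE_LUKS2"; do
    printf '%s\n' "$s" | count_active_keyslots
done
```

In the lab this would be called as `safe_header_restore /dev/mapper/vg_1-lv_1 /root/vg_1-lv_1.header`; cryptsetup still asks for the uppercase YES confirmation.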

Mount the encrypted device

  1. Mount the unlocked device:

    mount /luks/
  2. View the files on the device:

    ll /luks/

Conclusion

Congratulations, you've completed this hands-on lab!