[Encryption Recovery] Am I out of luck?

Status
Not open for further replies.

Ibes

Dabbler
Joined
May 20, 2014
Messages
19
I spaced on backing up my encryption key, and I tried to upgrade to FreeNAS 9.3 from ~9.1.4 (I think?). First, I tried using the GUI upgrade, but it got stuck in a boot loop with an error that I don't remember.

Then, I did a dd on the installer ISO to the flash drive.

Well, the install didn't work on that flash drive (some permissions error), so I ended up putting FreeNAS 9.3 on a separate flash drive.

It was about this time that I remembered that I had to get an encryption key off of the original 9.1.x install, but I had already used Win32DiskImager to write to the drive. So the partition table was toast.

What I'm hoping is that the partition described here is still intact.

I have some experience digging through binary, so, if anyone can tell me anything about this partition (i.e. what format to look for and any signatures that might be consistent), that would be awesome.

I don't think I put a passphrase on it. If there was a passphrase, wouldn't I have had to type that password in to unlock the RAIDZ array upon boot?

TestDisk does something interesting when I run it on this disk. It finds this early on, but later erases it from the results. I'm thinking I might dig here first (though this will probably just end up being the ISO that I wrote to disk with Win32DiskImager).
FreeBSD 120 41 1 120 40 63 0

Thanks!
-- Henry
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
If you're talking about the key stored on the 4th partition, you're probably out of luck as I think the installer includes all four partitions that get written when using 'dd'.

You still need the key; not having a password just means FreeNAS can unlock the key automatically.
 

Ibes

Dabbler
Joined
May 20, 2014
Messages
19
> If you're talking about the key stored on the 4th partition, you're probably out of luck as I think the installer includes all four partitions that get written when using 'dd'.

Hmm, I guess what I'm looking to learn from this is where the key partition is stored. If the partition was built last in the installation, it could potentially still be after the ISO.

> You still need the key; not having a password just means FreeNAS can unlock the key automatically.

Sorry, I didn't mean to imply that I believed that negated the need for the key. I was trying to establish whether or not that ruled out the need for the passphrase (I didn't remember setting one up.)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It might be a good idea to use dd to make a copy of the USB drive before trying to do forensics on it. That being said, the chances of success are slim to none. You might be better off just restoring from backups. Honestly, these sorts of problems are why I don't mess with encryption. I'm more afraid of losing my cat videos than having the govt look at them.
 

Ibes

Dabbler
Joined
May 20, 2014
Messages
19
> It might be a good idea to use dd to make a copy of the USB drive before trying to do forensics on it. That being said, the chances of success are slim to none. You might be better off just restoring from backups. Honestly, these sorts of problems are why I don't mess with encryption. I'm more afraid of losing my cat videos than having the govt look at them.

I appreciate the advice. I made a backup of it almost immediately when I realized what I'd done. I've mostly come to the conclusion that the data is gone, but I'm willing to spend some time over the next few weeks to see if I can recover it. I'll have to dig through FreeNAS source code to see if I can find the format for that partition. Then I'll try to see if I can find any signatures on the image. *crossesfingers*
 

Ibes

Dabbler
Joined
May 20, 2014
Messages
19
Is there a chance anyone here knows any magic numbers for the partition or the type of partition so that I can look for it? It would make it a lot easier to see if it's there or already overwritten.
 

Ibes

Dabbler
Joined
May 20, 2014
Messages
19
In case anyone decides they want to try to find their key, I recommend this strategy:

Dump your entire device to image.dd

grep -aborE "[a-f0-9-]{36}\.key" image.dd

The output of this message will be a long filename you can search for.

That will tell you if there's a chance your key is still intact.

bvi is a helpful hex editor for this sort of investigation.

Once you load up bvi, type / followed by your filename.

My key was just about 0x180 past the filename.
 

Craig2

Cadet
Joined
Aug 22, 2015
Messages
2
Thank you Ibes! Your post helped me save about 7TB of data that I had accumulated over many years. A couple helpful tips for anyone else having to resort to this method:
1. Noticed that Ibes says the key is after the filename you find in bvi... don't try to carve out the filename, it won't work.
2. Here is a good article explaining how to carve the key out of your dd.img: http://scx030c064.blogspot.com/2013/02/carving-with-dd.html
3. I think you may need to name the resulting key that you carve out with the original name (not sure about this).
4. My key was 64 bytes in length. If you're getting some other number, you may be looking at the wrong place.
 

Ibes

Dabbler
Joined
May 20, 2014
Messages
19
Hah, stoked it was of help to someone else! I lost and recovered a similar amount of data.

Yeah, mine was 64 bytes as well, 0x40 length.
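
The search-and-carve procedure from the posts above, as an added example that is not code from anyone in the thread: it finds the leftover `.key` filename in a dd image, lists the non-zero data runs that follow it with their distance, length and entropy, and carves 64 bytes only if they look like key material. The 0x400 search span, the zero-padding split, the entropy threshold and the sample filename and key are assumptions constructed for illustration.

```python
import math, mmap, re, sys

NAME_RE = re.compile(rb"[a-f0-9-]{36}\.key")  # same pattern as the grep in the thread
KEY_LEN = 0x40   # 64 bytes, the length both posters report
SPAN = 0x400     # assumption: how far past the filename to look

def entropy(buf):
    """Shannon entropy in bits per byte; 6.0 is the ceiling for 64 bytes."""
    n = len(buf)
    return -sum(buf.count(b) / n * math.log2(buf.count(b) / n) for b in set(buf))

def key_names(image):
    """(offset, name) for every <uuid>.key filename still present in the image."""
    return [(m.start(), m.group().decode()) for m in NAME_RE.finditer(image)]

def data_runs(image, name_off):
    """Non-zero runs after a filename hit, split on 8+ zero bytes (assumed padding).
    Returns (distance_from_filename, length, entropy) per run."""
    base = name_off + 40                      # 36-char name + ".key"
    window = image[base:base + SPAN]
    runs, pos = [], 0
    for m in re.finditer(rb"\x00{8,}|\Z", window):
        if m.start() > pos:
            chunk = window[pos:m.start()]
            runs.append((40 + pos, len(chunk), round(entropy(chunk), 2)))
        pos = m.end()
    return runs

def carve(image, name_off, distance, length=KEY_LEN):
    """Copy `length` bytes at name_off + distance; reject short or non-random data."""
    key = image[name_off + distance:name_off + distance + length]
    if len(key) != length or entropy(key) < 5.0:  # assumed "looks random" threshold
        raise ValueError("implausible key material, probably the wrong offset")
    return key

def sample_image():
    """Constructed image: zero fill, a leftover filename, a key 0x180 after it."""
    img = bytearray(0x2000)
    img[0x1000:0x1028] = b"0a1b2c3d-0000-1111-2222-333344445555.key"  # constructed
    img[0x1180:0x11C0] = bytes((i * 37 + 11) % 251 + 1 for i in range(64))
    return bytes(img)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # a dd image; mmap avoids loading it all into RAM
        with open(sys.argv[1], "rb") as f:
            image = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        image = sample_image()
    for off, name in key_names(image):
        print(hex(off), name, [(hex(d), n, e) for d, n, e in data_runs(image, off)])
```

A run of exactly 64 bytes with entropy near 6.0 is the candidate to carve; a real key that happens to begin or end with a zero byte would show up one byte short, so check neighbouring bytes in a hex editor before discarding it.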
 