From owner-freebsd-fs@freebsd.org Mon Mar 14 00:05:18 2016 Return-Path: Delivered-To: freebsd-fs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C7AEEACF1D4 for ; Mon, 14 Mar 2016 00:05:18 +0000 (UTC) (envelope-from luislupe@gmx.com) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 29067FA7 for ; Mon, 14 Mar 2016 00:05:17 +0000 (UTC) (envelope-from luislupe@gmx.com) Received: from localhost ([95.95.94.35]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MCtLD-1aWDiP1pYZ-009g2h for ; Mon, 14 Mar 2016 01:05:10 +0100 Date: Mon, 14 Mar 2016 00:05:08 +0000 From: "Luis P. Mendes" To: freebsd-fs@freebsd.org Subject: Possible to recover encryption key after newfs? Message-ID: <20160314000508.GA24712@hp.tbl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Provags-ID: V03:K0:ZR1jv3vYDUTrFCnAsm9nmdyWinhOGHCYejDvhCcAvl9hCwwidN7 XChLJK4azF/z5Hf5vMgsFdo0DHHldi2uSLhLnzZ9jsc5xzLVOTpdBYQI8W0TB/r5O5dA+LZ pa2u9/27dpoyQYdNQSOnsJ7+3YTrdt+i3SMeIo5DyjOvmuzXmudBTN4a2raZjwEwAMJFfOC RbXa6ns/OTJotzt62OCkg== X-UI-Out-Filterresults: notjunk:1;V01:K0:CAACjL7CzT0=:y2wLAv8hRU+StqGAnNCtgt yRIfKRvjQl60aYb95m065jEO++3E/mtHbZqt1RG/Mj+30QyuDQ0AP0GufFN+aiTd4dBqME7Iu MsZedJUWG00/bAWVqqnxHfivm+7xRo/F5hQcskap51vf+goZtiGwLoWt7D3ntat7zwGU4VojO 1KBjjAzd/43OoVI/tTXcGWQSqZbN2hk7vm1b/j0rq/oajuavf2lMx7kH5afQ7mqYXQ2dAcGiQ EMjoyoLht/AQ+mxDKIbJbnOH2Tp/uPI5RYa9sreuPXtcbMB+oEZibE4tkm0JXxoh9Wybk0l7z 48hC0Sa0U3IsXgc6rWU5KR7tFTtDT+azykzj/JqCh6a2iWNqSY+NFDr0FlW/zndcU8IfmyQ2I WwN6spNVF2sqOnsawIyMSL1NSaKedfRjEur1EtoHQTO48+xQXIqSREsZ8nkZiuhQ6B0Q0D011 tvspAtxNKgOzV/ZROJWZG5q7ujPTVMNpkOrZobejTAFnLwP0ZAK4iosM1OIOGacEvcgsgqaRT 31QLe1HHP4RcYAvau188Pgmt5oLh5FMO0AqTgMpSDHEunwc7Uf5jUVGWkyj+MwVWJigWXoSYF 2AOA7t8Y0fyLbGux4WNViSqVB9poRAhtTE0MvqWGIzKpDeFdU8do6i+WV0LJlVIcZUJQ3hROn oCY8mXmM1KRCr8YfmVYvoG5D3KicHWjZ9+eKLZ4vmbbXpH+Y36kMnFzGggiEo2p4B/SGjiFqE gtZRWQIjb8dOG58wQ8GgQpp2StiDRyGgu7ywCWg1SGqu6Nd7yeplPQhdw4Y= X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Mar 2016 00:05:18 -0000 Hi, A couple years ago, right when I was formatting a second hard drive to serve as backup of the first, I accidentally made a `newfs` of the /root slice of the first disk where the geli encryption key was stored for the slice of the data compartment. I ran several undelete softwares but could not find the file that had a filename of ada0p8.key or something like that. I don't remember whether it was just a alphanumeric file or plain binary, perhaps with 128 bytes long, but not sure. As such, the file has no signature, so the recover process by undelete softwares was not possible by this way. I also tried to examine hex data, but since it's a big 2GB partition I couldn't find the key file. So, is there a way to be able to recover this file? Some little program to read byte by byte and seek for only alphanumeric characters that are 128 bytes long? (if it's alphanumeric and if it's 128 bytes long...) Any other clues? -- Luis Mendes