Encrypted storage appeared erased raw

Hello,
I have a Nitrokey Storage which worked like a charm these previous months on both Windows 10 and Linux Manjaro.
For the past 2 days, I have been unable to mount my encrypted volume both on Windows and Linux, both with Nitrokey App 1.2.1 and 1.3.3. The firmware is version 0.50.
I manage to unlock the encrypted volume, but once unlocked, it does not show up, and Windows asks to format it.
When I look further at the partition (unlocked), it shows as RAW.

This behaviour occurred just after I first created an OTP slot.

Any idea?
Will I be able to get back the data in the encrypted volume?

Thanks for the support.

Hi edd39,

this sounds most unfortunate, but let’s see!

I would guess you either have somehow created a new AES key by creating the OTP (don’t know how) or the partition table got destroyed (the latter would be better somehow). Did you use the password safe before? Did you maybe play around with the smartcard’s features or alike (factory-reset, changing DOs)? Did you format the partition on Windows or on Linux? What filesystem type did you use? FAT32/vfat? (I am just poking around a bit).

Kind regards
Alex

Hello Alex,

Thank you for your support.
I am not sure the OTP creation and data disappearance (temporary?) in the encrypted partition are linked, but there may be a time correlation. The other action being time related was updating the Nitrokey application using the AUR package for Arch Linux (in fact Manjaro).
Regarding your questions:
Did you use the password safe before?

  • No

Did you maybe play around with the smartcard’s features or alike (factory-reset, changing DOs)?

  • No (I have not even an idea of the above features)

Did you format the partition on Windows or on Linux? What filesystem type did you use? FAT32/vfat? (I am just poking around a bit).

  • I initially formatted the partition on Windows using FAT32.

Don’t hesitate to ask for any additional details.
Have a nice day

Hey,

Did anything else change? So, do you use email encryption and is this still working normally, or didn’t you ever use this function? What else did you use, or did you always just use the encrypted storage and no other function of the Storage? Hidden volumes? Anything?

The reason I am asking is to figure out whether the AES key got deleted/changed or not. If it is not deleted I personally would try to use a data recovery tool for FAT32. Depending on how important the data stored is for you, you may want to ask a professional for this task or just try tools found on the web. This step is useless if the AES keys changed though.

Kind regards
Alex

Hello Alex,
Thank you for the follow-up.
I solely used the encrypted storage function until I tried to use the Nitrokey for 2-factor authentication.
I haven’t used any other function (no email encryption, hidden volumes…).

Do you think the AES keys changed when creating the OTP?

Or do you think something corrupted the FAT32 partition and I should try to recover it?
If we go with the partition corruption, do you have any clue if the OTP creation/Nitrokey use may have caused it, or if it would have been something else?

Have a nice day,
Best

Hello,

To be honest, I am just not sure what happened here. I do not see how one or the other could happen in the first place. It looks more like a changed AES key, but I can’t say why this should have happened just by creating an OTP (at least, never seen this before). I am a little lost here as well…

At least I doubt that creating an OTP key could corrupt the partition itself.

@szszszsz Do you have any idea?

Kind regards
Alex

Hello Alex,

If I can run any type of diagnostic to provide some light, don’t hesitate to ask, I will be pleased to do it.
Is there a way to know if the AES key has been changed?

Thanks for the support!
Best

Hey edd39,

sorry for the late response!

So what I would probably do is test with a kind of non-intrusive recovery tool (in the sense that it does not change things, but only reads the disk). If it is just the filesystem which broke, you don’t have any other option anyway, I guess.

If it is a changed AES key you probably have no option at all. I am sorry.

Maybe we are lucky and @szszszsz has an idea, but it seems that he isn’t available right now, sorry.

Kind regards
Alex

Thank you for the follow-up Alex,

Do you have any non-intrusive recovery tool to suggest to me? (either on Windows or Linux).

For a possible change of the AES key, is there any way to know if it was indeed changed? (some kind of log or any other modality?)

I now understand I probably will need to accept the data loss.
The good thing is that this will reinforce my backup process.

Have a nice day,
Best

Have a look at TestDisk.

ciao

luigi

Thank you Luigi, I will.

Best

Hello all,

I have used TestDisk and no partition was found (see the results below).
I will reformat my encrypted volume to be able to use it again.

Thanks for the support.
I will surely tell you if it happens again.
Best

Thu Jun  7 19:59:26 2018
Command line: TestDisk
TestDisk 7.0, Data Recovery Utility, April 2015

Partition table type (auto): None
Disk /dev/sdc - 28 GB / 26 GiB - Nitrokey Nitrokey Storage
Partition table type: Intel

Interface Advanced
New options :
 Dump : No
 Align partition: Yes
 Expert mode : No

Analyse Disk /dev/sdc - 28 GB / 26 GiB - CHS 27615 64 32
Current partition structure:

Partition sector doesn't have the endmark 0xAA55

search_part()
Disk /dev/sdc - 28 GB / 26 GiB - CHS 27615 64 32

Results

interface_write()
 
No partition found or selected for recovery

search_part()
Disk /dev/sdc - 28 GB / 26 GiB - CHS 27615 64 32
FAT32 at 0/0/7
FAT1 : 5166-18966
FAT2 : 18967-32767
start_rootdir : 32768 root cluster : 2
Data : 32768-56557535
sectors : 56557567
cluster_size : 32
no_of_cluster : 1766399 (2 - 1766400)
fat_length 13801 calculated 13801
heads/cylinder 255 (FAT) != 64 (HD)
sect/track 63 (FAT) != 32 (HD)
set_FAT_info: name from BS used

FAT32 at 0/0/7
     FAT32 LBA                0   0  1 27615  63 31   56557567 [NO NAME]
     FAT32, blocksize=16384, 28 GB / 26 GiB
Partition not added.
file_pread(6,16,buffer,10330192(5044/2/17)) read err: Input/output error
[...]
file_pread(6,11,buffer,56555710(27615/5/31)) read err: read after end of file

Results

interface_write()
 
No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
file_pread(6,1,buffer,0(0/0/1)) read err: read after end of file

Partition: Read error
Store new MBR code
write_all_log_i386: starting...
No extended partition

TestDisk exited normally.
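A read-only way to approach the "filesystem damage or different AES key?" question raised in this thread, as an added example that is not part of any post here and not Nitrokey's own tooling. It assumes the unlocked volume was formatted as FAT32 directly on the device with the backup boot sector at sector 6 (the usual default), and that data decrypted under a different key reads as near-random bytes; the function names, sample data and entropy threshold are this example's own.

```python
import math
import sys
from collections import Counter

SECTOR = 512
BACKUP_LBA = 6     # assumption: usual FAT32 backup boot sector location
RANDOM_BITS = 7.5  # assumption: bits/byte above which data counts as random

def read_head(path, sectors=64):
    """Read the first sectors of the unlocked volume; opened read-only."""
    with open(path, "rb") as dev:
        return dev.read(sectors * SECTOR)

def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_fat32_boot_sector(sec):
    """0x55 0xAA end mark at offset 510 plus the FAT32 type string at offset 82."""
    return len(sec) == SECTOR and sec[510:512] == b"\x55\xaa" and sec[82:90] == b"FAT32   "

def classify(head):
    primary = is_fat32_boot_sector(head[:SECTOR])
    backup = is_fat32_boot_sector(head[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR])
    if primary:
        return "intact"        # boot sector decrypts and parses
    if backup:
        return "backup-only"   # plaintext still decrypts; sector 0 is damaged
    if entropy(head) > RANDOM_BITS:
        return "random"        # consistent with a different key (or never formatted)
    return "inconclusive"

def constructed_boot_sector():
    """Constructed sample: a sector carrying only the two markers checked above."""
    sec = bytearray(SECTOR)
    sec[82:90] = b"FAT32   "
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(classify(read_head(sys.argv[1])))  # path of the unlocked device node
    else:
        damaged = bytes(6 * SECTOR) + constructed_boot_sector() + bytes(57 * SECTOR)
        print(classify(damaged))
```

The device is only ever opened with mode `"rb"`, so the check stays in the non-intrusive category discussed above.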

I suppose an AES256 key change.

I have a self-made crypto partition (using VeraCrypt + passphrase + key file on smartcard/Nitrokey’s DO1).
I’m comfortable but I’m keeping a non-encrypted copy on a different USB memory (that has been placed into a drawer at home). I’m not James Bond and I can accept a secondary and backup copy.

My suggestion is to keep a copy anyway, but it’s a general suggestion.
My secondary suggestion is to separate keys from the data, if you work at MI6, of course.

ciao

luigi