Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Truecrypt Partition Accidentally Overwritten

Posted on 2010-08-26
Medium Priority
Last Modified: 2013-12-01
Truecrypt Partition Accidentally Overwritten: PLEASE HELP!


I mistakenly selected the wrong external HDD and deleted two partitions (simple wipe, no zero out) and created two new ones over top of them.  I caught the mistake right after I established the two new partitions and nothing has been written to the drive.  I have mounted the disk to my Mac to run TestDisk.

The original HDD partition arrangement:

Partition 1: Mac OS Extended named "Macintosh HD 2"
Partition 2: TrueCrypt Partition

The current situation:


The Ask:

Does anyone know of a solution to restore the TrueCrypt partition other then calling a data recovery specialist?  I don't have a backup of the partition header and the tools I've tried so far all seem to focus on retrieving files.  There aren't any that recover a partition table of an otherwise healthy volume.

I just need to restore the partition table to mount the drive via TrueCrypt to access the data.  I've read that it might be possible to recreate the same partition layout, but I don't want to attempt anything for fear of ruining my chances of recovery.


I referenced a lot of information from this EE question:

TestDisk wiki entry on TrueCrypt volume recovery:

I also went through TestDisk partition recovery and ended up hitting a road block where write access for the disk isn't available.

1 [Sudo] Root access
2 [Create] Create a new log file
3 Select the raw disk "/dev/rdisk2 - 500 GB/465 GiB (RO)"


4 "Write access for this media is not available."


5 [Continue] I go ahead and continue w/o write access
7 [Analyse]


8 [Quick Search]


Any and all help is greatly appreciated!
Question by:gnos
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
  • +2
LVL 27

Accepted Solution

Tolomir earned 2000 total points
ID: 33539250
as the wiki entry says, you need a backup of the header to proceed.

If the header gets corrupted or the container reformatted, TrueCrypt will display Incorrect password or not a TrueCrypt volume.. Using a backup of the volume header is the only possibility to recover the data.

After restoring the backup you use testdisk to recover the remaining disk.


Truecrypt stores the decryption schema of a partition in the header, each header is unique, even when using the same password for the encryption, so there is no way to redo tasks and get "some header" back to get access to the partition.

Sorry but  you should really think of a backup plan next time.

LVL 27

Expert Comment

ID: 33539290
Just an explanation: the master key is not your password, but a unique key that is made during the truecrypt partition creation and used to encrypt the actual data.
The master key is only used internally to grant access to the data and it is unlocked when you enter the password.

You can change the header key deviation algorithm and truecrypt password for accessing the partition, changing the master key would involve modifying each bit in the encrypted volume, with todays large harddisks this would take several hours.

LVL 47

Expert Comment

ID: 33539771
It seems to me that your data is lost completely. Encrypted partitions are not designed to let someone to retrieve the data from any HDD which has been encrypted. Also data recovery specialist will not help you here as well.
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

LVL 27

Expert Comment

ID: 33540422
A data recovery specialist could recover the mentioned header. Even when deleted. Then he could unformat the deleted partition. There is no need to recover the encrypted
files, because the asker knows the password.
Default tools can only recover files in their original form. So they are of no use here.  
LVL 47

Expert Comment

ID: 33540663
Would be nice if recovery specialist could do that. One of my friends did work for encryption software company and he told me that recovery chances in such cases are very little.
LVL 27

Expert Comment

ID: 33541183
Well that depends on if the original data is overwritten.

If, in this case, the master key is not recoverable there is no way to decrypt the partition. You got no redundancy as on unencrypted data where guessing is possible. "w0rt" - could be "word" but "x5ersx" is what ....
LVL 47

Expert Comment

ID: 33543319
I will make it short and sweet.  Give up. There is no way to recover w/o the master key (or some quantum computers).

Expert Comment

ID: 33547851
If you want to try and recreate the partition table I suggest trying it on a clone of the drive.  Boot with a Linux rescue CD such as sysresccd.org and do a DD and copy 100% of the drive to another same size drive (or to a file) and then do the recovery test on the copy instead of the original.

I would even consider doing the DD across the network to a identically sized Virtual machine HDD (ie VHD) ...that way you can try your partition recreation after a snapshot is taken so that if it doesn't work you can undo the snapshot and try again....and again.

From a Linux virtual machine you should at least be able to see when it recognizes the Mac partion propertly then you could try connecting truecrypt.

But alas I don't give much hope, but it would be much faster to try iterations of changing the partition sizes than trying to crack the encyption which would never happen.


Expert Comment

ID: 33547872
Oops...I didn's see the response that the master key was in the partition table.  Yep no hope then.  Sorry.

Author Comment

ID: 33549057
Okay, thanks all.  I'm letting go of the data.
LVL 27

Expert Comment

ID: 33549734
If you intend to use encrypted partitions again, please use the suggestions to backup the data and export the header from the truecrypt volume.

It happened to me too, that I did kill an encrypted partition, luckily I had a 2 months old backup. So the dataloss was acceptible.  


Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question