This week, I learnt that even slightly modifying the header of a LUKS-protected hard disk will result in the complete and irretrievable destruction of all data on the disk. And I learnt it the hard way.
My old 1TB Seagate external hard drive was damaged a few years ago by a write cycle that wouldn’t die. At the time, I managed to rescue all the data with the checkdisk tool because it was using the NTFS filesystem.
This year, I reformatted the entire disk and experimented with a LUKS encrypted hard-disk running the ext4 filesystem. Two days ago, the worst came to pass, and my hard-disk began to make clicking noises the likes of which told me it would not be mountable properly.
Without reading anything about LUKS at the time, I proceeded to repeatedly attempt to decrypt my disk long enough to run fsck on the disk.
Which turned out, in retrospect, to be the worst thing I could have done. As the FAQ for cryptsetup states:
"First, disks die. The rate for well-treated (!) disk is about 5% per year, which is high enough to worry about. There is some indication that this may be even worse for some SSDs. This applies both to LUKS and plain dm-crypt partitions.
Second, for LUKS, if anything damages the LUKS header or the key-stripe area then decrypting the LUKS device can become impossible. This is a frequent occurrence."
Whether it was apparently damaged, or whether it was that I ran fsck, which wrote things into the header, I had effectively found myself with a key to a doorknob that had mutated into an Eldritch horror. Whatever was behind that door is, for all purposes, lost to all.
So let this be a warning to anyone using a LUKS encrypted drive. Back up your disk headers so that one day, should you find yourself under the unfortunate circumstances of a damaged hard drive, you will be able to change the doorknob with the one that worked with your key.
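One way to take that header backup with cryptsetup, as an added example that is not part of the original post: the function name `backup_luks_header`, the script name and the `/dev/sdX1` path in the usage comment are placeholders, and the script assumes it is run as root on a device that still unlocks normally.

```bash
#!/usr/bin/env bash
# Added example: back up a LUKS header and check that the copy is usable.
# Run as root. Device path and backup directory are supplied by the caller.

backup_luks_header() {            # hypothetical helper name
    local dev="$1" dir="$2" out name
    if [ -z "$dev" ] || [ -z "$dir" ]; then
        echo "usage: backup_luks_header <device> <backup-dir>" >&2
        return 2
    fi

    # Only proceed while the device still carries a readable LUKS header.
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev: no valid LUKS header found" >&2
        return 1
    fi

    mkdir -p "$dir" || return 1
    name="luks-header-$(basename "$dev")-$(date +%Y%m%d-%H%M%S).img"
    out="$dir/$name"

    # Copies the header and key-slot area into a regular file.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
    chmod 600 "$out"

    # The copy must itself parse as a LUKS header, otherwise it is useless.
    if ! cryptsetup luksDump "$out" >/dev/null; then
        echo "$out: backup does not parse as a LUKS header" >&2
        rm -f "$out"
        return 1
    fi

    # Checksum so that later corruption of the backup file is detectable.
    ( cd "$dir" && sha256sum "$name" > "$name.sha256" ) || return 1
    echo "$out"
}

# Restoring later overwrites the header on the device:
#   cryptsetup luksHeaderRestore <device> --header-backup-file <backup.img>

# Usage: ./luks-header-backup.sh /dev/sdX1 /path/on/another/disk
if [ "$#" -eq 2 ]; then
    backup_luks_header "$1" "$2"
fi
```

Keep the backup file on a different disk from the one it protects, and treat it as sensitive: it contains the key slots, so any passphrase that was valid when the backup was taken can still unlock the data with it.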