Friday, 5 April 2019

How to open BitLocker drive on Ubuntu 18.04

If we have an external SSD encrypted with BitLocker and want to mount and access it on Ubuntu, we can use the dislocker package.

dislocker(1) - Linux man page

We can install it from the Ubuntu repository:

$ sudo apt install dislocker

Let's explore its arguments:

# dislocker --help
dislocker by Romain Coltel, v0.7.1 (compiled for Linux/x86_64)

Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]



    -c, --clearkey        decrypt volume using a clear key (default)
    -f, --bekfile BEKFILE
                          decrypt volume using the bek file (on USB key)
    -F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
    -h, --help            print this help and exit
    -k, --fvek FVEK_FILE  decrypt volume using the FVEK directly
    -l, --logfile LOG_FILE
                          put messages into this file (stdout by default)
    -O, --offset OFFSET   BitLocker partition offset, in bytes (default is 0)
    -p, --recovery-password=[RECOVERY_PASSWORD]
                          decrypt volume using the recovery password method
    -q, --quiet           do NOT display anything
    -r, --readonly        do not allow one to write on the BitLocker volume
    -s, --stateok         do not check the volume's state, assume it's ok to mount it

    -u, --user-password=[USER_PASSWORD]
                          decrypt volume using the user password method

    -v, --verbosity       increase verbosity (CRITICAL errors are displayed by default)

    -V, --volume VOLUME   volume to get metadata and keys from

    --                    end of program options, beginning of FUSE's ones

  ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.

Now we need to create two directories: one where dislocker will place the virtual NTFS partition (exposed as a file named dislocker-file), and one to serve as that partition's mount point:

root@bobox:~# mkdir /media/bitlocker
root@bobox:~# mkdir /media/mount

To find the device name of the external drive, you can execute the following command (as root) before and after connecting it to your computer and then compare the outputs:

root@bobox:~# fdisk -l

In my case the difference was:

Disk /dev/sdb: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xdeadbeef
Device     Boot Start        End    Sectors   Size Id Type
/dev/sdb1        2048 1953521663 1953519616 931.5G  7 HPFS/NTFS/exFAT

We can now decrypt the drive (note that we need root permissions):

root@bobox:~# dislocker -v -V /dev/sdb1 -uPASSWORD -- /media/bitlocker

Use -r to make the BitLocker drive read-only.

Now we need to mount the BitLocker drive onto the mount directory (note that we need root permissions here as well):

root@bobox:~# mount -o loop,rw /media/bitlocker/dislocker-file /media/mount

If we don't elevate to root, we'll get:

mount: only root can use "--options" option

If we haven't properly removed the drive from Windows, we might get the following warning:

The disk contains an unclean file system (0, 0).
The file system wasn't safely closed on Windows. Fixing.

To check all arguments for mount:

$ mount --help


 mount [-lhV]
 mount -a [options]
 mount [options] [--source] <source> | [--target] <directory>
 mount [options] <source> <directory>
 mount <operation> <mountpoint> [<target>]

Mount a filesystem.


 -a, --all               mount all filesystems mentioned in fstab
 -c, --no-canonicalize   don't canonicalise paths
 -f, --fake              dry run; skip the mount(2) syscall
 -F, --fork              fork off for each device (use with -a)
 -T, --fstab <path>      alternative file to /etc/fstab
 -i, --internal-only     don't call the mount.<type> helpers
 -l, --show-labels       show also filesystem labels
 -n, --no-mtab           don't write to /etc/mtab
 -o, --options <list>    comma-separated list of mount options
 -O, --test-opts <list>  limit the set of filesystems (use with -a)
 -r, --read-only         mount the filesystem read-only (same as -o ro)
 -t, --types <list>      limit the set of filesystem types
     --source <src>      explicitly specifies source (path, label, uuid)
     --target <target>   explicitly specifies mountpoint
 -v, --verbose           say what is being done
 -w, --rw, --read-write  mount the filesystem read-write (default)

 -h, --help              display this help

 -V, --version           display version


 -L, --label <label>     synonym for LABEL=<label>
 -U, --uuid <uuid>       synonym for UUID=<uuid>
 LABEL=<label>           specifies device by filesystem label
 UUID=<uuid>             specifies device by filesystem UUID
 PARTLABEL=<label>       specifies device by partition label
 PARTUUID=<uuid>         specifies device by partition UUID
 <device>                specifies device by path
 <directory>             mountpoint for bind mounts (see --bind/rbind)
 <file>                  regular file for loopdev setup


 -B, --bind              mount a subtree somewhere else (same as -o bind)
 -M, --move              move a subtree to some other place
 -R, --rbind             mount a subtree and all submounts somewhere else
 --make-shared           mark a subtree as shared
 --make-slave            mark a subtree as slave
 --make-private          mark a subtree as private
 --make-unbindable       mark a subtree as unbindable
 --make-rshared          recursively mark a whole subtree as shared
 --make-rslave           recursively mark a whole subtree as slave
 --make-rprivate         recursively mark a whole subtree as private
 --make-runbindable      recursively mark a whole subtree as unbindable

For more details, see mount(8).

We can now browse the files on the encrypted disk mounted to the local directory:

$ ls /media/mount/

To unmount the drives, use umount:

$ sudo umount /media/bitlocker
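The whole procedure above, collected into shell functions as an added example that is not part of the original post: it finds the newly attached partition, checks for the BitLocker signature before touching it, opens it read-only with a password prompt, and unmounts in reverse order. The function names are hypothetical; the paths and device names follow the post, and the signature check assumes the standard "-FVE-FS-" volume header.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# hypothetical; paths and device names follow the post. Run as root.

# List partitions that appear in the second saved `fdisk -l` output
# but not in the first (the before/after comparison from the post).
new_partitions() {
    awk 'FILENAME == ARGV[1] { if ($1 ~ /^\/dev\//) seen[$1] = 1; next }
         $1 ~ /^\/dev\// && !($1 in seen) { print $1 }' "$1" "$2"
}

# Succeed only if the volume carries the BitLocker "-FVE-FS-" signature,
# stored as 8 bytes at offset 3 of its first sector.
is_bitlocker() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "2d4656452d46532d" ]
}

# open_readonly PARTITION DISLOCKER_DIR MOUNT_POINT
open_readonly() {
    is_bitlocker "$1" || { echo "$1: no BitLocker signature" >&2; return 1; }
    mkdir -p "$2" "$3" || return 1
    # -r keeps the volume read-only; -u without a value makes dislocker
    # prompt, so the password stays out of shell history and `ps` output.
    dislocker -r -V "$1" -u -- "$2" || return 1
    # If the loop mount fails, release the FUSE mount again.
    mount -o loop,ro "$2/dislocker-file" "$3" || { umount "$2"; return 1; }
}

# close_volume DISLOCKER_DIR MOUNT_POINT
# Unmount in reverse order: the filesystem loop mount first, then the
# FUSE mount that provides dislocker-file.
close_volume() {
    umount "$2" && umount "$1"
}

# Usage (as root):
#   fdisk -l > /tmp/before; (plug the drive in); fdisk -l > /tmp/after
#   new_partitions /tmp/before /tmp/after        # e.g. /dev/sdb1
#   open_readonly /dev/sdb1 /media/bitlocker /media/mount
#   close_volume /media/bitlocker /media/mount
```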

