If we have an external SSD encrypted with BitLocker and want to mount it and access it on Ubuntu we can use dislocker package.
dislocker(1) - Linux man page
We can install it from Ubuntu repository:
$ sudo apt install dislocker
Let's explore its arguments:
# dislocker --help
dislocker by Romain Coltel, v0.7.1 (compiled for Linux/x86_64)
Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-c
Options:
-c, --clearkey decrypt volume using a clear key (default)
-f, --bekfile BEKFILE
decrypt volume using the bek file (on USB key)
-F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
-h, --help print this help and exit
-k, --fvek FVEK_FILE decrypt volume using the FVEK directly
-l, --logfile LOG_FILE
put messages into this file (stdout by default)
-O, --offset OFFSET BitLocker partition offset, in bytes (default is 0)
-p, --recovery-password=[RECOVERY_PASSWORD]
decrypt volume using the recovery password method
-q, --quiet do NOT display anything
-r, --readonly do not allow one to write on the BitLocker volume
-s, --stateok do not check the volume's state, assume it's ok to mount it
-u, --user-password=[USER_PASSWORD]
decrypt volume using the user password method
-v, --verbosity increase verbosity (CRITICAL errors are displayed by default)
-V, --volume VOLUME volume to get metadata and keys from
-- end of program options, beginning of FUSE's ones
ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.
Now we need to create two directories: one where we want dislocker to place a virtual NTFS partition which will be created as file named dislocker-file and its mount point:
root@bobox:~# mkdir /media/bitlocker
root@bobox:~# mkdir /media/mount
To find the device name of the external drive, you can execute the following command before and after connecting it to your computer and then compare the outputs:
root@bobox:~# fdisk -l
In my case the difference was:
Disk /dev/sdb: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xdeadbeef
Device Boot Start End Sectors Size Id Type
/dev/sdb1 2048 1953521663 1953519616 931.5G 7 HPFS/NTFS/exFAT
We can now decrypt the drive:
root@bobox:~# dislocker -v -V /dev/sdb1 -uPASSWORD -- /media/bitlocker
Use -r to make BitLocker drive read-only.
Now we need to mount BitLocker drive onto the mount directory:
root@bobox:~# mount -o loop,rw /media/bitlocker/dislocker-file /media/mount
To check all arguments for mount:
$ mount --help
Usage:
mount [-lhV]
mount -a [options]
mount [options] [--source] <source> | [--target] <directory>
mount [options] <source> <directory>
mount <operation> <mountpoint> [<target>]
Mount a filesystem.
Options:
-a, --all mount all filesystems mentioned in fstab
-c, --no-canonicalize don't canonicalise paths
-f, --fake dry run; skip the mount(2) syscall
-F, --fork fork off for each device (use with -a)
-T, --fstab <path> alternative file to /etc/fstab
-i, --internal-only don't call the mount.<type> helpers
-l, --show-labels show also filesystem labels
-n, --no-mtab don't write to /etc/mtab
-o, --options <list> comma-separated list of mount options
-O, --test-opts <list> limit the set of filesystems (use with -a)
-r, --read-only mount the filesystem read-only (same as -o ro)
-t, --types <list> limit the set of filesystem types
--source <src> explicitly specifies source (path, label, uuid)
--target <target> explicitly specifies mountpoint
-v, --verbose say what is being done
-w, --rw, --read-write mount the filesystem read-write (default)
-h, --help display this help
-V, --version display version
Source:
-L, --label <label> synonym for LABEL=<label>
-U, --uuid <uuid> synonym for UUID=<uuid>
LABEL=<label> specifies device by filesystem label
UUID=<uuid> specifies device by filesystem UUID
PARTLABEL=<label> specifies device by partition label
PARTUUID=<uuid> specifies device by partition UUID
<device> specifies device by path
<directory> mountpoint for bind mounts (see --bind/rbind)
<file> regular file for loopdev setup
Operations:
-B, --bind mount a subtree somewhere else (same as -o bind)
-M, --move move a subtree to some other place
-R, --rbind mount a subtree and all submounts somewhere else
--make-shared mark a subtree as shared
--make-slave mark a subtree as slave
--make-private mark a subtree as private
--make-unbindable mark a subtree as unbindable
--make-rshared recursively mark a whole subtree as shared
--make-rslave recursively mark a whole subtree as slave
--make-rprivate recursively mark a whole subtree as private
--make-runbindable recursively mark a whole subtree as unbindable
For more details, see mount(8).
To unmount drives use umount:
$ sudo umount /media/bitlocker
dislocker(1) - Linux man page
We can install it from Ubuntu repository:
$ sudo apt install dislocker
Let's explore its arguments:
# dislocker --help
dislocker by Romain Coltel, v0.7.1 (compiled for Linux/x86_64)
Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-c
Options:
-c, --clearkey decrypt volume using a clear key (default)
-f, --bekfile BEKFILE
decrypt volume using the bek file (on USB key)
-F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
-h, --help print this help and exit
-k, --fvek FVEK_FILE decrypt volume using the FVEK directly
-l, --logfile LOG_FILE
put messages into this file (stdout by default)
-O, --offset OFFSET BitLocker partition offset, in bytes (default is 0)
-p, --recovery-password=[RECOVERY_PASSWORD]
decrypt volume using the recovery password method
-q, --quiet do NOT display anything
-r, --readonly do not allow one to write on the BitLocker volume
-s, --stateok do not check the volume's state, assume it's ok to mount it
-u, --user-password=[USER_PASSWORD]
decrypt volume using the user password method
-v, --verbosity increase verbosity (CRITICAL errors are displayed by default)
-V, --volume VOLUME volume to get metadata and keys from
-- end of program options, beginning of FUSE's ones
ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.
Now we need to create two directories: one where we want dislocker to place a virtual NTFS partition which will be created as file named dislocker-file and its mount point:
root@bobox:~# mkdir /media/bitlocker
root@bobox:~# mkdir /media/mount
To find the device name of the external drive, you can execute the following command before and after connecting it to your computer and then compare the outputs:
root@bobox:~# fdisk -l
In my case the difference was:
Disk /dev/sdb: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xdeadbeef
Device Boot Start End Sectors Size Id Type
/dev/sdb1 2048 1953521663 1953519616 931.5G 7 HPFS/NTFS/exFAT
We can now decrypt the drive:
root@bobox:~# dislocker -v -V /dev/sdb1 -uPASSWORD -- /media/bitlocker
Use -r to make BitLocker drive read-only.
Now we need to mount BitLocker drive onto the mount directory:
root@bobox:~# mount -o loop,rw /media/bitlocker/dislocker-file /media/mount
To check all arguments for mount:
$ mount --help
Usage:
mount [-lhV]
mount -a [options]
mount [options] [--source] <source> | [--target] <directory>
mount [options] <source> <directory>
mount <operation> <mountpoint> [<target>]
Mount a filesystem.
Options:
-a, --all mount all filesystems mentioned in fstab
-c, --no-canonicalize don't canonicalise paths
-f, --fake dry run; skip the mount(2) syscall
-F, --fork fork off for each device (use with -a)
-T, --fstab <path> alternative file to /etc/fstab
-i, --internal-only don't call the mount.<type> helpers
-l, --show-labels show also filesystem labels
-n, --no-mtab don't write to /etc/mtab
-o, --options <list> comma-separated list of mount options
-O, --test-opts <list> limit the set of filesystems (use with -a)
-r, --read-only mount the filesystem read-only (same as -o ro)
-t, --types <list> limit the set of filesystem types
--source <src> explicitly specifies source (path, label, uuid)
--target <target> explicitly specifies mountpoint
-v, --verbose say what is being done
-w, --rw, --read-write mount the filesystem read-write (default)
-h, --help display this help
-V, --version display version
Source:
-L, --label <label> synonym for LABEL=<label>
-U, --uuid <uuid> synonym for UUID=<uuid>
LABEL=<label> specifies device by filesystem label
UUID=<uuid> specifies device by filesystem UUID
PARTLABEL=<label> specifies device by partition label
PARTUUID=<uuid> specifies device by partition UUID
<device> specifies device by path
<directory> mountpoint for bind mounts (see --bind/rbind)
<file> regular file for loopdev setup
Operations:
-B, --bind mount a subtree somewhere else (same as -o bind)
-M, --move move a subtree to some other place
-R, --rbind mount a subtree and all submounts somewhere else
--make-shared mark a subtree as shared
--make-slave mark a subtree as slave
--make-private mark a subtree as private
--make-unbindable mark a subtree as unbindable
--make-rshared recursively mark a whole subtree as shared
--make-rslave recursively mark a whole subtree as slave
--make-rprivate recursively mark a whole subtree as private
--make-runbindable recursively mark a whole subtree as unbindable
For more details, see mount(8).
$ sudo umount /media/bitlocker
1 comment:
Pretty accessible guide, thanks !
Post a Comment