Friday, 5 April 2019

How to open BitLocker drive on Ubuntu 18.04

If we have an external SSD encrypted with BitLocker and want to mount it and access it on Ubuntu we can use dislocker package.

dislocker(1) - Linux man page

We can install it from Ubuntu repository:

$ sudo apt install dislocker

Let's explore its arguments:

# dislocker --help
dislocker by Romain Coltel, v0.7.1 (compiled for Linux/x86_64)

Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]



    -c, --clearkey        decrypt volume using a clear key (default)
    -f, --bekfile BEKFILE
                          decrypt volume using the bek file (on USB key)
    -F, --force-block=[N] force use of metadata block number N (1, 2 or 3)
    -h, --help            print this help and exit
    -k, --fvek FVEK_FILE  decrypt volume using the FVEK directly
    -l, --logfile LOG_FILE
                          put messages into this file (stdout by default)
    -O, --offset OFFSET   BitLocker partition offset, in bytes (default is 0)
    -p, --recovery-password=[RECOVERY_PASSWORD]
                          decrypt volume using the recovery password method
    -q, --quiet           do NOT display anything
    -r, --readonly        do not allow one to write on the BitLocker volume
    -s, --stateok         do not check the volume's state, assume it's ok to mount it

    -u, --user-password=[USER_PASSWORD]
                          decrypt volume using the user password method

    -v, --verbosity       increase verbosity (CRITICAL errors are displayed by default)

    -V, --volume VOLUME   volume to get metadata and keys from

    --                    end of program options, beginning of FUSE's ones

  ARGS are any arguments you want to pass to FUSE. You need to pass at least
the mount-point.

Now we need to create two directories: one where we want dislocker to place a virtual NTFS partition which will be created as file named dislocker-file and its mount point:

root@bobox:~# mkdir /media/bitlocker
root@bobox:~# mkdir /media/mount

To find the device name of the external drive, you can execute the following command (as root) before and after connecting it to your computer and then compare the outputs:

root@bobox:~# fdisk -l

In my case the difference was:

Disk /dev/sdb: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0xdeadbeef
Device     Boot Start        End    Sectors   Size Id Type
/dev/sdb1        2048 1953521663 1953519616 931.5G  7 HPFS/NTFS/exFAT

We can now decrypt the drive (note that we need root permissions):

root@bobox:~# dislocker -v -V /dev/sdb1 -uPASSWORD -- /media/bitlocker

Use -r to make BitLocker drive read-only.

Now we need to mount BitLocker drive onto the mount directory (note that we need root permissions here as well):

root@bobox:~# mount -o loop,rw /media/bitlocker/dislocker-file /media/mount

If we don't elevate to root, we'll get:

mount: only root can use "--options" option

If we haven't removed properly drive from Windows, we might get the following warning:

The disk contains an unclean file system (0, 0).
The file system wasn't safely closed on Windows. Fixing.

To check all arguments for mount:

$ mount --help


 mount [-lhV]
 mount -a [options]
 mount [options] [--source] <source> | [--target] <directory>
 mount [options] <source> <directory>
 mount <operation> <mountpoint> [<target>]

Mount a filesystem.


 -a, --all               mount all filesystems mentioned in fstab
 -c, --no-canonicalize   don't canonicalise paths
 -f, --fake              dry run; skip the mount(2) syscall
 -F, --fork              fork off for each device (use with -a)
 -T, --fstab <path>      alternative file to /etc/fstab
 -i, --internal-only     don't call the mount.<type> helpers
 -l, --show-labels       show also filesystem labels
 -n, --no-mtab           don't write to /etc/mtab
 -o, --options <list>    comma-separated list of mount options
 -O, --test-opts <list>  limit the set of filesystems (use with -a)
 -r, --read-only         mount the filesystem read-only (same as -o ro)
 -t, --types <list>      limit the set of filesystem types
     --source <src>      explicitly specifies source (path, label, uuid)
     --target <target>   explicitly specifies mountpoint
 -v, --verbose           say what is being done
 -w, --rw, --read-write  mount the filesystem read-write (default)

 -h, --help              display this help

 -V, --version           display version


 -L, --label <label>     synonym for LABEL=<label>
 -U, --uuid <uuid>       synonym for UUID=<uuid>
 LABEL=<label>           specifies device by filesystem label
 UUID=<uuid>             specifies device by filesystem UUID
 PARTLABEL=<label>       specifies device by partition label
 PARTUUID=<uuid>         specifies device by partition UUID
 <device>                specifies device by path
 <directory>             mountpoint for bind mounts (see --bind/rbind)
 <file>                  regular file for loopdev setup


 -B, --bind              mount a subtree somewhere else (same as -o bind)
 -M, --move              move a subtree to some other place
 -R, --rbind             mount a subtree and all submounts somewhere else
 --make-shared           mark a subtree as shared
 --make-slave            mark a subtree as slave
 --make-private          mark a subtree as private
 --make-unbindable       mark a subtree as unbindable
 --make-rshared          recursively mark a whole subtree as shared
 --make-rslave           recursively mark a whole subtree as slave
 --make-rprivate         recursively mark a whole subtree as private
 --make-runbindable      recursively mark a whole subtree as unbindable

For more details, see mount(8).

We can now browse files on encrypted disk mounted to local directory:

$ ls /media/mount/

To unmount drives use umount:

$ sudo umount /media/bitlocker



Jonathan said...

Simple procedure and easy to follow, worked great for me

Thanks man!

micheal pan said...

BE SMART AND BECOME RICH IN LESS THAN 3DAYS....It all depends on how fast 
you can be to get the new PROGRAMMED blank ATM card that is capable of
hacking into any ATM machine,anywhere in the world. I got to know about 
this BLANK ATM CARD when I was searching for job online about a month 
ago..It has really changed my life for good and now I can say I'm rich and 
I can never be poor again. The least money I get in a day with it is about 
$50,000.(fifty thousand USD) Every now and then I keeping pumping money 
into my account. Though is illegal,there is no risk of being caught 
,because it has been programmed in such a way that it is not traceable,it 
also has a technique that makes it impossible for the CCTVs to detect 
you..For details on how to get yours today, email the hackers on : ( ). Tell your 
loved once too, and start to live large. That's the simple testimony of how 
my life changed for good...Love you all ...the email address again is ;

Adam Corkett said...

Worked for me with Lubuntu 20.04 using the following:

sudo dislocker -v -V /dev/sdc1 -u -- /media/bitlocker

Where sdc1 was my bitlocked external hdd

DANIEL RAY said...


I was scammed of $573,000 worth of bitcoins with a scam forest investment unknowingly then, I didn’t know what to do.. I felt like committing suicide, but I fortunately for me I had a good start again after my friend introduced me to a cyber crime investigator ( Mr Morris Gray ) who helped me recovered all my stolen funds and profit that where held form me, by those bastard scammers, in just few days of working with him, if you feel scammed with fake forex company you don’t need to be worried, you can Text Him Via his Email: Morris Gray 830@ gmail . com or WhatsApp +1 (607) 698-0239. And he will recover your stolen coins back in your wallet account in full...he has all it takes and his a very straight forward person!!!
I recommend him too anyone out there, who has fall a victim of crypto scam before.