Tuesday, April 22, 2014

Using dislocker to mount BitLocker encrypted devices on Linux

dislocker is a free utility which can be used to mount BitLocker-encrypted volumes on Linux. Here is a quick guide on how to use it. I installed it on Kali Linux, but it can be installed on any other distribution as well.

To download the application, visit:
http://www.hsc.fr/ressources/outils/dislocker/download/
http://www.hsc.fr/ressources/outils/dislocker/download/dislocker.tar.gz

Once downloaded, extract the archive:

root@kali:~# tar -xvf dislocker.tar.gz 

We have two options for compiling: with or without FUSE. If we build with FUSE we can mount the volume and browse it; without FUSE, the only way to check the contents is to decrypt the full drive into a file, which is not that efficient. So let's go with FUSE here. Edit the Makefile and set __RUN_FUSE to 1 and __RUN_FILE to 0:

dislocker/src/Makefile

# Choose between one of them (done automatically by using `make fuse' or `make file')
__RUN_FUSE = 1


Then compile the app:

root@kali:~/dislocker/src# make
gcc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.3\" -D_FILE_OFFSET_BITS=64 -I/usr/include -I. -L/usr/lib64 -D__ARCH_X86_64 -D__RUN_FUSE -DFUSE_USE_VERSION=26 -c -o outputs/fuse/fuse.o outputs/fuse/fuse.c
In file included from ./dislocker.h:28:0,
                 from outputs/fuse/fuse.c:33:
./outputs/fuse/fuse.h:32:19: fatal error: fuse.h: No such file or directory
compilation terminated.
make: *** [outputs/fuse/fuse.o] Error 1

If you get the error above, the FUSE header files are missing. To install them, run:

apt-get install libfuse-dev

and then compile dislocker again; it should build fine now.

root@kali:~/dislocker/src# make
root@kali:~/dislocker/src# make install

Once it's installed, let's look at the help output:


For decryption you can use the recovery key (decryption key), the user-supplied password or the bekfile.

I created a VHD test image for this, here are the details:

root@kali:~# fdisk -l

Disk /dev/sdb: 104 MB, 104857600 bytes
255 heads, 63 sectors/track, 12 cylinders, total 204800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x6fa418dc

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1             128      198783       99328    7  HPFS/NTFS/exFAT

I will need to decrypt /dev/sdb1. First I will try it using the decryption key. The steps are to open (decrypt) the volume with dislocker, which uses FUSE, and then mount the result. When dislocker first reads in the volume we get a single file, called "dislocker-file", which can be mounted afterwards. There is a single file on my test drive.

root@kali:~# dislocker -v -V /dev/sdb1 -p275374-090651-082764-392205-130460-581966-062942-402083 -- /mnt/tmp
root@kali:~# ls /mnt/tmp/
dislocker-file
root@kali:~# mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis
root@kali:~# ls /mnt/dis/
my super secret file.txt.txt  $RECYCLE.BIN  System Volume Information
root@kali:~# cat /mnt/dis/my\ super\ secret\ file.txt.txt 
You got it!


The process is very similar when using the actual user password, which is "password" in this case.

root@kali:~# dislocker -v -V /dev/sdb1 -upassword -- /mnt/tmp2
root@kali:~# mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis2
root@kali:~# ls /mnt/dis2/
my super secret file.txt.txt  $RECYCLE.BIN  System Volume Information
root@kali:~# cat /mnt/dis2/my\ super\ secret\ file.txt.txt 
You got it!
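As an added example (it is not part of the original post and not dislocker's own code), here is a small POSIX sh script that wraps the two steps above and adds a format check for the recovery password before the device is touched. A BitLocker recovery password is 48 digits in 8 groups of 6; each group is a 16-bit value multiplied by 11, so a group is valid only if it is divisible by 11 and smaller than 65536 * 11 = 720896. A mistyped digit almost always breaks one of these rules, which separates a typo from a key that simply does not belong to the volume (dislocker reports both as a missing VMK). The function names, the check/mount/umount sub-commands and the /mnt/tmp and /mnt/dis directories are assumptions of this example; the dislocker and mount invocations are the ones used in the post, with a bare -p so that dislocker prompts for the key instead of taking it from the command line, and the "--" separating dislocker's options from the mount point as in the post's commands.

```shell
#!/bin/sh
# Added example, not from the original post and not dislocker's own code.
# Wraps the two-step procedure (dislocker FUSE mount, then loop mount) and
# checks the recovery password format first. Function names and the
# check/mount/umount sub-commands are assumptions made for this example.

# check_recovery_password KEY
# KEY is NNNNNN-NNNNNN-... (8 groups of 6 digits). Each group is a 16-bit
# value multiplied by 11, so it must be divisible by 11 and below 720896.
check_recovery_password() {
    key=$1
    old_ifs=$IFS
    IFS='-'
    # Split the key on "-" into this function's positional parameters.
    set -- $key
    IFS=$old_ifs
    if [ "$#" -ne 8 ]; then
        echo "expected 8 groups separated by '-', got $#" >&2
        return 1
    fi
    i=1
    for group in "$@"; do
        case "$group" in
            [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "group $i ('$group') is not exactly 6 digits" >&2; return 1 ;;
        esac
        # Strip leading zeros so the shell does not read "090651" as octal.
        n=$group
        while [ "$n" != "${n#0}" ]; do n=${n#0}; done
        n=${n:-0}
        if [ $((n % 11)) -ne 0 ] || [ "$n" -ge 720896 ]; then
            echo "group $i ('$group') fails the recovery password checksum" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# mount_bitlocker DEVICE FUSE_DIR MOUNT_DIR
# Step 1: dislocker decrypts DEVICE on the fly and exposes it as the single
#         file FUSE_DIR/dislocker-file. A bare -p makes it prompt for the
#         recovery password (use -u to be prompted for the user password).
# Step 2: that file is loop-mounted read-only on MOUNT_DIR.
# Both directories are created first; a missing mount point is the most
# common failure reported in the comments.
mount_bitlocker() {
    dev=$1; fuse_dir=$2; mnt_dir=$3
    mkdir -p "$fuse_dir" "$mnt_dir" || return 1
    dislocker -v -V "$dev" -p -- "$fuse_dir" || return 1
    if [ ! -f "$fuse_dir/dislocker-file" ]; then
        echo "no dislocker-file in $fuse_dir: wrong key, wrong device or unsupported volume" >&2
        fusermount -u "$fuse_dir" 2>/dev/null
        return 1
    fi
    mount -o loop,ro "$fuse_dir/dislocker-file" "$mnt_dir"
}

# umount_bitlocker FUSE_DIR MOUNT_DIR: release the mounts in reverse order,
# the loop mount first and the FUSE mount after it.
umount_bitlocker() {
    fuse_dir=$1; mnt_dir=$2
    umount "$mnt_dir" || return 1
    fusermount -u "$fuse_dir"
}

# Sub-commands; with no arguments the script only defines the functions.
case "${1:-}" in
    check)  check_recovery_password "$2" && echo "recovery password format OK" ;;
    mount)  mount_bitlocker "$2" "$3" "$4" ;;
    umount) umount_bitlocker "$2" "$3" ;;
    *) ;;
esac
```

Usage, as root: `sh bl-mount.sh check 275374-090651-082764-392205-130460-581966-062942-402083` validates a key (the post's test key passes all eight group checks), `sh bl-mount.sh mount /dev/sdb1 /mnt/tmp /mnt/dis` brings the volume up and prompts for the recovery password, and `sh bl-mount.sh umount /mnt/tmp /mnt/dis` tears it down; the loop mount has to be released before the FUSE mount, otherwise fusermount reports the directory as busy.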


40 comments:

Mike said...

Thank you for your clear description of this process - it may have helped me this morning.

The operation seemed to have been successful. There were no errors, and the new drive appears in the folder tree. However, when I navigate to it, I get the error "The specified directory /xx/xxx is not valid". I can hear the computer humming away, so I assume it's still decrypting. Does this seem reasonable? Any idea how long this might take for a 300GB drive?

Csaba Fitzl said...

Mike,

I always used dislocker with fuse, in which case it won't decrypt the drive ahead, it should work right away. Have you created the directories, where you mounted them? In my example I had to create these folders, before mounting to them: /mnt/tmp/ and /mnt/dis/

Mike said...

Hmm - my attempt was also with fuse. I did create the folders in advance. Perhaps it's related to the fact that I'm using a live USB, rather than a real linux install. I didn't use /mnt/*, but tried mounting within /home/desktop/*

Mike said...

YAY! It did work as described. I had just neglected to enter the final mnt command (i.e. mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis)

Thanks so much!

Csaba Fitzl said...

Welcome! Glad that it worked :)

Tom said...

I am testing this app, but without success. I installed dislocker fuse on Kali Linux 1.07 running on USB Live. I installed libfuse-dev and ran "make fuse" and "make install". Everything seems to be ok as the instructions state. I know the user password and "fdisk -l" shows sda1, so I try

"dislocker -v -V /dev/sda1 -u"my_password" -- /mnt/tmp2".

The response is:
"[ERROR] Error, cant find a valid and matching VMK datum. Abort.
[CRITICAL] None of the provided decryption mean is decrypting the keys. Abort"

I tried both with and without "-- /mnt/tmp2", no difference. If I do not specify the password parameter "-upassword", it of course asks for the password, but the response is the same.

Any ideas?

Csaba Fitzl said...

Tom,

Is the password correct? Isn't the disk corrupted? Can you try my test image and see if that gives the same error?

Anonymous said...

I can't mount the dislocker-file. I must specify the filesystem type but when I use ntfs it shows me following:

ubuntu@ubuntu:~/Desktop/dislocker/src$ sudo mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis -t ntfs
Failed to read last sector (3886049279): Invalid argument
HINTS: Either the volume is a RAID/LDM but it wasn't setup yet,
or it was not setup correctly (e.g. by not using mdadm --build ...),
or a wrong device is tried to be mounted,
or the partition table is corrupt (partition is smaller than NTFS),
or the NTFS boot sector is corrupt (NTFS size is not valid).
Failed to mount '/dev/loop1': Invalid argument
The device '/dev/loop1' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?

Can somebody help me please? Thanks

Michael said...

When using that mount point it throws the error:

dislocker -v -V /dev/sdd1 -upassword /mnt/tmp2
fuse: bad mount point `/mnt/tmp2': No such file or directory

I solved it by creating the mount point at /root/tmp2/

Also, does it support mounting as read/write? Would be awesome.

Unknown said...

Michael,

You can mount read/write, although this doesn't work with Windows 8.

When you mount a Win 8 drive it will silently mount as ro (even though mount shows as rw).

The source code says that Windows 8 isn't supported yet.

Aftersox said...

Thanks for the post. I was able to mount a drive that was sent to me on Ubuntu 14.04 server. Here is a brief synopsis of what I did.

After installation:

sudo su
cd /media
mkdir dis1
mkdir dis2
dislocker -v -V /dev/sdf1 -upassword /media/dis1
mount -o loop,ro /media/dis1/dislocker-file /media/dis2
cd /media/dis2
ls

Unknown said...

It won't compile even after using
apt-get install libfuse-dev

Here's what I get:

ubuntu@ubuntu:~/dislocker/src$ sudo make
make[1]: Entering directory `/home/ubuntu/dislocker/src/polarssl'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/polarssl'
make[1]: Entering directory `/home/ubuntu/dislocker/src/accesses'
make[2]: Entering directory `/home/ubuntu/dislocker/src/accesses/bek'
make[2]: Leaving directory `/home/ubuntu/dislocker/src/accesses/bek'
make[2]: Entering directory `/home/ubuntu/dislocker/src/accesses/rp'
make[2]: Leaving directory `/home/ubuntu/dislocker/src/accesses/rp'
make[2]: Entering directory `/home/ubuntu/dislocker/src/accesses/user_pass'
make[2]: Leaving directory `/home/ubuntu/dislocker/src/accesses/user_pass'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/accesses'
make[1]: Entering directory `/home/ubuntu/dislocker/src/metadata'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/metadata'
make[1]: Entering directory `/home/ubuntu/dislocker/src/ntfs'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/ntfs'
make[1]: Entering directory `/home/ubuntu/dislocker/src/encryption'
make[1]: Leaving directory `/home/ubuntu/dislocker/src/encryption'
gcc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.3\" -D_FILE_OFFSET_BITS=64 -I/usr/include -I. -L/usr/lib64 -D__ARCH_X86_64 -D__RUN_FUSE -DFUSE_USE_VERSION=26 -o dislocker dislocker.o common.o sectors.o config.o xstd/xstdio.o xstd/xstdlib.o outputs/fuse/fuse.o metadata/datums.o metadata/metadata.o metadata/vmk.o metadata/fvek.o metadata/extended_info.o accesses/rp/recovery_password.o accesses/bek/read_bekfile.o accesses/user_pass/user_pass.o accesses/stretch_key.o encryption/decrypt.o encryption/encrypt.o encryption/diffuser.o encryption/crc32.o ntfs/guid.o ntfs/clock.o ntfs/encoding.o polarssl/aes.o polarssl/sha2.o -lpthread -lfuse
dislocker.o: In function `main':
dislocker.c:(.text+0x87e): undefined reference to `file_main'
collect2: error: ld returned 1 exit status
make: *** [dislocker] Error 1

Anonymous said...

Hi, Great page, but would you mind updating this with some changes?

1. polarssl-dev not included in Trusty universe so likely should be compiled and installed from polarssl. Pull from git and install.

2. Therefore Makefile should be edited, but I don't know where:
I discovered this won't work:
LIB = -lpthread -lpolarssl -L. -L/usr/local/lib -L/usr/local/include/polarssl/

FUSE-related variables are no longer included, so I cannot enable FUSE like _RUN

Anonymous said...

Hi,

This happened when I tried polarssl-dev.

root@ubuntu:/usr/lib# apt-get install polarssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package polarssl-dev

I have 14.04 LTS universe added into sources.lst && apt-get update.

No idea.

Anonymous said...

Something has changed since the creation of the makefile. The process does not currently work, but when manually installing libfuse-dev and libpolarssl-dev the rest of the process works as normal.

Process that worked for us was:

Extract the files to the desktop
cd to the src directory in the dislocker extracted folder on the desktop
Enable universe (community maintained open-source software)
In terminal perform the following commands
apt-get install libfuse-dev
apt-get install libpolarssl-dev
make
make install
mkdir /mnt/tmp
dislocker -v -V /dev/sda2 -p -- /mnt/tmp
Enter the recovery password for the computer (access this via Active Directory on another computer)

Anonymous said...

Hi, and thanks for your description.
I can't write folders and files (read only).
(Muralex, using Linux Manjaro)

Unknown said...

Looks promising, but.. I am getting this error and Google reveals nothing!

[CRITICAL] The signature of the volume (MSWIN4.1) doesn't match the BitLocker's one (-FVE-FS-). Abort.

Any ideas?
Peter

Brandon said...

Hello,

I am getting the exact same error as Tom. The compile and make and all that went smoothly but I still get that error that Tom also had. The password is correct too.

Anonymous said...

I am also getting the same error as Tom.

James Dixon said...

Dushyant, try installing polarssl-dev and see if it compiles. I had a similar problem, and that fixed it for me.

Dopefish said...

Hey guys...

I'm new to Linux and just worked out a way to update Kali Linux and install dislocker. I'll leave it here, in case it can help someone else...


Using Kali Linux 1.0.9a i386 bootable DVD

Edit "/etc/apt/sources.list" and add "deb http://us.archive.ubuntu.com/ubuntu trusty main universe"

Install programs using Terminal
"apt-get update"
"apt-get install git libfuse-dev libpolarssl-dev" Continue through update text, allow services to restart if needed
"git clone git://github.com/Aorimn/dislocker.git"
"cd /dislocker/src"
"make"
"make install"

Find the drive's BitLocker volume
"fdisk -l"

Make folders in /MNT
"TMP"
"DIS"

Run dislocker
"dislocker -v -V /dev/ -p -- /mnt/tmp"

Check if file exists to confirm proper Bitlocker key
"ls /mnt/tmp"
Should return "dislocker-file" if correct

Mount volume
"mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis"

Browse to "/mnt/dis" for access to files

Csaba Fitzl said...

The error:
[CRITICAL] The signature of the volume (MSWIN4.1) doesn't match the BitLocker's one (-FVE-FS-). Abort.

Is most likely because dislocker doesn't support FAT file system.

See here:
https://github.com/Aorimn/dislocker/issues/3

Shargon said...

How to do a bruteforce with this tool?

Mayuresh Srivastava said...

Hi All

I am getting the below error while using make and make install:

[root@mayuresh src]# make
cc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.4.1\" -D_FILE_OFFSET_BITS=64 -DAUTHOR="\"Romain Coltel\"" -D__OS=\"Linux\" -D__ARCH=\"i686\" -D__ARCH_I686 -D__LINUX -I. -I/usr/local/include -fstack-protector -fPIC -D_FORTIFY_SOURCE=2 -O1 -c -o accesses/stretch_key.o accesses/stretch_key.c
accesses/stretch_key.c: In function ‘stretch_key’:
accesses/stretch_key.c:137:3: error: conversion to ‘int’ from ‘size_t’ may change the sign of the result [-Werror=sign-conversion]
cc1: all warnings being treated as errors
make: *** [accesses/stretch_key.o] Error 1

[root@mayuresh src]# make install
cc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.4.1\" -D_FILE_OFFSET_BITS=64 -DAUTHOR="\"Romain Coltel\"" -D__OS=\"Linux\" -D__ARCH=\"i686\" -D__ARCH_I686 -D__LINUX -I. -I/usr/local/include -fstack-protector -fPIC -D_FORTIFY_SOURCE=2 -O1 -c -o accesses/stretch_key.o accesses/stretch_key.c
accesses/stretch_key.c: In function ‘stretch_key’:
accesses/stretch_key.c:137:3: error: conversion to ‘int’ from ‘size_t’ may change the sign of the result [-Werror=sign-conversion]
cc1: all warnings being treated as errors
make: *** [accesses/stretch_key.o] Error 1

[root@mayuresh src]# date
Mon Jul 6 22:58:32 IST 2015
[root@mayuresh src]# pwd

/home/mayur/Downloads/dislocker/src
[root@mayuresh src]#

Can anyone help me?

emre said...

Is it supposed to be read only? I can't write.

gigasea said...

@e m r e

Yes, it's supposed to be read only.

Thanks for the tutorial, it helped me migrate all my BitLocker data to Linux; saves me from installing a VM :D

aloudw said...

Hello, Sir..
Thank you for the tutorial. I can now open my BitLocker drive.
I am using Ubuntu 15.04, and while installing I encountered errors; I just installed libpolarssl-dev and libfuse-dev and everything works just fine.

But about the step where I mount the drive, would you explain what the "loop" mount option is? I've tried using and not using this option and both work. Does it matter while mounting an encrypted device?
Thanks again..

Anonymous said...

Please can you explain your steps one by one, as I keep getting issues with Ubuntu 15

Unknown said...

Hey, I am having issues trying to run the make command; I get this error: permission denied

Anonymous said...

Hi,

I've done the decryption using:
sudo dislocker -r -V /dev/sdb2 -pxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -- /media/bitlocker

But, I never got the dislocker-file in /media/bitlocker

Please help with this it is critical!!


Unknown said...

Kayot

I'm trying to mount a GPT partition. I use the following command;

dislocker -v -V /dev/sdb1 -u -- /media/bit/

I get the error;

[ERROR] The sector size found is null.
[CRITICAL] Cannot parse volume header. Abort.

Does dislocker not work with GPT disks?

Andrei1 said...

Hi, I'm new to Linux, but when I try to enter "dislocker/src/Makefile" I get an error: "No such file or directory"
What should I do?

Andrei1 said...

Hi, I'm new to Linux, but when I try to enter "dislocker/src/Makefile" I get an error: "No such file or directory"
What should I do?
Thanks in advance!

Anonymous said...

Is it possible to shrink the drive using gParted or so? Just to free up space for another (unencrypted) partition.

Anonymous said...

Hi: Thanks for the article. Does it have to be read-only at both the dislocker and mount commands? Thanks in advance. SRoy

paulstelian97 said...

I have tried read-write and it works just fine. Of course, with the caveats of using NTFS on Linux. Any forced unmounts may (consider it will) corrupt the file system and it's possible Windows' chkdsk will be unable to fix that.

Right now I'm working with read write Bitlocker encrypted partitions with no issues. Of course, I have to use Dislocker for one reason: I actually have lost my Windows install and I'm not planning on installing Windows again soon.

StrangeAttractor said...

Thank you for the article; but I would like to add a few comments, especially for those running Arch Linux as myself.

To install, I had to grab the package from the AUR; just do a search for "dislocker". I chose the first one, not "dislocker-git". After cloning the source I simply compiled and installed with one command: "makepkg -si"

Once that completed I just wanted to double check the device info for my bitlocker encrypted USB flash drive, so with the USB drive attached I ran "sudo blkid" and noted the /dev/sdXY of the flash drive.

Before I could proceed I created 2 mount points: /mnt/dis and /mnt/prv and of course used sudo to execute the commands.

Then to decrypt the drive I ran the following command:
sudo dislocker -v -V /dev/sdd1 -u /mnt/dis

Running the command as it is above will prompt you for your account password first if you have not recently run sudo, and then prompt you for the passphrase used to encrypt the disk. This is especially useful if you do not wish to display your encryption passphrase on the screen.

Finally I ran:
sudo mount /mnt/dis/dislocker-file /mnt/prv

Mounting the drive this way gives me write access to the drive. I understand not wanting to have to write access if the bitlocker encrypted drive you are mounting is your Windows system drive, however this is a USB flash drive on which I store sensitive information which I would like to be able to edit regardless of what system I am using, as long as I am the one editing it. Even after decrypting the drive, the files themselves have another layer of security in that each individual file requires its own passphrase to open it.

I hope this helps anyone else with a slightly different use case. As I found this article helpful and it came up high in my search results, I figured I would leave these notes here rather than create my own post on using BitLocker in Linux. Good luck!

StrangeAttractor said...

I would like to correct an error in the command in my previous post...

I initially wrote that I executed:
sudo dislocker -v -V /dev/sdd1 -u /mnt/dis

That command above is incorrect!

However, I executed the command much like the one given by the author of this great article.

The actual command that I used to initially decrypt the bitlocker encrypted USB flash drive was:

sudo dislocker -v -V /dev/sdd1 -u -- /mnt/dis

Notice the double dashes between the -u and the /mnt/dis. The reason I like doing it this way, instead of the way presented in the article, as I stated in my previous comment, is that it prevents my passphrase from being displayed on the monitor.

Also, on the final command to mount the dislocker-file to another mount point for actual access, I have sometimes passed the "mount -o loop,ro" rather than just a simple "mount" command depending on my needs, desires, and laziness at the time.

PS - thanks again to the authors of this blog, it has proven quite useful.

Sai said...

Hi, I get the following error.

ntfs_mst_post_read_fixup_warn: magic: 0x22a68b6d size: 1024 usa_ofs: 1783 usa_count: 62137: Invalid argument
ntfs_mst_post_read_fixup_warn: magic: 0xf7526584 size: 1024 usa_ofs: 46833 usa_count: 64610: Invalid argument
ntfs_mst_post_read_fixup_warn: magic: 0xbb74b04c size: 1024 usa_ofs: 56832 usa_count: 56728: Invalid argument
ntfs_mst_post_read_fixup_warn: magic: 0x9404613d size: 1024 usa_ofs: 58637 usa_count: 37365: Invalid argument
$MFTMirr error: Invalid mft record for '$MFT'.
Failed to mount '/dev/loop0': Input/output error
NTFS is either inconsistent, or there is a hardware fault, or it's a
SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows
then reboot into Windows twice. The usage of the /f parameter is very
important! If the device is a SoftRAID/FakeRAID then first activate
it and mount a different device under the /dev/mapper/ directory, (e.g.
/dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation
for more details.

Can anybody help?