1

I have a Windows 10 system which has its C:\ drive protected using BitLocker. Recently, during a Windows upgrade, the upgrade failed, and now whenever I attempt to boot into the laptop I get into a recovery reboot loop. I can reimage the laptop, but I need to recover some files from it first.

I have a live Ubuntu 20.4 flash drive with both dislocker and libbde installed on it. I compiled dislocker from the git repository as of today, and I compiled libbde from the 20200724 release.

When I run dislocker as:

    root# dislocker -l dis.log -v -V /dev/nvme0n1p3 -p -- /mnt/dis

then put in the recovery key, I get a message saying the MACs do not match and dislocker aborts.

When I try bdeinfo /dev/nvme0n1p3

bdeinfo says it cannot open the source volume because of unsupported FVE metadata entry version.

Is there anything else I can do to decrypt the volume and recover my files?

2 Answers

4

The usual way to use BitLocker on Linux after dislocker is installed is as follows.

  1. Create two folders:

     sudo mkdir -p /media/bitlocker
     sudo mkdir -p /media/bitlockermount
    
  2. Identify the partition that's encrypted using BitLocker using fdisk or lsblk, but it's easier using GParted which clearly indicates "bitlocker".

  3. Decrypt and mount the BitLocker-encrypted filesystem:

     sudo dislocker <partition> -u<password> -- /media/bitlocker
     sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
    

    For NTFS the second command is:

     sudo mount -t ntfs-3g -o loop /media/bitlocker/dislocker-file /media/bitlockermount
    

    For exFAT (requires the exfat-fuse package):

     sudo mount -t exfat-fuse -o loop /media/bitlocker/dislocker-file /media/bitlockermount
    
  4. To auto-mount the BitLocker partition add the following in /etc/fstab:

     <partition> /media/bitlocker fuse.dislocker user-password=<password>,nofail 0 0
     /media/bitlocker/dislocker-file /media/bitlockermount auto nofail 0 0
    

For more information, see the article How To Mount BitLocker-Encrypted Windows Partitions On Linux.

1

Not sure if this will solve your issue, but: there are multiple copies of the BitLocker metadata spread across the volume (one at the start, the others - usually two more - spaced roughly evenly). You can use a hex editor to view these regions, and in particular to tell where the other two are. The headers of dislocker describe the data format, although imperfectly (some unknown fields).

You can then try editing the fields (after making backups!!!) if any of the values look out of line, or especially if there are differences between the locations. Using dd might be the easiest way to overwrite one section with the content of another, though be aware that its syntax and usage are a bit archaic (and back up the overwritten sections!!).

You can also run dislocker under a debugger, which will allow you to examine exactly where the error occurs. It's been a few years since I looked at the dislocker source but it was pretty readable back then, so it shouldn't be too hard to follow. Bear in mind that this probably won't solve the issue directly, just tell you where the problem is so you don't have to do it by looking at a hex dump and manually cross-referencing the data structures. It's possible you could tell dislocker to ignore a corrupted metadata section or similar, though, without needing to hand-edit anything.
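A read-only way to do the comparison described in the answer above without a hex editor, as an added example that is not part of the original answer or of dislocker. It assumes each metadata copy starts on a 512-byte sector boundary with the `-FVE-FS-` signature and that a 16-bit size and 16-bit version follow it (layout as described in libbde's format notes); all function names are hypothetical and the sample image is constructed.

```python
import io
import struct

SIGNATURE = b"-FVE-FS-"  # marks the start of each FVE metadata block
SECTOR = 512             # assumption: blocks start on sector boundaries
HEADER_LEN = 64          # assumption: block header length per libbde's format notes

def find_fve_blocks(img, chunk_sectors=2048):
    """Return sector-aligned offsets whose first 8 bytes are the signature (read-only)."""
    hits, base = [], 0
    img.seek(0)
    while True:
        buf = img.read(chunk_sectors * SECTOR)
        if not buf:
            return hits
        for off in range(0, len(buf), SECTOR):
            if buf[off:off + 8] == SIGNATURE:
                hits.append(base + off)
        base += len(buf)

def read_header(img, offset):
    img.seek(offset)
    raw = img.read(HEADER_LEN)
    # Assumed layout: 8-byte signature, then uint16 size and uint16 version, little-endian.
    size, version = struct.unpack_from("<HH", raw, 8)
    return {"offset": offset, "size": size, "version": version, "raw": raw}

def diff_headers(headers):
    """Map each byte position that differs between copies to the values seen there."""
    cols = {pos: [h["raw"][pos] for h in headers] for pos in range(HEADER_LEN)}
    return {pos: vals for pos, vals in cols.items() if len(set(vals)) > 1}

def make_sample_image():
    """Constructed 64-sector image: three identical headers, one byte damaged in the third."""
    header = SIGNATURE + struct.pack("<HH", 0x0300, 2) + bytes(range(52))
    img = bytearray(64 * SECTOR)
    img[3:11] = SIGNATURE  # boot-sector OEM ID; unaligned, so not reported as a block
    for sector in (8, 28, 48):
        img[sector * SECTOR:sector * SECTOR + HEADER_LEN] = header
    img[48 * SECTOR + 10] ^= 0xFF  # simulate corruption of the version field
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    img = make_sample_image()  # real use: a dd image of the volume opened with open(path, "rb")
    headers = [read_header(img, off) for off in find_fve_blocks(img)]
    print([(hex(h["offset"]), h["version"]) for h in headers], diff_headers(headers))
```

Run it against an image copy of the partition rather than the device itself, so the original stays untouched while you decide which copy, if any, looks damaged.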
