How to access a BitLocker-encrypted drive in Linux?

Question

I have a laptop running Windows 7 Ultimate. I have encrypted my drives using BitLocker. Now I have also installed Lubuntu along with Windows. But my encrypted drives are not visible in Linux. How can I fix this?

Answer 1

You can access the BitLocker partition under Linux using Dislocker, an open-source driver that is using FUSE (or not).

Note: You need the file on a USB key (the one with the .bek extension) or the recovery password.

Answer 2

Thanks to Aorimn, his solution worked for me. I'm fairly unexperienced with Unix, so it cost a few hours to figure it out. I thought I would describe the steps I took while my backup is running :)

My problem was that I could not boot Windows, and I needed a way to access my files on a Bitlocked partition. In order to do this, you need a bitlocker recovery password (8 groups of digits) and the ability to boot your system from USB.

1. Download and install LiLi on an other Windows machine (Linux Live USB Creator)
2. Start LiLi and have it download a lightweight ubuntu image. I chose Xubuntu.
3. Install the image to your USB stick.
4. Boot the problematic machine with the USB stick
5. When you see the ubuntu boot screen, press a key.
6. Under F6, set the following options: nomodeset, acpi=off, noacpi and nolacpi
7. Boot ubuntu.
8. Make a folder /media/windows and /media/mount.
9. Download and extract dislocker
10. sudo apt-get install libfuse-dev libmbedtls-dev
11. change directory to the dislocker/src folder
12. sudo make
13. sudo make install
14. change directory to /usr/bin
15. sudo fdisk -l
16. identify the partition which is bitlocked. Mine was /dev/sda1.
17. sudo dislocker -r -V /dev/sda1 -p315442-000000-000000-000000-000000-000000-000000-000000 -- /media/windows (replace your own bitlocker key and source partition)
18. change dir to /media/windows (use sudo -i if you can't access it)
19. mount -o loop dislocker-file /media/mount
20. You should now see your files in a mounted drive of the file manager.

Backups are fairly slow, but it might save some trouble if you do end up reinstalling windows. Good luck!

Answer 3

CryptSetup has added experimental support for BitLocker as of version 2.3.0 (February 2020), which is available in Ubuntu's repos for 20.10 Groovy onwards, although support will likely improve in later versions.

To open a BitLocker device with a password, use:

sudo cryptsetup open --type=bitlk <device> <name>

or:

sudo cryptsetup bitlkOpen <device> <name>

To open the device with a key file, use:

sudo cryptsetup open --type=bitlk --key-file=/etc/cryptsetup-keys.d/<name>.key <device> <name>

To open the device at boot time, add the following to /etc/crypttab:

<name> PARTUUID=<part_uuid> /etc/cryptsetup-keys.d/<name>.key bitlk

Note:

If a keyfile is not specified, systemd-cryptsetup(8) will automatically try to load it from /etc/cryptsetup-keys.d/name.key and /run/cryptsetup-keys.d/name.key (Source).

So you may replace the path to the key file with - or none.

Possible parameter values:

• device - /dev/sda1
• name - windows
• part_uuid - aaaaaaaa-1111-bbbb-2222-cccccccccccc (find PARTUUID with sudo blkid | grep BitLocker)

Now you can mount the device with the following command:

sudo mount /dev/mapper/windows /path/to/mount/point

Important note:

When setting up BitLocker on a device choose the option that encrypts the whole device (requires more time). The other option uses Encrypt-On-Write conversion model that makes sure that any new disk writes are encrypted as soon as you turn on BitLocker (data that existed on the device before encryption began can still be read and written without encryption) and is not supported by Cryptsetup.

You will get the following error when you try to open the device with Encrypt-On-Write conversion model:

BITLK devices with type 'encrypt-on-write' cannot be activated.

Cryptsetup Manual

Crypttab Manual

Cryptsetup 2.3.0 Release Notes

BitLocker configuration: known issues

Cryptsetup bitlk.c

Answer 4

I just worked out a way to update Kali Linux and install dislocker.

Using Kali Linux 1.0.9a i386 bootable DVD

Edit "/etc/apt/sources.list" and add:

deb http://us.archive.ubuntu.com/ubuntu trusty main universe

Install programs using Terminal:

apt-get update"
apt-get install git libfuse-dev libpolarssl-dev # Continue through update text, allow services to restart if needed
git clone git://github.com/Aorimn/dislocker.git
cd /dislocker/src
make
make install

Find drive Bitlocker volume:

fdisk -l

Make folders in /mnt: tmp, dis.

Run dislocker:

dislocker -v -V /dev/<volume name> -p<Bitlocker key> -- /mnt/tmp

Check if file exists to confirm proper Bitlocker key:

ls /mnt/tmp

Should return dislocker-file if correct.

Mount volume:

mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis

Browse to /mnt/dis for access to files.

Answer 5

I had a similar problem, and just want to share my experience and what I learned in case it helps someone else.

I had a Bitlocker encrypted drive from Windows 10 Pro, 20H2 that was using Encrypt-On-Write. I tried everything from all the useful answers here.

TLDR; as of April 2023, only real Bitlocker can decrypt a drive that uses Encrypt-On-Write.

For reference, my Linux system is Mint 20.3.

I tried dislocker, building it from the latest release tag, and it couldn't decrypt with the recovery key/password.

Then I tried Cryptsetup, building from the latest source as well, it didn't work either. Thanks @denis-savran for your note about Encrypt-On-Write, that got me going in the right direction.

I tried libbde-utils, but just from the Mint 20.3 distro package.

I tried @SrjCoder's suggestion of using a VM. But with VirtualBox on the Linux host, I was not able to see the encrypted drive in the guest Windows system. The unmounted block device that had the encrypted drive was not visible in the VM. I didn't try VMware, and I'm not a VirtualBox expert, so maybe I missed something there.

Finally I installed Windows 10 Pro on a separate machine, and connected the encrypted drive, Windows recognized it as a Bitlocker drive, and I was able to unlock it with the recovery key, and the valuable data was saved! The end.

If you're wondering why I didn't just boot the encrypted drive, it is in a bad state and cannot boot. It blue-screened trying to go back to a restore point. Luckily the data partition was still intact.

Answer 6

BitLocker is a proprietary, closed-source drive encryption system only supported by Windows. You'll have to remove BitLocker encryption if you want to access your Windows partitions from Linux.

See What is the difference between disabling BitLocker Drive Encryption and decrypting the volume? for instructions on doing so. It would be advisable to have a backup of your data completed first.

Once the drive is decrypted, you can use TrueCrypt instead; reading a System Encryption volume under Linux isn't supported by default, but someone has figured out a work-around. See How to use TrueCrypt®-encrypted Windows system drives on Linux.

At the very least, review the TrueCrypt documentation and more specifically, the list of supported OSes.

Yet another option is PGP Whole Disk Encryption. See PGP Whole Disk Encryption for Dual Boot Linux and Windows XP.

Answer 7

Please note that libpolarssl-dev can't be used, it has been supersede with libmbedtls-dev so use this instead:

sudo apt-get install libmbedtls-dev

Note: by the way, it was a success using live boot. I am able to read and write. Just follow above steps.

Answer 8

Besides the other answers, there is a package libbde-utils, providing the command bdemount.

Usage, like:

# bdemount -p Password /dev/sda1
# bdemount -r RecoveryPassword /dev/sda1

see the Ubuntu manual

Answer 9

If anyone here is not understanding this I have one LongCut Techinique.

1. Download Vmware (can also install VirtualBox which is free) and Windows 10/11 ISO (can also install Windows 7/8)
2. Then in VMware create a new Virtual Machine with the ISO.
3. After Windows installation please connect your drive to this VM via VM tab in there.
4. Tada! Enter your BitLocker password and access the files. This Windows can also be used for testing any other things on Windows.

Answer 10

I don't know since when nemo supports it, but I installed Ubuntu on a second SSD in my school laptop and could just see the BitLocker'd drive in the "Devices" part of nemo's sidebar as "253 GB encrypted drive". When I clicked it it asked for my BitLocker key and for how long to remember it (not at all, until logout, permanent). When I entered the key it was successfully mounted as "Windows" with the path /media/<username>/Windows.