
How to decrypt bitlocker partition with dislocker on GNU/Linux


On my brand new computer, I have a dual boot with Windows and Kali Linux. For security reasons, I used BitLocker to encrypt my Windows partition. Since it is encrypted, I needed a way to read this partition from Kali Linux, so I used the dislocker tool.

As we will see here, it's quite easy to use.

Install

The installation steps are written for Kali Linux, but they are easily adapted to other distributions.

  • Install dislocker:
$ sudo apt update && sudo apt install dislocker

Identify the Windows partition

Once installed, we need to identify our encrypted Windows partition. To do this, we will use the fdisk tool.

  • List partitions with fdisk:
$ sudo fdisk -l
Disk /dev/nvme0n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 980 1TB
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 16384 bytes / 131072 bytes
Disklabel type: gpt
Disk identifier: 5A1C0C90-61D9-1BBV-96C1-7ED8C4EI8BA5

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048     206847     204800   100M EFI System
/dev/nvme0n1p2     206848     239615      32768    16M Microsoft reserved
/dev/nvme0n1p3     239616 1022901873 1022662258 487,6G Microsoft basic data
/dev/nvme0n1p4 1022902272 1024237567    1335296   652M Windows recovery environment
/dev/nvme0n1p5 1024239616 1025216511     976896   477M Linux filesystem
/dev/nvme0n1p6 1025216512 1953523711  928307200 442,7G Linux filesystem

The Microsoft basic data partition of 487,6G (/dev/nvme0n1p3): I think it's a pretty good candidate. 🙂

Decrypt and Mount the partition

Depending on your hardware, we will decrypt the partition either with the PIN code or with the recovery password. If, like me, you have TPM-compatible hardware, the recovery password is necessary: the key protector is sealed inside the TPM, which dislocker cannot use, so only the recovery password can unlock the volume from Linux.

  • In fact, if the TPM is enabled, you will get the following message if you try to decrypt with the PIN code:
[CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
[CRITICAL] Unable to grab VMK or FVEK. Abort.

Preparation

  • Create two mount points for dislocker (replace user:user with your own user and group):
$ sudo mkdir /media/bitlocker && sudo chown user:user /media/bitlocker
$ sudo mkdir /media/bitlockerloop && sudo chown user:user /media/bitlockerloop

Decrypt

  • Decrypt with the recovery key (if TPM is enabled):
$ sudo dislocker -V /dev/nvme0n1p3 -p181938-009977-030118-024662-878971-217634-366661-422744 -- /media/bitlocker
Note that a recovery password typed on the command line ends up in your shell history and is visible in the process list while dislocker runs; if you pass -p with no value, dislocker prompts for it instead.
  • Decrypt with the PIN code (if TPM is disabled):
$ sudo dislocker -V /dev/nvme0n1p3 -u123456 -- /media/bitlocker

Mount the decrypted partition

  • Mount the decrypted device:
$ sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockerloop
  • Check you have access to the Windows partition:
$ ls -l /media/bitlockerloop
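The steps above (identify the partition, create the mount points, run dislocker, loop-mount the result) can be gathered into one script. The following is an added example written for this page, not code from the original post or from the dislocker project. It goes a little beyond the post: instead of picking the partition by its size in the fdisk listing, it checks each partition for the "-FVE-FS-" OEM identifier that BitLocker writes at byte offset 3 of the volume, so it also works on a disk with several Microsoft basic data partitions. It assumes dislocker is installed and run as root, that its -r (read-only) option is available, and that a bare -p makes dislocker prompt for the recovery password; the mount point names follow the post.

```sh
#!/bin/sh
# Added example, not part of the original post: locate the BitLocker-encrypted
# partition by its on-disk signature rather than by guessing from its size, then
# decrypt it read-only with dislocker and loop-mount the result.
# Assumptions: dislocker is installed, its -r (read-only) option and the
# interactive prompt given by a bare -p are available, and you run it as root.
# The mount point names /media/bitlocker and /media/bitlockerloop follow the post.

# A BitLocker volume stores the OEM ID "-FVE-FS-" at byte offset 3 of its first
# sector. Succeeds (exit 0) when the block device or image file given has it.
is_bitlocker_volume() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null) || return 1
    [ "$sig" = "-FVE-FS-" ]
}

# Print every partition of the given disk (e.g. /dev/nvme0n1 -> /dev/nvme0n1p3)
# that carries the BitLocker signature. Also accepts a prefix of plain image
# files, which is what the offline self-test uses.
find_bitlocker_partitions() {
    disk=$1
    for part in "$disk"*; do
        [ "$part" = "$disk" ] && continue          # skip the whole-disk node
        [ -b "$part" ] || [ -f "$part" ] || continue
        if is_bitlocker_volume "$part"; then
            printf '%s\n' "$part"
        fi
    done
    return 0
}

# Decrypt with dislocker and mount the plaintext image read-only.
# $1 partition, $2 dislocker mount point, $3 final mount point; any remaining
# arguments select the key protector (-p to be prompted for the recovery
# password, -uPIN for a user password on a machine without TPM). Defaults to -p.
mount_bitlocker() {
    part=$1; dl=$2; mnt=$3
    shift 3
    [ $# -gt 0 ] || set -- -p
    mkdir -p "$dl" "$mnt"
    # -r: never write to the encrypted volume. With a bare -p the recovery
    # password is typed at a prompt and never appears in shell history or ps.
    dislocker -r -V "$part" "$@" -- "$dl" || return 1
    mount -o ro,loop "$dl/dislocker-file" "$mnt"
}

# Tear down in reverse order: the loop mount first, then the dislocker (FUSE) mount.
umount_bitlocker() {
    umount "$2" && umount "$1"
}

# Command-line front end; with no arguments only the functions are defined.
#   ./bl.sh scan /dev/nvme0n1
#   ./bl.sh mount /dev/nvme0n1p3 /media/bitlocker /media/bitlockerloop
#   ./bl.sh umount /media/bitlocker /media/bitlockerloop
case "${1:-}" in
    scan)   find_bitlocker_partitions "$2" ;;
    mount)  shift; mount_bitlocker "$@" ;;
    umount) umount_bitlocker "$2" "$3" ;;
esac
```

Mounting read-only on both layers is deliberate: a forensic or dual-boot read of the Windows volume rarely needs writes, and a read-only mount protects the NTFS file system from being modified while Windows still has it in a hibernated or fast-startup state.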
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
