rss logo

How to Decrypt and Mount a BitLocker Partition on GNU/Linux Using Dislocker

Linux logo with bitlocker

On my brand new computer, I have a dual boot with Windows and Kali Linux. For security reasons, I used bitlocker to encrypt my Windows partition. Since it's encrypted, I needed a way to read this partition from my Kali Linux, so I used dislocker tool.

As we will see here, it's pretty easy to use.

Installation

Installation is oriented towards Kali Linux, but can easily be performed on other distributions.

  • Install dislocker:
$ sudo apt update && sudo apt install dislocker

Identify the Windows partition

Once installation is complete, we need to identify our encrypted Windows partition. To do this, we'll use the fdisk tool.

  • List partitions with fdisk:
$ sudo fdisk -l
Disk /dev/nvme0n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 980 1TB
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 16384 bytes / 131072 bytes
Disklabel type: gpt
Disk identifier: 5A1C0C90-61D9-1BBV-96C1-7ED8C4EI8BA5

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048     206847     204800   100M EFI System
/dev/nvme0n1p2     206848     239615      32768    16M Microsoft reserved
/dev/nvme0n1p3     239616 1022901873 1022662258 487,6G Microsoft basic data
/dev/nvme0n1p4 1022902272 1024237567    1335296   652M Windows recovery environment
/dev/nvme0n1p5 1024239616 1025216511     976896   477M Linux filesystem
/dev/nvme0n1p6 1025216512 1953523711  928307200 442,7G Linux filesystem

Microsoft basic data with a size of 487,6G, I think we have a good candidate. 🙂

Decrypt and Mount the partition

Depending on your hardware, we'll either decrypt the partition with a pin code or with the recovery password. If (like me) you have TPM-compatible hardware, you'll need the recovery password.

  • In fact, if TPM is enabled, you'll get the following message if you try to decrypt with the PIN code only:
[CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
[CRITICAL] Unable to grab VMK or FVEK. Abort.

Preparation

  • Create two mounting points for the dislocker:
$ sudo mkdir /media/bitlocker && sudo chown user:user /media/bitlocker
$ sudo mkdir /media/bitlockerloop && sudo chown user:user /media/bitlockerloop

Decrypt

  • Decrypt with the recovery key (if TPM is enabled):
$ sudo dislocker -V /dev/nvme0n1p3 -p181938-009977-030118-024662-878971-217634-366661-422744 -- /media/bitlocker
  • Decrypt with PIN code (if TPM is disabled):
$ sudo dislocker -V /dev/nvme0n1p3 -u123456 -- /media/bitlocker

Mount the decrypted partition

  • Mount the decrypted device:
$ sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockerloop
  • Check that you have access to the Windows partition:
$ ls -l /media/bitlockerloop

Disable fast startup

To avoid data corruption, when mounting the encrypted partition, and to avoid triggering bitlocker's recovery mode (the phase where you have to enter the recovery key), I recommend disabling the quick start feature in Windows. You can see details on this veracrypt page: https://veracrypt.eu/en/.

  • To do this, you can enter this PowerShell command from an administrator console:
PS > Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power\" -Name "HiberbootEnabled" -Value "0"
System settings for power options with fast startup setting highlighted