How to Decrypt and Mount a BitLocker Partition on GNU/Linux Using Dislocker

On my brand new computer, I have a dual boot with Windows and Kali Linux. For security reasons, I used BitLocker to encrypt my Windows partition. Since it's encrypted, I needed a way to read this partition from Kali Linux, so I used the dislocker tool.

As we will see here, it's pretty easy to use.

Installation

Installation is oriented towards Kali Linux, but can easily be performed on other distributions.

  • Install dislocker:
$ sudo apt update && sudo apt install dislocker

Identify the Windows partition

Once installation is complete, we need to identify our encrypted Windows partition. To do this, we'll use the fdisk tool.

  • List partitions with fdisk:
$ sudo fdisk -l
Disk /dev/nvme0n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 980 1TB
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 16384 bytes / 131072 bytes
Disklabel type: gpt
Disk identifier: 5A1C0C90-61D9-1BBV-96C1-7ED8C4EI8BA5

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048     206847     204800   100M EFI System
/dev/nvme0n1p2     206848     239615      32768    16M Microsoft reserved
/dev/nvme0n1p3     239616 1022901873 1022662258 487,6G Microsoft basic data
/dev/nvme0n1p4 1022902272 1024237567    1335296   652M Windows recovery environment
/dev/nvme0n1p5 1024239616 1025216511     976896   477M Linux filesystem
/dev/nvme0n1p6 1025216512 1953523711  928307200 442,7G Linux filesystem

The Microsoft basic data partition with a size of 487,6G (/dev/nvme0n1p3) looks like a good candidate. 🙂

Decrypt and Mount the partition

Depending on your hardware, we'll decrypt the partition either with a PIN code or with the recovery password. If (like me) you have TPM-compatible hardware, you'll need the recovery password.

  • In fact, if TPM is enabled, you'll get the following message if you try to decrypt with the PIN code only:
[CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
[CRITICAL] Unable to grab VMK or FVEK. Abort.

Preparation

  • Create two mount points for dislocker:
$ sudo mkdir /media/bitlocker && sudo chown user:user /media/bitlocker
$ sudo mkdir /media/bitlockerloop && sudo chown user:user /media/bitlockerloop

Decrypt

  • Decrypt with the recovery key (if TPM is enabled):
$ sudo dislocker -V /dev/nvme0n1p3 -p181938-009977-030118-024662-878971-217634-366661-422744 -- /media/bitlocker
  • Decrypt with PIN code (if TPM is disabled):
$ sudo dislocker -V /dev/nvme0n1p3 -u123456 -- /media/bitlocker

Mount the decrypted partition

  • Mount the decrypted device:
$ sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockerloop
  • Check that you have access to the Windows partition:
$ ls -l /media/bitlockerloop
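
The partition guess from the fdisk step and the decrypt and mount steps above can be checked and scripted; what follows is an added example, not part of the original post. It confirms the BitLocker signature before calling dislocker, lets dislocker prompt for the recovery password instead of taking it on the command line, and mounts read-only. The function names are assumptions made for this example; the arguments are the partition and the two mount points used above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.
# A BitLocker volume (Windows Vista and later) stores the ASCII signature
# "-FVE-FS-" at byte offset 3 of its first sector, where plain NTFS has "NTFS    ".

# Print the 8-byte OEM ID at offset 3 of a device or image file.
volume_signature() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null | tr -d '\000'
}

# Succeed only if the target carries the BitLocker signature.
is_bitlocker() {
    [ "$(volume_signature "$1")" = "-FVE-FS-" ]
}

# Print every argument (partition or image file) that is a BitLocker volume.
find_bitlocker() {
    for part in "$@"; do
        if is_bitlocker "$part"; then echo "$part"; fi
    done
}

# Constructed test data: a 512-byte sector with the given OEM ID at offset 3.
make_sample_sector() {   # usage: make_sample_sector <file> <oem-id>
    head -c 512 /dev/zero > "$1"
    printf '%s' "$2" | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
}

# Decrypt and mount read-only. Run as root.
# usage: mount_bitlocker_ro <partition> <dislocker-dir> <mount-dir>
mount_bitlocker_ro() {
    is_bitlocker "$1" || { echo "$1: no BitLocker signature" >&2; return 1; }
    # -p with no value makes dislocker prompt for the recovery password, so it
    # stays out of shell history and the process list; -r is read-only mode.
    dislocker -r -V "$1" -p -- "$2" || return 1
    mount -o loop,ro "$2/dislocker-file" "$3"
}

# Undo mount_bitlocker_ro: unmount the filesystem first, then the FUSE layer.
umount_bitlocker() {   # usage: umount_bitlocker <dislocker-dir> <mount-dir>
    umount "$2" && umount "$1"
}
```

After sourcing the file as root, `find_bitlocker /dev/nvme0n1p*` lists the encrypted partitions and `mount_bitlocker_ro /dev/nvme0n1p3 /media/bitlocker /media/bitlockerloop` performs the decrypt and mount steps.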

Disable fast startup

To avoid data corruption when mounting the encrypted partition, and to avoid triggering BitLocker's recovery mode (the phase where you have to enter the recovery key), I recommend disabling the fast startup (quick start) feature in Windows. You can see details on this VeraCrypt page: https://veracrypt.eu/en/Issues%20and%20Limitations.html.

  • To do this, you can enter this PowerShell command from an administrator console:
PS > Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power\" -Name "HiberbootEnabled" -Value "0"

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.