By using Dislocker we can decrypt a Bitlocker encrypted partition on Linux and macOS. In this post we’ll be doing this on macOS.
1. Installing Dislocker and FUSE for macOS
Start by downloading Dislocker and extract the package. Then we can install Dislocker and FUSE for mac OS (which is a needed for dislocker) using Homebrew.
Enter the following commands in a terminal:
brew update
brew install Caskroom/cask/osxfuse
cd /Downloads/dislocker-master/src
brew install dislocker.rb
When I ran the last command to install dislocker this error showed up:
Last 15 lines from /Library/Logs/Homebrew/dislocker/02.make:
In file included from /tmp/dislocker-20171015-14904-gzgqvz/dislocker-0.7/src/config.c:30:
In file included from /tmp/dislocker-20171015-14904-gzgqvz/dislocker-0.7/include/dislocker/dislocker.priv.h:31:
/tmp/dislocker-20171015-14904-gzgqvz/dislocker-0.7/include/dislocker/metadata/metadata.priv.h:296:20: error: unknown type name 'VALUE'
void Init_metadata(VALUE rb_mDislocker);
^
make[2]: *** [src/CMakeFiles/dislocker.dir/dislocker.c.o] Error 1
make[2]: *** [src/CMakeFiles/dislocker_bundle.dir/dislocker.c.o] Error 1
13 errors generated.
...
make[2]: *** [src/CMakeFiles/dislocker.dir/config.c.o] Error 1
make[1]: *** [src/CMakeFiles/dislocker.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [src/CMakeFiles/dislocker_bundle.dir/all] Error 2
make: *** [all] Error 2
By unlinking ruby as explained by jricks92 on Github the install went through with no errors:
brew unlink ruby
brew install dislocker.rb
brew link ruby
2. Drive identifier
Now we need to know the identifier of the bitlocker encrypted disk. In the terminal we’ll run the command diskutil list
(on macOS).
$ diskutil list
/dev/disk2 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk2
1: Microsoft Basic Data 500.1 GB disk2s1
The identifier i’m interested in here is called disk2s1
3. Encrypt with dislocker
First we need to create a folder where a virtual NTFS partition called dislocker-file will be created. I’ll call mine externalhdd and i’ll create it in the mnt folder.
sudo mkdir /mnt/externalhdd
Now it’s time to use Dislocker to decrypt the disk.
sudo dislocker -V /dev/disk2s1 -u -- /mnt/externalhdd/
-V /dev/disk2s1
tells dislocker what disk to decrypt.
-u
tells dislockers to ask the user for the password the disk is encrypted with. -- /mnt/externalhdd
passes the path to the folder we created to store the virtual ntfs-partition.
4. Create a block device
Now we need to create a block device before mounting the disk.
$ sudo hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /mnt/externalhdd/dislocker-file
....
/dev/disk3
hdiutil
- manipulate disk images (attach, verify, create, etc)
attach
- Attach a disk image as a device
imagekey
- specify a key/value pair for the disk image recognition system. I can’t find information on what the diskimageclass=creatdiskimage means in the man pages of hdiutil.
nomount
- indicate whether filesystems in the image should be mounted or not.
After running this command i got the line /dev/disk3 printed in the console. Now we’ll use that to mount the drive.
5. Mount
Start by creating a folder where the drive will be mounted
sudo mkdir /Volumes/ExternalHDD
Then we run this command to mount it (only readable):
sudo mount -t ntfs /dev/disk3 /Volumes/ExternalHDD/
And by now, if you haven’t encountered any errors, you should see the disk in Finder.
Documentation
There are more to dislocker than this post shows, take a look at the man pages to get more info:
man dislocker