I write about software, app and web development.

RSS feed twitter github linkedin dribbble
Decrypt Bitlocker encrypted partition on Linux and macOS

Decrypt Bitlocker encrypted partition on Linux and macOS

By using Dislocker we can decrypt a Bitlocker encrypted partition on Linux and macOS. In this post we’ll be doing this on macOS.

1. Installing Dislocker and FUSE for macOS

Start by downloading Dislocker and extract the package. Then we can install Dislocker and FUSE for mac OS (which is a needed for dislocker) using Homebrew.

Enter the following commands in a terminal:

brew update
brew install Caskroom/cask/osxfuse
cd /Downloads/dislocker-master/src
brew install dislocker.rb

When I ran the last command to install dislocker this error showed up:

Last 15 lines from /Library/Logs/Homebrew/dislocker/02.make:
In file included from /tmp/dislocker-20171015-14904-gzgqvz/dislocker-0.7/src/config.c:30:
In file included from /tmp/dislocker-20171015-14904-gzgqvz/dislocker-0.7/include/dislocker/dislocker.priv.h:31:
/tmp/dislocker-20171015-14904-gzgqvz/dislocker-0.7/include/dislocker/metadata/metadata.priv.h:296:20: error: unknown type name 'VALUE'
void Init_metadata(VALUE rb_mDislocker);
                   ^
make[2]: *** [src/CMakeFiles/dislocker.dir/dislocker.c.o] Error 1
make[2]: *** [src/CMakeFiles/dislocker_bundle.dir/dislocker.c.o] Error 1
13 errors generated.
...
make[2]: *** [src/CMakeFiles/dislocker.dir/config.c.o] Error 1
make[1]: *** [src/CMakeFiles/dislocker.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [src/CMakeFiles/dislocker_bundle.dir/all] Error 2
make: *** [all] Error 2

By unlinking ruby as explained by jricks92 on Github the install went through with no errors:

 brew unlink ruby
 brew install dislocker.rb
 brew link ruby

2. Drive identifier

Now we need to know the identifier of the bitlocker encrypted disk. In the terminal we’ll run the command diskutil list (on macOS).

$ diskutil list

/dev/disk2 (external, physical):
   #:      TYPE NAME                    SIZE        IDENTIFIER
   0:      GUID_partition_scheme        *500.1 GB   disk2
   1:      Microsoft Basic Data         500.1 GB    disk2s1

The identifier i’m interested in here is called disk2s1

3. Encrypt with dislocker

First we need to create a folder where a virtual NTFS partition called dislocker-file will be created. I’ll call mine externalhdd and i’ll create it in the mnt folder.

sudo mkdir /mnt/externalhdd

Now it’s time to use Dislocker to decrypt the disk.

sudo dislocker -V /dev/disk2s1 -u -- /mnt/externalhdd/

-V /dev/disk2s1 tells dislocker what disk to decrypt.
-u tells dislockers to ask the user for the password the disk is encrypted with. -- /mnt/externalhdd passes the path to the folder we created to store the virtual ntfs-partition.

4. Create a block device

Now we need to create a block device before mounting the disk.

$ sudo hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /mnt/externalhdd/dislocker-file
....
/dev/disk3

hdiutil - manipulate disk images (attach, verify, create, etc)
attach - Attach a disk image as a device
imagekey - specify a key/value pair for the disk image recognition system. I can’t find information on what the diskimageclass=creatdiskimage means in the man pages of hdiutil.
nomount - indicate whether filesystems in the image should be mounted or not.

After running this command i got the line /dev/disk3 printed in the console. Now we’ll use that to mount the drive.

5. Mount

Start by creating a folder where the drive will be mounted

sudo mkdir /Volumes/ExternalHDD

Then we run this command to mount it (only readable):

sudo mount -t ntfs /dev/disk3 /Volumes/ExternalHDD/

And by now, if you haven’t encountered any errors, you should see the disk in Finder.

Documentation

There are more to dislocker than this post shows, take a look at the man pages to get more info:

man dislocker
I hope you find this post valuable. If you click the ad below I get paid by someone else and can continue to publish posts for free. I would appreciate it very much.