dislocker: decrypt BitLocker encrypted volumes

dislocker is a tool to decrypt Microsoft’s BitLocker-encrypted volumes from Linux or OS X. It uses a FUSE-based mechanism to decrypt the volume and mount it so that the user can access (read or write) the files within the volume. Note that this is not a brute-force mechanism or a hack; the user still needs to provide a valid BEK file (startup key), numerical key, FVEK (Full Volume Encryption Key), recovery password or user password for the decryption.

dislocker requires the PolarSSL library to work. dislocker itself is not available as a package yet, so this article explains how to compile and install it from source on Ubuntu.

Installation

Run the following commands on Ubuntu 14.04:

$ sudo apt-get install libpolarssl5 libpolarssl-dev libpolarssl-runtime libfuse-dev

Or, on Ubuntu 16.04:

$ sudo apt-get install libmbedcrypto0 libmbedtls-dev libfuse-dev

Compile and install:

$ git clone https://github.com/Aorimn/dislocker.git
$ cd dislocker
$ cmake .
$ make
$ sudo make install

Usage

dislocker provides the following binaries:

dislocker-bek: for dissecting a .bek file and printing information about it
dislocker-metadata: for printing information about a BitLocker-encrypted volume
dislocker-file: for decrypting a BitLocker-encrypted volume into a flat file formatted as an NTFS volume you can mount
dislocker-fuse: called internally by the dislocker command; dynamically decrypts a BitLocker-encrypted volume using FUSE

Switches and options:

Usage: dislocker [-hqrsv] [-l LOG_FILE] [-o OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-c

Options:
-c, --clearkey decrypt volume using a clear key (default)
-f, --bekfile BEKFILE
      decrypt volume using the bek file (on USB key)
-F, --force-block N force use of metadata block number N (1, 2 or 3)
-h, --help print this help and exit
-k, --fvek FVEK_FILE decrypt volume using the FVEK directly
-l, --logfile LOG_FILE
      put messages into this file (stdout by default)
-o, --offset OFFSET BitLocker partition offset (default is 0)
-p, --recovery-password[RECOVERY_PASSWORD]
      decrypt volume using the recovery password method
-q, --quiet do NOT display anything
-r, --readonly do not allow to write on the BitLocker volume
-s, --stateok do not check the volume's state, assume it's ok to mount it
-u, --user-password decrypt volume using the user password method
-v, --verbosity increase verbosity (CRITICAL errors are displayed by default)
-V, --volume VOLUME volume to get metadata and keys from

-- end of program options, beginning of FUSE's ones

ARGS are any arguments you want to pass to FUSE. You need to pass at least the mount-point.
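
A read-only mount built from the options above, as an added example that is not part of the original article or the dislocker project. The device path, mount points and function names are assumptions; it also assumes that dislocker exposes the decrypted volume as a file named dislocker-file inside the FUSE mount point and that -p and -u prompt for the secret when no value is attached.

```sh
#!/bin/sh
# Added example (not from the dislocker project): read-only access to a
# BitLocker volume. Device, paths and function names are assumptions.

# Print the dislocker argument list for a read-only mount.
#   $1 volume  $2 method: recovery|user|bek  $3 BEK file (bek only)  $4 FUSE dir
# Paths must not contain whitespace; the result is word-split by the caller.
dislocker_ro_args() {
    case $2 in
        # -p / -u without an attached value make dislocker prompt, which
        # keeps the secret out of shell history and the process list.
        recovery) key="-p" ;;
        user)     key="-u" ;;
        bek)      [ -n "$3" ] || return 2
                  key="-f $3" ;;
        *)        return 2 ;;
    esac
    # -r: never write to the encrypted volume; "--" starts the FUSE arguments.
    printf '%s\n' "-r -V $1 $key -- $4"
}

# Decrypt through FUSE, then loop-mount the exposed NTFS image read-only.
#   $1-$4 as above, $5 directory where the NTFS file system is mounted
mount_bitlocker_ro() {
    args=$(dislocker_ro_args "$1" "$2" "$3" "$4") || {
        echo "usage: mount_bitlocker_ro VOLUME recovery|user|bek BEK_FILE FUSE_DIR NTFS_DIR" >&2
        return 2
    }
    sudo mkdir -p "$4" "$5" || return 1
    # Intentionally unquoted: $args holds several options.
    sudo dislocker $args || return 1
    # dislocker exposes the decrypted volume as FUSE_DIR/dislocker-file.
    sudo mount -o loop,ro "$4/dislocker-file" "$5"
}

# Tear down in reverse order: NTFS mount first, then the FUSE mount.
#   $1 FUSE dir  $2 NTFS dir
umount_bitlocker() {
    sudo umount "$2" && sudo umount "$1"
}

# Example (constructed values):
#   mount_bitlocker_ro /dev/sdb1 recovery "" /mnt/dislocker /mnt/bitlocker
#   umount_bitlocker /mnt/dislocker /mnt/bitlocker
```
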

On GitHub: dislocker


10 thoughts on “dislocker: decrypt BitLocker encrypted volumes”

  1. Does this work for both versions of BitLocker, the older, Win 7 version using Elephant Diffuser, and the newer versions without Elephant Diffuser?

  2. I am new to Linux and need help with this. I followed your steps to install dislocker but don’t know whether it’s installed or not. Wondering how to use it.

    1. Run the dislocker command from the terminal and if it’s installed you’ll know. Otherwise you’ll get a “Command not found” or “Unknown command” type error.

  3. I am using the latest version of Ubuntu, the installation works fine until the libpolarssl-dev part. When I try to sudo apt-get install it, it says that it can’t locate the package. I googled and found out that PolarSSL doesn’t go by the same name anymore. What do I do?
