How to recover files with Linux from a Bitlocker drive
Due to hardware failure Windows became very unstable. I wanted to recover the files using a Live Linux USB thumbdrive.
But all my volumes are encrypted with Bitlocker. A quick how-to.
First create a Debian Live USB-stick. Download Debian from the live install images page and use a tool like Rufus to put it on a thumbdrive.
Next boot your system from USB and start the live mode.
In Linux start a terminal and elevate to root:
$ sudo su
I used Dislocker to access the Bitlocker partitions.
Unfortunately the Dislocker package distributed with Debian was unable to read my Bitlocker drives; it seems to be the same issue as issue 185.
So my advice is to download the latest version of Dislocker from GitHub and compile it.
We need a few packages to do the download and compile:
# apt install gcc cmake make libfuse-dev libmbedtls-dev ruby-dev git
Now we can download, build and install Dislocker:
$ git clone https://github.com/Aorimn/dislocker.git
$ cd dislocker
$ cmake .
$ make
$ make install
Now that Dislocker is installed, we can list all the partitions we have:
$ fdisk -l
Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Disk model: SAMSUNG MZ***
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C8AE695B-****-****-****-B5625FF1****
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 534527 532480 260M EFI System
/dev/nvme0n1p2 534528 567295 32768 16M Microsoft reserved
/dev/nvme0n1p3 567296 525885705 525318410 250.5G Microsoft basic data
/dev/nvme0n1p4 525887488 527124479 1236992 604M Windows recovery environme
/dev/nvme0n1p5 527126528 731926527 204800000 97.7G Microsoft basic data
/dev/nvme0n1p6 731926528 936726527 204800000 97.7G Microsoft basic data
In my case the partition with Windows was /dev/nvme0n1p3 (my C drive).
I stored the Bitlocker recovery keys in Azure AD. In Azure AD under devices you can see the Bitlocker ID and you can reveal the recovery key. To know which partition has which Bitlocker ID, I used bdeinfo.
So first I needed to install the package:
$ apt install libbde-utils
The syntax is pretty simple: bdeinfo followed by the device name.
$ bdeinfo /dev/nvme0n1p3
BitLocker Drive Encryption information:
Encryption method : AES-XTS 128-bit
Volume identifier : e511****-****-***-***
Creation time : Jun 23, 2019 21:21:09.633576400 UTC
Description : PC15055 Windows 23-6-2019
Number of key protectors : 2
Key protector 0:
Identifier : b8913747-****-****-***
Type : Startup key
Key protector 1:
Identifier : 2a02e2f5-****-****-***
Type : Recovery password
Now I was able to match the Recovery password identifier with the ID in Azure AD.
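The matching step can be scripted across several partitions. The following is an added example, not part of the original post: it parses bdeinfo output and prints each device next to the identifier of its Recovery password protector. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: map partitions to their BitLocker recovery-password protector ID.

# Read bdeinfo output on stdin; print the Identifier of every key protector
# whose Type is "Recovery password" (one per line).
recovery_ids() {
    awk '
        /^[ \t]*Key protector [0-9]+:/ { id = ""; next }   # start of a protector block
        /^[ \t]*Identifier[ \t]*:/ {                        # remember the ID of this block
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); id = $0; next
        }
        /^[ \t]*Type[ \t]*:/ {                              # emit the ID if the type matches
            sub(/^[^:]*:[ \t]*/, "")
            if ($0 ~ /^Recovery password/ && id != "") print id
        }
    '
}

# Run bdeinfo on each device given as argument and print "<device> <id>".
# Needs root; devices that are not BitLocker volumes produce no line.
scan_devices() {
    for dev in "$@"; do
        bdeinfo "$dev" 2>/dev/null | recovery_ids | while read -r id; do
            printf '%s %s\n' "$dev" "$id"
        done
    done
}

# Constructed sample in the layout bdeinfo prints (identifiers are made up).
sample_bdeinfo_output() {
    cat <<'EOF'
BitLocker Drive Encryption information:
    Encryption method : AES-XTS 128-bit
    Volume identifier : 00000000-0000-0000-0000-000000000000
    Number of key protectors : 2
Key protector 0:
    Identifier : aaaaaaaa-0000-0000-0000-000000000001
    Type : Startup key
Key protector 1:
    Identifier : aaaaaaaa-0000-0000-0000-000000000002
    Type : Recovery password
EOF
}

# Demo on the sample; on the live system use: scan_devices /dev/nvme0n1p[0-9]*
sample_bdeinfo_output | recovery_ids
```

Each printed identifier can then be looked up under the device entry in Azure AD to find the recovery key that belongs to that partition.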
Next up was creating two directories for mounting.
$ mkdir /media/bitlocker
$ mkdir /media/bitlockermount
Dislocker will create a pointer in the mounted directory (/media/bitlocker).
That pointer can be mounted in a second directory (/media/bitlockermount) and will contain the filesystem.
First mount the volume with Dislocker. Note the position of the --recovery-password option and the = sign after it, and mind the uppercase V in the -V option that precedes the device name!
$ /usr/local/bin/dislocker -r -s --recovery-password=132627-******-******-******-******-******-******-****** -V /dev/nvme0n1p3 -- /media/bitlocker
Done? Check if it worked and go to the directory.
$ cd /media/bitlocker
$ ls
You should see a file named dislocker-file.
Now mount the dislocker-file into the second directory:
$ mount -t ntfs-3g -o loop dislocker-file /media/bitlockermount
Replace ntfs-3g with exfat-fuse when the volume uses exFAT.
Now you are ready to copy files from your Bitlocker encrypted disk to somewhere else.