1DISLOCKER-FUSE(1) DISLOCKER-FUSE DISLOCKER-FUSE(1)
2
6 Dislocker fuse - Read/write BitLocker encrypted volumes under Linux,
7 OSX and FreeBSD.
8
10 dislocker-fuse [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPT‐
11 METHOD -F[N]] [-- ARGS...]
12 Where DECRYPTMETHOD = {-p[RECOVERY_PASSWORD] | -f BEK_FILE |
14 -u[USER_PASSWORD] | -k FVEK_FILE | -c}
15
17 Given a decryption mean, the program is used to read or write BitLocker
18 encrypted volumes. Technically, the program will create a virtual NTFS
19 partition that you can mount as any other NTFS partition.
20 The virtual partition is linked to the underlying BitLocker volume, so
22 any write to this volume is put on the BitLocker volume as well. How‐
23 ever, you can use dd(1) to get rid of this limitation -- if it's a lim‐
24 itation for you. An example is provided in the EXAMPLES section of this
25 man page.
26
28 Program's options are described below:
29 -c, --clearkey
31 decrypt volume using a clear key which is searched on the volume
32 (default)
33 -f, --bekfile BEK_FILE
35 decrypt volume using the bek file (present on a USB key)
36 -F, --force-block=[N]
38 force use of metadata block number N (1, 2 or 3). Without N,
39 the first block is forced. Without this option, the program
40 will try each block until a valid one is found
41 -h print the help and exit
43 -k, --fvek FVEK_FILE
45 decrypt volume using the FVEK directly. See the FVEK FILE sec‐
46 tion below to understand what is to be put into this FVEK_FILE
47 -l, --logfile LOG_FILE
49 put messages into this file (stdout by default)
50 -O, --offset OFFSET
52 BitLocker partition offset, in bytes, in base 10 (default is 0).
53 Protip: in your shell, you probably can pass -O $((0xdeadbeef))
54 if you have a 16-based number and are too lazy to convert it in
55 another way.
56 -p, --recovery-password=[RECOVERY_PASSWORD]
58 decrypt volume using the recovery password method. If no recov‐
59 ery-password is provided, it will be asked afterward; this has
60 the advantage that the program will validate each block one by
61 one, on the fly, as you type it and not to leak the password on
62 the commandline
63 -q, --quiet
65 do NOT display any information. This option has priority on any
66 previous `-v'. One probably wants to check the return value of
67 the program when using this option
68 -r, --readonly
70 do not allow to write on the BitLocker volume (read only mode)
71 -s, --stateok
73 do not check the volume's state, assume it's ok to mount it. Do
74 not use this if you don't know what you're doing
75 -u, --user-password=[USER_PASSWORD]
77 decrypt the volume using the user password method. If no user-
78 password is provided, it will be asked afterward; this has the
79 advantage not to leak the password on the commandline
80 -v, --verbosity
82 increase verbosity (CRITICAL level by default), see also `-q'
83 -V, --volume VOLUME
85 volume to get metadata and encrypted keys from
86 -- mark the end of program's options and the beginning of FUSE's
88 ones (useful if you want to pass something like -d to FUSE)
89 ARGS are any arguments you want to pass to FUSE. Note that you need to
91 pass at least the mount-point.
92
94 The FVEK file option expects a specific format from the file. The file
95 is split into two major parts:
96 - 2 bytes describing the encryption in use, from 0x8000 to
97 0x8003 for AES 128 or 256 bits, with or without diffuser.
98 - 64 bytes (512 bits) which are the FVEK as in the FVEK key pro‐
100 tector once decrypted.
101 The file is therefore 66 bytes long, not more nor less. Note that you
103 may have to deal with endianness.
104
106 These are examples you can run directly. First, you may want to copy
107 the BitLocker volume:
108 % dd if=/dev/sda2 of=encrypted.bitlocker
110 This will copy the entire volume located into /dev/sda2 to
112 encrypted.bitlocker. You're not forced to do this step, but
113 this will ensure no write whatsoever is performed on the Bit‐
114 Locker volume.
115 Then dislock it:
117 % dislocker -V encrypted.bitlocker -f /path/to/usb/file.BEK --
119 /mnt/ntfs
120 This will create a file into /mnt/ntfs named dislocker-file.
122 To mount partitions once decrypted, use this sort of line:
124 % mount -o loop /mnt/ntfs/dislocker-file /mnt/clear
125 --
127 It seems that you have to unmount the NTFS partition and the dislocker
129 one before halting the system, or you will run into unexpected behav‐
130 iour. In order to do so, you may run these commands (replacing your
131 mount points):
132 % umount /mnt/clear && umount /mnt/ntfs/dislocker-file
133 --
135 Note that these are examples and, as such, may need to be modified. For
137 instance, you may want to change the decryption method used in them.
138
140 This tool is developed by Romain Coltel on behalf of HSC
141 (http://www.hsc.fr/)
142 Feel free to send bugs report to <dislocker __AT__ hsc __DOT__ fr>
144Linux 2011-09-07 DISLOCKER-FUSE(1)