MAN page from RedHat EL 5 fuse-dislocker-0.2-1.el5.rf.x86_64.rpm
DISLOCKER
Section: DISLOCKER (1)
Updated: 2011-09-07
NAME
Dislocker - Read BitLocker encrypted volumes under Linux
SYNOPSIS
dislocker [-h] [-V VOLUME {-p[RECOVERY_PASSWORD] | -f BEK_FILE | -c} -F[N]] [-- ARGS...]
DESCRIPTION
Given a means of decryption, dislocker reads BitLocker encrypted volumes.
Options are described below:
- -c, --clearkey
- decrypt volume using a clear key, which is searched for on the volume
- -f, --bekfile BEK_FILE
- decrypt volume using the bek file (present on a USB key)
- -F, --force-block[N]
- force use of metadata block number N (1, 2 or 3), the first by default
- -h
- print the help and exit
- -l, --logfile LOG_FILE
- put messages into this file (stdout by default)
- -o, --offset OFFSET
- BitLocker partition offset (default is 0)
- -p, --recovery-password[RECOVERY_PASSWORD]
- decrypt volume using the recovery password method. If no password is provided, you will be prompted for it afterward; this has the advantage that the program will validate each block one by one, on the fly, as you type it
- -v, --verbosity
- increase verbosity (no output by default)
- -V, --volume VOLUME
- volume to get metadata and encrypted keys from
- --
- mark the end of program's options and the beginning of FUSE's ones (useful if you want to pass something like -d to FUSE)
ARGS are any arguments you want to pass to FUSE. Note that you need to pass at least the mount-point.
A second mode is available besides FUSE: instead of using FUSE, decrypt the entire volume into a new file. After using this mode, mount the resulting file normally. This process may take a very long time, depending on the initial volume size.
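The per-block check mentioned for the -p option can be reproduced offline before handing a password to dislocker. The following is an added example, not code from dislocker or from this page: it assumes the publicly documented BitLocker recovery password layout (8 blocks of 6 digits, each block a multiple of 11 whose quotient fits in 16 bits), and the names rp_check_block and rp_validate are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RP_BLOCKS 8        /* blocks in a recovery password */
#define RP_DIGITS 6        /* decimal digits per block */
#define RP_LEN (RP_BLOCKS * (RP_DIGITS + 1) - 1)   /* digits plus '-' separators */

/* Check one block: 0 and *out = block / 11 on success, -1 otherwise. */
static int rp_check_block(const char *digits, uint16_t *out)
{
    uint32_t value = 0;
    for (int i = 0; i < RP_DIGITS; i++) {
        if (!isdigit((unsigned char)digits[i]))
            return -1;
        value = value * 10 + (uint32_t)(digits[i] - '0');
    }
    /* Assumed rule: a multiple of 11 whose quotient fits in 16 bits. */
    if (value % 11 != 0 || value / 11 > UINT16_MAX)
        return -1;
    *out = (uint16_t)(value / 11);
    return 0;
}

/* Returns 0 if valid, the 1-based index of the first bad block,
 * or -1 if the length or the '-' separators are wrong. */
int rp_validate(const char *password, uint16_t words[RP_BLOCKS])
{
    if (password == NULL || strlen(password) != (size_t)RP_LEN)
        return -1;
    for (int b = 0; b < RP_BLOCKS; b++) {
        const char *block = password + b * (RP_DIGITS + 1);
        if (b > 0 && block[-1] != '-')
            return -1;
        if (rp_check_block(block, &words[b]) != 0)
            return b + 1;
    }
    return 0;
}

int main(void)
{
    /* Sample password taken from the EXAMPLES section of this page. */
    uint16_t words[RP_BLOCKS];
    int rc = rp_validate("563200-557084-108284-218900-019151-415437-694144-239976", words);
    printf("rp_validate: %d\n", rc);
    return rc != 0;
}
```

A non-zero result points at the mistyped block, which is useful when transcribing a recovery password from a printout during evidence handling.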
NOTES
There are two decryption modes available: FILE or FUSE. One of them is chosen at compile time.
In FILE mode, the BitLocker volume is decrypted into a file. This mode requires a huge amount of time for a huge volume, but access to the decrypted volume afterward will be faster than with FUSE mode, as the decrypted file can be treated like any NTFS volume.
In FUSE mode, the NTFS "file" is decrypted according to the data requested by a user, so each request for a piece of data takes the time needed to decrypt that data. There is no noticeable impact on the end user if only "small" pieces of data are requested.
EXAMPLES
These are examples you can run directly. The program suffixes are here to indicate which mode dislocker is running in; you may have to remove them yourself.
First, you may want to copy the BitLocker volume:
- % dd if=/dev/sda2 of=encrypted.bitlocker
- This will copy the entire volume located on /dev/sda2 to encrypted.bitlocker
Then dislock it:
- % dislocker-file -V encrypted.bitlocker -p563200-557084-108284-218900-019151-415437-694144-239976 -- decrypted.ntfs
- This will decrypt encrypted.bitlocker into decrypted.ntfs using the recovery password method.
- % dislocker-fuse -V encrypted.bitlocker -f /path/to/usb/file.BEK -- /mnt/ntfs
- This will create a file in /mnt/ntfs named dislocker-file if the encrypted volume has a clear key enabled.
- To mount partitions once decrypted, use this sort of line on Linux:
- % mount -o loop ntfs/dislocker-file /mnt
- On MacOSX, you first need to create the block device:
- % hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount ntfs/dislocker-file
- Then mount it on a directory under /Volumes, for instance:
- % mkdir /Volumes/blah && mount -t ntfs /dev/disk1 /Volumes/blah
AUTHOR
This tool is developed by Romain Coltel on behalf of HSC (http://www.hsc.fr/)
Feel free to send bug reports to <Romain __DOT__ Coltel __AT__ hsc __DOT__ fr>