cryptsetup supports mapping of BitLocker and BitLocker to Go
encrypted partitions using a native Linux kernel API. Header
formatting and BITLK header changes are not supported; cryptsetup
never changes the BITLK header on-device.
WARNING: This extension is EXPERIMENTAL.
The BITLK extension requires the kernel userspace crypto API to be
available (for details see TCRYPT section).
Cryptsetup should recognize all BITLK header variants, except the
legacy header used in Windows Vista systems and partially
decrypted BitLocker devices. Activation of legacy devices
encrypted in CBC mode requires at least Linux kernel version 5.3,
and at least kernel 5.6 for devices using the Elephant diffuser.
The bitlkDump command should work for all recognized BITLK
devices and doesn't require superuser privilege.
For unlocking with the open command, a password, a recovery
passphrase or a startup key must be provided.
Additionally, unlocking using the master key is supported. You must
provide the BitLocker Full Volume Encryption Key (FVEK) using the
--master-key-file option. The key must be decrypted and without
the header (only 128/256/512 bits of key data depending on the
cipher and mode used).
Other unlocking methods (TPM, SmartCard) are not supported.
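Added example, not part of the cryptsetup documentation: a shell
pre-flight check for the raw FVEK file described above, run before it
is handed to --master-key-file. The function names, exit codes and the
hex-text heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the cryptsetup project): pre-flight checks for a
# raw FVEK file before it is passed to --master-key-file.
# Exit status: 0 ok, 1 unreadable, 2 bad length, 3 loose permissions, 4 hex text.
bitlk_keyfile_check() {
    keyfile=$1
    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "not a readable regular file: $keyfile" >&2; return 1
    fi
    # Raw key data only: 128/256/512 bits = 16/32/64 bytes, no header.
    bytes=$(wc -c < "$keyfile" | tr -d '[:space:]')
    case $bytes in
        16|32|64) ;;
        *) echo "$keyfile: $bytes bytes, expected 16, 32 or 64" >&2; return 2 ;;
    esac
    # Heuristic (assumption of this example): a file made only of hex digits
    # is a text-encoded key, not raw key bytes, even if its length matches.
    nonhex=$(LC_ALL=C tr -d '0-9a-fA-F\n' < "$keyfile" | wc -c | tr -d '[:space:]')
    if [ "$nonhex" -eq 0 ]; then
        echo "$keyfile: looks like hex text, convert to binary first" >&2; return 4
    fi
    # The FVEK decrypts the whole volume: no access for group or others.
    perms=$(ls -ld -- "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keyfile: group/other permissions set ($perms)" >&2; return 3
    fi
    return 0
}

# Hypothetical wrapper: map the device read-only once the key file passes.
bitlk_open_readonly() {
    bitlk_keyfile_check "$1" || return
    cryptsetup open --type bitlk --readonly --master-key-file "$1" "$2" "$3"
}
```

A 256-bit key saved as 64 hex characters has the same length as a raw
512-bit key, which is why the length check alone is not enough.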
open --type bitlk <device> <name>
bitlkOpen <device> <name> (old syntax)
Opens the BITLK (a BitLocker-compatible) <device> and sets
up a mapping <name>.
<options> can be [--key-file, --readonly,
--test-passphrase, --allow-discards, --master-key-file].
bitlkDump <device>
Dump the header information of a BITLK device.
<options> can be [--dump-master-key, --master-key-file].
Please note that cryptsetup does not use any Windows BitLocker
code; please report all problems related to this compatibility
extension to the cryptsetup project.