dislocker in qubes / bitlocker w/ windows HVM


mil...@gmail.com

Jul 17, 2017, 9:50:54 PM
to qubes-users
Hello all,

It's possible this issue has nothing to do with qubes and I am talking to dislocker as well, but I didn't find anything about it in the search here, so...

I am using qubes 3.2 and need to access a Windoh's-10-bitlocker-encrypted external hard drive.

SOB story so you know why I must do such a silly thing:

My windows 10 laptop was locked with syskey configured to read a USB-drive as A:, and also encrypted with bitlocker. That USB drive was stolen (thankfully nothing else important on it) but now my windows laptop is inaccessible, and to even be able to wipe/restore it I need the bitlocker recovery key. I have the recovery key for the external hard drive and within it is the recovery key for the laptop.

I had (or thought I had) the recovery key written down but the key is not working which has me somewhat concerned the one in the external won't either but I have to try.

My current usable machine is Qubes-only. I see three options:

1) use dislocker if possible to decrypt the external hard drive and get my data that way

2) set up a windows 10 HVM and use bitlocker from it to open up the external

3) Just make a new usb windows10 recovery drive and wipe that way (would rather not)

link to dislocker:

https://github.com/Aorimn/dislocker

Currently I am trying option 1 but I think dislocker is having trouble with the Qubes filesystem. I am able to create the dislocker-file.ntfs image of the drive with minimal fuss.

(Note: external drive is larger capacity than onboard, so I cannot image the whole drive onto disk, must use the "fuse" method)

However, when I try to mount it, I have to use the -T option or it complains about fstab not having the mount point and if I use the -T option it says that:

/mnt/dislocker-file.ntfs: failed to parse

and I'm dead in the water. It also seems to keep the created file active since during an earlier attempt I created a file with no extension and was unable to rename it as it was in-use.

So, I am concerned that if I delete it I'm going to wipe the external drive because of the way dislocker works...

As far as I can tell, I am following the dislocker instructions precisely. I am also performing all the operations in my sys-usb VM which has been tested and works fine otherwise.

Is it possible that I need to do some of this in dom0?

Any other reason I would be running into this fail?

DISLOCKER LOG:

sudo dislocker -vvv -l dislocker.txt -r -V /dev/sda1 -p######-######-######-######-######-######-######-###### -- /mnt/dislocker-file.ntfs

Mon Jul 17 20:04:22 2017 [INFO] dislocker by Romain Coltel, v0.5.1 (compiled for Linux/x86_64)
Mon Jul 17 20:04:22 2017 [INFO] Volume GUID (INFORMATION OFFSET) supported
Mon Jul 17 20:04:22 2017 [INFO] BitLocker metadata found and parsed.
Mon Jul 17 20:04:22 2017 [INFO] Stretching the recovery password, it could take some time...
Mon Jul 17 20:04:23 2017 [INFO] Stretching of the recovery password is now ok!
Mon Jul 17 20:04:23 2017 [INFO] Used recovery password decryption method
Mon Jul 17 20:04:23 2017 [INFO] Found volume's size: 0xe8e0da7e00 (1000204828160) bytes
Mon Jul 17 20:04:23 2017 [INFO] Running FUSE with these arguments:
Mon Jul 17 20:04:23 2017 [INFO] `--> 'dislocker'
Mon Jul 17 20:04:23 2017 [INFO] `--> '/mnt/dislocker-file.ntfs'


cooloutac

Jul 18, 2017, 2:01:55 AM
to qubes-users, mil...@gmail.com

I would do option 2.

Milo tG

Jul 18, 2017, 2:20:24 PM
to cooloutac, qubes-users
ok, gotcha. I will start looking into that. Was thinking the same thing except option 3 since I don't have a lot of data on the other machine and I suspect the Windows HVM is a huge hassle. I will give it a shot first, though.

As for Dislocker I tried to do it again, following the directions even more carefully this time, and got a "Segmentation Error"

Since I don't know wtf I am doing and am 50% certain that I have already broken it, I am definitely not going to keep fiddling with it.

-M