BitLocker on Linux with Cryptsetup

I decided to try mounting my laptop's Windows 10 partition with the new experimental BitLocker support in Cryptsetup, but it failed with the following error:

$ blkid /dev/nvme0n1p3
/dev/nvme0n1p3: TYPE="BitLocker" PARTLABEL="Basic data partition" PARTUUID="<removed>"

$ ./cryptsetup open --debug --readonly --type bitlk /dev/nvme0n1p3 windows 
# cryptsetup 2.3.0-git processing "/home/jbit/src/cryptsetup-build/.libs/cryptsetup open --debug --readonly --type bitlk /dev/nvme0n1p3 windows"
# Reading BitLocker FVE metadata of size 112 on device /dev/nvme0n1p3, offset 101765120.
# Reading BitLocker FVE metadata entries of size 1057 on device /dev/nvme0n1p3, offset 101765232.
# Unknown metadata entry value '2' found when parsing VMK.
# Unknown metadata entry value '6' found when parsing VMK.
Unexpected metadata entry found when parsing VMK.
Device /dev/nvme0n1p3 is not a valid BITLK device.
Command failed with code -1 (wrong or missing parameters).

It looks like cryptsetup tried to open the BitLocker partition, but encountered some unknown metadata. My laptop runs up-to-date Windows 10, so maybe Microsoft extended the format recently?

After digging around the cryptsetup codebase I found out that key_entry_value being set to 2 means BITLK_ENTRY_VALUE_STRING. This suggests the unknown metadata is a string, so I dumped out the values and found:

Metadata string TPM Protection for a BITLK_PROTECTION_TPM VMK entry.
Metadata string DiskPassword for a BITLK_PROTECTION_RECOVERY_PASSPHRASE VMK entry.

So it seems the unknown metadata is just a string identifying each individual key slot! This could be an easy to fix! I dug around the Windows documentation to confirm my suspicions and found that WMI exposes a "friendly name" for each key protector, so I wrote a little PowerShell script to dump it out.

foreach ($volume in Get-WmiObject -namespace Root\cimv2\security\MicrosoftVolumeEncryption -classname Win32_EncryptableVolume -filter "DriveLetter='C:'") {
    Write-Output "Drive $($volume.DriveLetter)"
    Write-Output "  PersistentVolumeID=$($volume.PersistentVolumeID)"
    Write-Output "  Version=$($volume.GetVersion().Version)"
    Write-Output "  EncryptionMethod=$($volume.GetEncryptionMethod().EncryptionMethod)"
    Write-Output "  IdentificationField=$($volume.GetIdentificationField().IdentificationField)"
    Write-Output "  Protectors:"    foreach ($protector in $volume.GetKeyProtectors("0").volumekeyprotectorID) {
        Write-Output "    $protector Type=$($volume.GetKeyProtectorType($protector).KeyProtectorType) FriendlyName=$($volume.GetKeyProtectorFriendlyName($protector).FriendlyName)"
PS C:\Users\jbit> .\dump-bitlk.ps1
    Drive C:
        {<removed>} Type=1 FriendlyName=TPM Protection
        {<removed>} Type=3 FriendlyName=DiskPassword

The FriendlyNames from WMI match the metadata strings exactly, so I'm quite confident the unknown metadata is indeed just a (friendly) name field! And after modifying the cryptsetup source to understand these metadata strings, I can now open my Windows partition!

$ cryptsetup open --type bitlk /dev/nvme0n1p3 windows 
Enter passphrase for /dev/nvme0n1p3: <removed>
$ blkid /dev/mapper/windows 
/dev/mapper/windows: LABEL="Windows10" UUID="<removed>" TYPE="ntfs"
$ mount /dev/mapper/windows /mnt
$ file /mnt/Windows/notepad.exe
notepad.exe: PE32+ executable (GUI) x86-64, for MS Windows

The modification is now in cryptsetup (as of merge request !77)

Update: EXPERIMENTAL BitLocker support (including the above modification) is in Cryptsetup v2.3.0