Saturday, December 17, 2022

BitLocker on macOS

How to mount and access BitLocker-encrypted partitions read/write on macOS 13.1 Ventura with Apple Silicon (ARM64).

You may need to do these two things first to allow the macFUSE kernel extension (kext) to be installed.

1. Start up your computer in macOS Recovery by long-pressing the power button once it is powered off -> Options -> Startup Security Utility -> select Macintosh HD -> Security Policy... :

  • Change the security policy from "Full Security" to "Reduced Security" and tick "Allow user management of kernel extensions from identified developers".
  • Open the Terminal (it opens as root after prompting for the admin password) and run "csrutil disable" to disable System Integrity Protection. This step is not required for dislocker.
Go to step 6 to see screenshots.
All the following commands are meant to be run as a regular user from the macOS Terminal (booted normally into macOS, not from Recovery):

2. Install Homebrew from brew.sh using the Terminal, if you don't have it already.

3. Then install the required casks and bottles:
brew install --cask macfuse
brew install gromgit/fuse/dislocker-mac
brew install gromgit/fuse/ntfs-3g-mac
brew install coreutils #optional

4. Now create the directories where you will mount the dislocker-file and the NTFS filesystem itself. Two folders are needed for each individual BitLocker volume we want to mount, for example Windows OS (C:) and STORAGE (D:):
mkdir -p ~/mnt/dislocker/WINDOWS ~/mnt/WINDOWS
mkdir -p ~/mnt/dislocker/STORAGE ~/mnt/STORAGE
Since macOS mounts the root volume 'Macintosh HD' read-only, we create the mount points inside the user's home.

5. Now connect the BitLocker drive to macOS, in case it isn't already. Note that you may see a macOS notification saying "The disk you attached was not readable by this computer.", with the options "Eject", "Ignore" and "Initialise...". Choose Ignore:

From the Terminal you can use either "diskutil list" or "sudo gdisk -l /dev/disk4" (gdisk is a Homebrew package) to identify the right drive.

5. Now unlock the encrypted BitLocker volume to a dislocker-file and mount that dislocker-file as an NTFS volume on the corresponding folder (replace the X's with your BitLocker recovery key):
5.1 As read-only:
sudo dislocker-fuse -r -v -V /dev/disk4s1 -pXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -- ~/mnt/dislocker/WINDOWS/
sudo ntfs-3g -o uid=$(id -u),gid=$(id -g),loop,ro,local,allow_other ~/mnt/dislocker/WINDOWS/dislocker-file ~/mnt/WINDOWS/
5.2 As read-write:
sudo dislocker-fuse -v -V /dev/disk4s1 -pXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -- ~/mnt/dislocker/WINDOWS/
sudo ntfs-3g -o uid=$(id -u),gid=$(id -g),loop,local,allow_other ~/mnt/dislocker/WINDOWS/dislocker-file ~/mnt/WINDOWS/
With all default system settings, macOS 13.1 does not allow loading third-party kernel extensions (kexts). These are all the messages and errors I get when running "sudo dislocker-fuse" on a fresh macOS computer:

6. Reboot to macOS Recovery if needed and change the setting as explained in step 1:

Now all the commands should work perfectly. If you get the error "sudo: ntfs-3g: command not found", reinstall it with brew.

7. Check that the macFUSE kernel extension is now loaded (it loads automatically when a mount is requested). NTFS-3G does not install any kernel extension:
kextstat | grep -v com.apple
Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  256    0 0xfffffe0006f24000 0x18b0     0x18b0     io.macfuse.filesystems.macfuse (2113.20) XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX <7 5 4 3 1>

8. Check that both filesystems are mounted properly:
mount
/dev/disk3s3s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s4 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk3s2 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
/dev/disk1s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk1s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
/dev/disk1s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
/dev/disk3s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
dislocker-fuse@macfuse0 on /Users/user/mnt/dislocker/WINDOWS (macfuse, synchronous)
/Users/user/mnt/dislocker/WINDOWS/dislocker-file on /Users/user/mnt/WINDOWS (macfuse, local, synchronous)

9. Check that the NTFS mount point belongs to the current user and not to root (root would show 0 for both user and group):
gstat -c %u ~/mnt/WINDOWS/
501
gstat -c %g ~/mnt/WINDOWS/
20

"~/mnt/dislocker/*" will still belong to root while the dislocker-file is mounted; the NTFS filesystem, however, can be read and written as an unprivileged user.

gstat -c %u ~/mnt/dislocker/
501
gstat -c %g ~/mnt/dislocker/
20
sudo gstat -c %u ~/mnt/dislocker/WINDOWS
0
sudo gstat -c %g ~/mnt/dislocker/WINDOWS
0


10. The macFUSE ntfs-3g volume icon should appear on the Desktop as well, and you can double-click it to open and access it. It will also be listed under the Locations panel on the left:



11. Read and write permissions

Clicking in Finder on the volume name "macFUSE Volume 1 (ntfs-3g)" is equivalent to browsing the filesystem at "~/mnt/WINDOWS/" (or the corresponding mount point name). You will be able to access that directory and all of its subfolders from Terminal or a third-party shell, like iTerm, with read, write and execute permissions.

However, although Finder displays the volume in Locations, it will only show directories (folders) from that mount point down, recursively, and will not list or open any file, either in Finder itself or in any other desktop application, like "Hex Fiend".

This happens because once the dislocker file is mounted on a directory, the mounting directory (WINDOWS) changes from being owned by the user to being owned by root, and reverts after the unmount; Finder does not list files in directories owned by root, even if the permissions are rwx for everyone (777 in octal). As said, you can still access everything under the mounting directory as user for any operation.

Clearly this is a bug in Finder #bugs

Demonstration of permissions, starting with nothing mounted:

sudo tree -L 3 -u -g -p ~/mnt/
[drwxr-xr-x user     staff   ]  /Users/user/mnt/
├── [drwxr-xr-x user     staff   ]  WINDOWS
└── [drwxr-xr-x user     staff   ]  dislocker
    └── [drwxr-xr-x user     staff   ]  WINDOWS
sudo dislocker-fuse -v -V /dev/disk4s1 -pXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -- ~/mnt/dislocker/WINDOWS/
sudo tree -L 3 -u -g -p ~/mnt/
[drwxr-xr-x user     staff   ]  /Users/user/mnt/
├── [drwxr-xr-x user     staff   ]  WINDOWS
└── [drwxr-xr-x user     staff   ]  dislocker
    └── [dr-xr-xr-x root     wheel   ]  WINDOWS
        └── [-rw-rw-rw- root     wheel   ]  dislocker-file
sudo ntfs-3g -o uid=$(id -u),gid=$(id -g),loop,local,allow_other ~/mnt/dislocker/WINDOWS/dislocker-file ~/mnt/WINDOWS/
sudo tree -L 2 -u -g -p ~/mnt/
[drwxr-xr-x user     staff   ]  /Users/user/mnt/
├── [drwxrwxrwx user     staff   ]  WINDOWS
│   ├── [drwxrwxrwx user     staff   ]  $RECYCLE.BIN
│   ├── [drwxrwxrwx user     staff   ]  System Volume Information
│   ├── [-rwxrwxrwx user     staff   ]  bookmarks.html
│   ├── [drwxrwxrwx user     staff   ]  movies
└── [drwxr-xr-x user     staff   ]  dislocker
    └── [dr-xr-xr-x root     wheel   ]  WINDOWS

Here we can see that as soon as we mount each of the filesystems, the directories change owner and group to more privileged values, hence Finder does not display the files or let GUI *.app applications access them.


12. Unmounting both filesystems is simple; do it in reverse order:

sudo umount ~/mnt/WINDOWS
sudo umount ~/mnt/dislocker/WINDOWS
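The mount (steps 4 and 5), ownership check (step 9) and reverse-order unmount (step 12) above, wrapped in one script. This is an added example, not part of the original post; it keeps the post's ~/mnt/dislocker/NAME and ~/mnt/NAME layout, assumes dislocker-fuse and ntfs-3g from the gromgit taps are on PATH, defaults to read-only, and reads the recovery key from stdin instead of putting it on the command line.

```shell
#!/bin/bash
# Wrapper for the dislocker-fuse + ntfs-3g steps above (added here, not part of the post).
# Paths follow the post (~/mnt/dislocker/NAME, ~/mnt/NAME); assumes dislocker-fuse, ntfs-3g on PATH.
set -u

# A BitLocker recovery key is eight groups of six digits separated by dashes.
bl_key_valid() {
    printf '%s' "$1" | grep -Eq '^([0-9]{6}-){7}[0-9]{6}$'
}

# ntfs-3g options as in the post; "ro" is the default so an untrusted disk is never written.
bl_ntfs_opts() {   # $1 = ro|rw
    local ro=",ro"
    [ "$1" = rw ] && ro=""
    printf 'uid=%s,gid=%s,loop%s,local,allow_other' "$(id -u)" "$(id -g)" "$ro"
}

# Numeric owner of a path (step 9 check): coreutils gstat if present, else the host's stat.
bl_owner_uid() {
    if command -v gstat >/dev/null 2>&1; then gstat -c %u "$1"
    elif stat -c %u "$1" >/dev/null 2>&1; then stat -c %u "$1"
    else stat -f %u "$1"; fi
}

# Unlock DEVICE as NAME. The key is read from stdin so it does not land in shell history;
# it is still visible in dislocker-fuse's process arguments while the volume is mounted.
bl_mount() {   # $1 = NAME  $2 = DEVICE (e.g. /dev/disk4s1)  $3 = ro|rw (default ro)
    local name=$1 dev=$2 mode=${3:-ro} key flag=""
    local raw="$HOME/mnt/dislocker/$name" fs="$HOME/mnt/$name"
    printf 'BitLocker recovery key for %s: ' "$name" >&2; IFS= read -rs key; echo >&2
    bl_key_valid "$key" || { echo "malformed recovery key" >&2; return 1; }
    [ "$mode" = ro ] && flag="-r"
    mkdir -p "$raw" "$fs"
    sudo dislocker-fuse $flag -V "$dev" -p"$key" -- "$raw" || return 1
    # If the NTFS mount fails, release the dislocker mount so nothing is left half-mounted.
    sudo ntfs-3g -o "$(bl_ntfs_opts "$mode")" "$raw/dislocker-file" "$fs" \
        || { sudo umount "$raw"; return 1; }
    [ "$(bl_owner_uid "$fs")" = "$(id -u)" ] || echo "warning: $fs is not owned by you" >&2
}

# Unmount in reverse order (step 12): the NTFS view first, then the dislocker mount.
bl_umount() {   # $1 = NAME
    sudo umount "$HOME/mnt/$1" && sudo umount "$HOME/mnt/dislocker/$1"
}

case "${1:-}" in
    mount)  bl_mount "$2" "$3" "${4:-ro}" ;;
    umount) bl_umount "$2" ;;
    *)      [ $# -eq 0 ] || echo "usage: $0 mount NAME DEVICE [ro|rw] | umount NAME" >&2 ;;
esac
```

Run it as "./blmount.sh mount WINDOWS /dev/disk4s1" for a read-only mount (add "rw" for read-write) and "./blmount.sh umount WINDOWS" to tear down.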

13. Performance tests

The SSD sits in a SATA-to-USB 3.0 enclosure connected to USB 3 ports. Some read and write tests in Windows 11 and macOS:

Cygwin under Windows 11 (MSi computer):

$ pv BaseSystem.img > /dev/null
2.00GiB 0:00:05 [ 359MiB/s] [=========================================================>] 100%
$ pv mac_hdd_ng.img > /dev/null
 101GiB 0:04:46 [ 364MiB/s] [=========================================================>] 100%
$ dd if=/dev/zero bs=100M count=100 | pv > file
100+0 records in[ 147MiB/s] [                                           <=>            ]
100+0 records out
10485760000 bytes (10 GB, 9.8 GiB) copied, 61.2093 s, 171 MB/s
9.77GiB 0:01:01 [ 163MiB/s] [                                           <=>            ]

iMac M1 with dislocker connected to Thunderbolt or USB-C port:

# dd if=/dev/disk5 bs=10M count=1000 | pv > /dev/null
1000+0 records in 135MiB/s] [                                           <=>            ]
1000+0 records out
10485760000 bytes transferred in 74.401004 secs (140935733 bytes/sec)
9.77GiB 0:01:14 [ 134MiB/s] [                                           <=>            ]
% pv BaseSystem.img > /dev/null
2.00GiB 0:00:21 [96.5MiB/s] [=========================================================>] 100%
% dd if=/dev/zero bs=100M count=100 | pv > file
100+0 records in[27.8MiB/s] [                                           <=>            ]
100+0 records out
10485760000 bytes transferred in 362.403237 secs (28933958 bytes/sec)
9.77GiB 0:06:02 [27.6MiB/s] [                                           <=>            ]

On the iMac the first problem is that the drive (block device) itself is read much more slowly than on Windows, perhaps due to a physical limitation of the Mac's USB-C ports or a driver issue.

