Description of problem: Many customers using Windows Server enable BitLocker encryption and libguestfs is unable to read from these disks. Currently, libguestfs supports LUKS encryption with password, so it would be great to have support for BitLocker too.
Windows Server 2019 virtual machine with BitLocker enabled. Examining the disk from Linux ...

# blkid -o value -s TYPE /dev/sda2
BitLocker

LABEL and UUID are not exposed in blkid, but we knew that already from the commit message.

# cryptsetup bitlkOpen /dev/sda2 bitlocker
Enter passphrase for /dev/sda2:

Regular passphrase from when I set up the Windows machine works.

# file -bsL /dev/mapper/bitlocker
DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1126400, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 103729151, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0e6d4778dd4775ead; contains bootstrap BOOTMGR

# mount /dev/mapper/bitlocker /sysroot/
# ls /sysroot/
'$Recycle.Bin'   'Program Files (x86)'   Users
'Documents and Settings'   ProgramData   Windows
PerfLogs   Recovery   pagefile.sys
'Program Files'   'System Volume Information'

# cryptsetup bitlkDump /dev/sda2
Info for BITLK device /dev/sda2.
Version:        2
GUID:           62678f45-95cc-4f4f-b511-83c8d8f9b123
Created:        Fri Mar 13 12:16:10 2020
Description:    WIN-M5ECJLT33UH C: 3/13/2020
Cipher name:    aes
Cipher mode:    xts-plain64
Cipher key:     128 bits

Keyslots:
 0: VMK
    GUID:           b5517352-1008-4b17-8bad-5ff9d67b26eb
    Protection:     VMK protected with passphrase
    Salt:           78f30fde27e458ce8ccadb4dc6d65d69
    Key data size:  44 [bytes]
 1: VMK
    GUID:           75e6a2b2-cea3-4bab-b9ee-804276b5fed2
    Protection:     VMK protected with recovery passphrase
    Salt:           22663945f5118c6eb53ad41b3095b310
    Key data size:  44 [bytes]
 2: FVEK
    Key data size:  44 [bytes]

Metadata segments:
 0: FVE metadata area
    Offset:         40894464 [bytes]
    Size:           65536 [bytes]
 1: FVE metadata area
    Offset:         3332112384 [bytes]
    Size:           65536 [bytes]
 2: FVE metadata area
    Offset:         3332177920 [bytes]
    Size:           65536 [bytes]
 3: Volume header
    Offset:         40960000 [bytes]
    Size:           8192 [bytes]
    Cipher:         aes-xts-plain64

File read and write worked, but I didn't try anything very taxing. However it does, generally speaking, seem to work.
I can also confirm that Windows can read the files that are written in Linux, and MD5 checksums seem to indicate no corruption. One thing that concerns me is that Windows strongly wants you to use a TPM when creating the Bitlocker disk (rather than a boot-time passphrase). VMware has a vTPM, but it's unlikely we'd be able to get access to it during conversion, and in any case there is no support for TPM + Bitlocker in Linux. So we'd only support passphrase-encrypted Bitlocker VMs.
(In reply to Richard W.M. Jones from comment #6)
> One thing that concerns me is that Windows strongly wants you to use a TPM
> when creating the Bitlocker disk (rather than a boot-time passphrase). VMware
> has a vTPM, but it's unlikely we'd be able to get access to it during
> conversion, and in any case there is no support for TPM + Bitlocker in Linux.
> So we'd only support passphrase-encrypted Bitlocker VMs.

You can use the recovery passphrase, it should be created automatically even for TPM protected drives and cryptsetup supports it (I've tested this on a laptop with TPM).
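The exchange above turns on which key protectors a volume actually carries: `cryptsetup bitlkDump` lists every VMK slot and its protection type, and only the passphrase-type slots (user passphrase, recovery passphrase) can be satisfied from the `bitlkOpen` prompt on Linux. The following parser is an added example, not code from libguestfs or cryptsetup. It reads a dump in the format quoted in this bug and reports whether the volume is unlockable from Linux and with which protector. The two sample dumps are constructed: SAMPLE_DUMP reuses values quoted in this bug, TPM_SAMPLE_DUMP uses placeholder GUIDs, and its "VMK protected with TPM" wording is an assumption about cryptsetup's protection strings.

```python
"""Parse `cryptsetup bitlkDump` output and report which BitLocker key protectors
can be supplied from Linux (user passphrase or recovery passphrase, the two kinds
exercised in this bug).  Added example, not libguestfs or cryptsetup code; the
sample dumps are constructed (see the comments on them below)."""
import re

_DEVICE_RE = re.compile(r"^Info for BITLK device (\S+?)\.?$")
_SLOT_RE = re.compile(r"^(\d+):\s+(VMK|FVEK)$")
_KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")   # e.g. "Key data size: 44 [bytes]"

def parse_bitlk_dump(text):
    """Return {"device", "header", "keyslots"}; metadata segments are skipped."""
    info = {"device": "", "header": {}, "keyslots": []}
    section, slot = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        m = _DEVICE_RE.match(line)
        if m:
            info["device"] = m.group(1)
        elif line == "Keyslots:":
            section = "keyslots"
        elif line == "Metadata segments:":
            section = "segments"
        elif section == "keyslots" and _SLOT_RE.match(line):
            m = _SLOT_RE.match(line)
            slot = {"index": int(m.group(1)), "kind": m.group(2)}
            info["keyslots"].append(slot)
        elif section != "segments" and _KV_RE.match(line):
            key, value = (s.strip() for s in _KV_RE.match(line).groups())
            target = info["header"] if section == "header" else slot
            if target is not None:
                target[key] = value          # keep the text exactly as printed
    return info

# Protector kinds that bitlkOpen can take from its passphrase prompt.
PASSPHRASE_PROTECTORS = ("passphrase", "recovery passphrase")

def protector_name(slot):
    """'VMK protected with recovery passphrase' -> 'recovery passphrase'."""
    prot, prefix = slot.get("Protection", "").lower(), "vmk protected with "
    return prot[len(prefix):] if prot.startswith(prefix) else prot

def linux_unlockable_slots(info):
    """VMK slots whose protector can be typed at the `cryptsetup bitlkOpen` prompt."""
    return [s for s in info["keyslots"]
            if s["kind"] == "VMK" and protector_name(s) in PASSPHRASE_PROTECTORS]

def assess(info):
    """Summary for an operator deciding how (or whether) to unlock the volume."""
    usable = [protector_name(s) for s in linux_unlockable_slots(info)]
    if not usable:
        advice = "no passphrase-type protector: bitlkOpen cannot unlock this from Linux"
    elif "passphrase" in usable:
        advice = "unlock with the user passphrase or the recovery passphrase"
    else:
        advice = "only the recovery passphrase unlocks this volume from Linux"
    hdr = info["header"]
    return {
        "device": info["device"],
        "cipher": hdr.get("Cipher name", "?") + "-" + hdr.get("Cipher mode", "?"),
        "protectors": [protector_name(s) for s in info["keyslots"] if s["kind"] == "VMK"],
        "linux_unlockable": bool(usable),
        "advice": advice,
    }

# Constructed from the bitlkDump output quoted earlier in this bug (abridged).
SAMPLE_DUMP = """Info for BITLK device /dev/sda2.
Version:        2
GUID:           62678f45-95cc-4f4f-b511-83c8d8f9b123
Description:    WIN-M5ECJLT33UH C: 3/13/2020
Cipher name:    aes
Cipher mode:    xts-plain64
Cipher key:     128 bits
Keyslots:
 0: VMK
    GUID:           b5517352-1008-4b17-8bad-5ff9d67b26eb
    Protection:     VMK protected with passphrase
    Salt:           78f30fde27e458ce8ccadb4dc6d65d69
    Key data size:  44 [bytes]
 1: VMK
    GUID:           75e6a2b2-cea3-4bab-b9ee-804276b5fed2
    Protection:     VMK protected with recovery passphrase
    Salt:           22663945f5118c6eb53ad41b3095b310
    Key data size:  44 [bytes]
 2: FVEK
    Key data size:  44 [bytes]
Metadata segments:
 3: Volume header
    Offset:         40960000 [bytes]
    Cipher:         aes-xts-plain64
"""

# Constructed: a TPM-protected drive; placeholder GUID, and the TPM wording is assumed.
TPM_SAMPLE_DUMP = """Info for BITLK device /dev/vdb2.
Cipher name:    aes
Cipher mode:    xts-plain64
Cipher key:     256 bits
Keyslots:
 0: VMK
    Protection:     VMK protected with TPM
    Key data size:  44 [bytes]
 1: VMK
    GUID:           00000000-0000-0000-0000-000000000002
    Protection:     VMK protected with recovery passphrase
    Key data size:  44 [bytes]
"""
```

Running `assess(parse_bitlk_dump(SAMPLE_DUMP))` reports both passphrase protectors as usable, while the TPM sample is reported as unlockable only via the recovery passphrase, which is the case comment 7 describes; a dump with only a TPM protector yields `linux_unlockable: False`, so a conversion tool can stop with a clear message instead of prompting for a passphrase that cannot work.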
Patches posted:
https://www.redhat.com/archives/libguestfs/2020-March/msg00286.html
https://www.redhat.com/archives/libguestfs/2020-March/msg00291.html
I'm still trying to do this for 8.3.0. The change to ITR 8.4.0 is currently just for administrative purposes.
Updated patches posted:
https://www.redhat.com/archives/libguestfs/2020-September/msg00050.html
https://www.redhat.com/archives/libguestfs/2020-September/msg00055.html
v3 posted:
https://www.redhat.com/archives/libguestfs/2020-September/msg00050.html
https://www.redhat.com/archives/libguestfs/2020-September/msg00111.html
This is all upstream now in ...

libguestfs-common:
https://github.com/libguestfs/libguestfs-common/commit/96ea18db4a4f2e336145553c0fbbba59ede2221e
https://github.com/libguestfs/libguestfs-common/commit/f9770058fa3bd8871b8b4ded0b10d4be418224ae
https://github.com/libguestfs/libguestfs-common/commit/778c08fe7b7eb00b7f48189dd1a3edf3f3be2625
https://github.com/libguestfs/libguestfs-common/commit/132c355d3ba10b6ec303cbc059d6732056474695

libguestfs:
https://github.com/libguestfs/libguestfs/commit/c456ea033276166ffae3f73729cbcbc72ee5ccd0
https://github.com/libguestfs/libguestfs/commit/c8e0b453891ca4fb8ba44376cd54c091fdfe34e7
https://github.com/libguestfs/libguestfs/commit/6e870a8e436d3f184b27ce0a974c33b9ce71b06b
https://github.com/libguestfs/libguestfs/commit/41cbc8933069ad7bdf58a0680a7018b7ef891642
https://github.com/libguestfs/libguestfs/commit/79f3d451a8a23f8a5d52a8dda8cb4eb5e17ed2e5
https://github.com/libguestfs/libguestfs/commit/86577ee3883836c1c4fff258c05261bd3858e22b
https://github.com/libguestfs/libguestfs/commit/5631106a73bbfd20849aafcdab1f50d5aec7d013
https://github.com/libguestfs/libguestfs/commit/4663112d89e2131ac24a010d53d8125623b45efb

Preliminary setting ITM to 3 (early) for RHEL AV 8.4.0
Set this bug to depend on the rebase (bug 1906046) which pulls in all the required commits.
Verified with package:
libguestfs-1.44.0-1.module+el8.4.0+9398+f376ac33.x86_64

Steps:

1. Prepare Windows Server 2019 virtual machine with BitLocker enabled.

# virt-rescue -a Win2019-bitlocker.raw
...
><rescue> blkid -o value -s TYPE /dev/sda2
BitLocker
><rescue> cryptsetup bitlkOpen /dev/sda2 bitlocker
Enter passphrase for /dev/sda2:    -- input the passphrase
><rescue> file -bsL /dev/mapper/bitlocker
DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1126400, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 40814591, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0e6b6d14eb6d1203b
><rescue> mount /dev/mapper/bitlocker /sysroot/
><rescue> ls /sysroot
'$Recycle.Bin'   Users   'Documents and Settings'   Windows
PerfLogs   pagefile.sys   'Program Files'   rss.exe
'Program Files (x86)'   rss.reg   ProgramData   rss_2018-12-03_09-08-59.log
Recovery   rss_2019-03-20_10-28-00.log   'System Volume Information'
><rescue> cryptsetup bitlkDump /dev/sda2
Info for BITLK device /dev/sda2.
Version:        2
GUID:           8bbb7a3f-5ea6-47bb-a4f2-28497ca387b5
Sector size:    512 [bytes]
Created:        Thu Oct 15 15:12:09 2020
Description:    WIN-HFJMM8K3DD1 C: 10/15/2020
Cipher name:    aes
Cipher mode:    xts-plain64
Cipher key:     128 bits

Keyslots:
 0: VMK
    GUID:           7621d288-da06-4a97-a91f-ded0d6d161bc
    Protection:     VMK protected with passphrase
    Salt:           1e195028c139d8a3d80ee3bc14138a64
    Key data size:  44 [bytes]
 1: VMK
    GUID:           865a1694-cf76-4dba-8028-512c2814fc12
    Protection:     VMK protected with recovery passphrase
    Salt:           48b6b38c90507a490ea6d32178f3964d
    Key data size:  44 [bytes]
 2: FVEK
    Key data size:  44 [bytes]

Metadata segments:
 0: FVE metadata area
    Offset:         36728832 [bytes]
    Size:           65536 [bytes]
 1: FVE metadata area
    Offset:         1629749248 [bytes]
    Size:           65536 [bytes]
 2: FVE metadata area
    Offset:         2184904704 [bytes]
    Size:           65536 [bytes]
 3: Volume header
    Offset:         36794368 [bytes]
    Size:           8192 [bytes]
    Cipher:         aes-xts-plain64

2. # virt-inspector -a Win2019-bitlocker.raw
Enter key or passphrase ("/dev/sda2"):    -- input the passphrase
<?xml version="1.0"?>
<operatingsystems>
  <operatingsystem>
    <root>/dev/mapper/cryptsda2</root>
    <name>windows</name>
    <arch>x86_64</arch>
    <distro>windows</distro>
    <product_name>Windows Server 2019 Standard</product_name>
    <product_variant>Server</product_variant>
    <major_version>10</major_version>
    <minor_version>0</minor_version>
    <windows_systemroot>/Windows</windows_systemroot>
    <windows_current_control_set>ControlSet001</windows_current_control_set>
    <hostname>WIN-HFJMM8K3DD1</hostname>
    <osinfo>win2k19</osinfo>
    <mountpoints>
      <mountpoint dev="/dev/mapper/cryptsda2">/</mountpoint>
    </mountpoints>
    <filesystems>
      <filesystem dev="/dev/mapper/cryptsda2">
        <type>ntfs</type>
        <uuid>E6B6D14EB6D1203B</uuid>
      </filesystem>
    </filesystems>
    <drive_mappings>
      <drive_mapping name="C">/dev/sda2</drive_mapping>
    </drive_mappings>
    <applications>
      <application>
        <name>winscp3_is1</name>
        <display_name>WinSCP 5.14 beta</display_name>
        <version>5.14 beta</version>
        <install_path>C:\Program Files (x86)\WinSCP\</install_path>
        <publisher>Martin Prikryl</publisher>
        <url>https://winscp.net/</url>
      </application>
    </applications>
  </operatingsystem>
</operatingsystems>

So libguestfs can detect BitLocker encrypted disks correctly. Verified this bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2098