Mounting BitLocker-encrypted NTFS drives as read/write on MacOS Ventura

Nelson Aloysio
3 min read · Oct 17, 2023
Figure: Encrypted drive on Windows.

BitLocker encryption has become a common alternative for securing personal files and is nowadays natively supported by Linux, at least within GNOME. Some additional steps, however, are still required to ensure full MacOS compatibility. This guide describes the necessary steps to achieve it.

Also available on GitHub as a gist (with a script for mounting/unmounting).

Requirements

We require three packages: macFUSE, ntfs-3g (and brew), and dislocker.

1/3: Install macFUSE

macFUSE is a compatibility layer, previously known as OSXFUSE, that extends MacOS's native file system support with third-party file systems such as NTFS.

Simply obtain the .dmg package from the official website (or the GitHub repository) and install it — it is required for the next steps to succeed. Alternatively, you may try and install it using Homebrew instead:

brew install --cask macfuse

You will need to reboot your PC in order to complete the installation.

2/3: Install ntfs-3g

Huge thanks to gromgit for making ntfs-3g easily available as a formula.

The ntfs-3g package is an open source implementation for mounting NTFS file systems as read and write, and can also be installed using Homebrew:

brew tap gromgit/homebrew-fuse &&
brew install ntfs-3g-mac

After installing, the mount_ntfs binary becomes available to mount as r+w.

3/3: Install dislocker

Compiling dislocker requires the second version of Mbed-TLS (previously PolarSSL). Trying to compile with the latest (third) version causes an error:

ssl_bindings.h:29:10: fatal error: 'mbedtls/config.h' file not found

To solve it, first make sure you install the second version of Mbed-TLS:

brew install mbedtls@2

As the mbedtls@2 package is keg-only, no symbolic links are created into /usr/local by default. Thankfully, we may temporarily replace the linked libraries from mbedtls (if installed) with those from mbedtls@2:

brew unlink mbedtls
brew link mbedtls@2

Now we may get the latest version of dislocker, compile and install it:

mkdir dislocker &&
curl -L https://github.com/Aorimn/dislocker/tarball/master |
tar -xz --strip 1 -C dislocker &&
cd dislocker &&
cmake . &&
make &&
sudo make install

Finally, with dislocker installed, we may undo the previous changes:

brew unlink mbedtls@2
brew link mbedtls

Mounting and unmounting

If everything worked out, now it's just a matter of issuing a series of commands — boring, but quick. Here's a handy script for that, which automates both the process of mounting and unmounting the device.

Manually mounting

Another huge thanks to Christian Engvall for describing these steps on MacOS.

First, connect your device and find the identifier (e.g., /dev/diskXsY) with:

diskutil list

Let's unlock it (replace diskXsY with your device's identifier) to ~/.dislocker:

mkdir -p ~/.dislocker/diskXsY &&
sudo dislocker -V /dev/diskXsY -u -- ~/.dislocker/diskXsY

We then create a new block device (take note of the output returned here):

sudo hdiutil attach \
-imagekey diskimage-class=CRawDiskImage -nomount \
~/.dislocker/diskXsY/dislocker-file

And finally mount it (replace /dev/diskZ with the previously returned output):

sudo mkdir -p /Volumes/BitLocker &&
sudo mount_ntfs /dev/diskZ /Volumes/BitLocker

The device should now appear on the sidebar of your Files window.

Manually unmounting

When done, unmount with (replace diskXsY and diskZ appropriately):

sudo diskutil umount /Volumes/BitLocker
sudo diskutil umountdisk /dev/diskZ
sudo diskutil umount ~/.dislocker/diskXsY # or 'umount force' if required
sudo diskutil eject /dev/diskX # optional

Note that the first two commands may be replaced by simply clicking on the eject button next to the device's name in the sidebar of the Files window.
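
The manual mount and unmount steps above, wrapped in a shell script as an added example (this is not the author's gist script). The function names are assumptions; the script validates the identifiers before anything is passed to sudo, reads /dev/diskZ from the hdiutil output, and detaches the decrypted dislocker view again if a later step fails.

```bash
#!/bin/bash
# Added example, not the author's gist. Function names are assumptions;
# the commands are the ones from the manual steps above.

# Accept only identifiers shaped like diskXsY before anything reaches sudo.
valid_part_id() {
  case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^disk[0-9]+s[0-9]+$'
}

# Pull the first /dev/diskN node out of `hdiutil attach -nomount` output.
attached_dev() {
  printf '%s\n' "$1" | grep -Eo '^/dev/disk[0-9]+' | head -n 1
}

bl_mount() {  # usage: bl_mount diskXsY [mountpoint]; prints /dev/diskZ
  local id="$1" mnt="${2:-/Volumes/BitLocker}" dir out dev
  valid_part_id "$id" || { echo "bad identifier: $id" >&2; return 2; }
  dir="$HOME/.dislocker/$id"
  mkdir -p "$dir" || return 1
  sudo dislocker -V "/dev/$id" -u -- "$dir" || return 1
  out=$(sudo hdiutil attach -imagekey diskimage-class=CRawDiskImage \
    -nomount "$dir/dislocker-file") && dev=$(attached_dev "$out")
  if [ -z "$dev" ]; then
    sudo diskutil umount "$dir"  # do not leave the decrypted view mounted
    return 1
  fi
  if ! { sudo mkdir -p "$mnt" && sudo mount_ntfs "$dev" "$mnt"; }; then
    sudo diskutil umountdisk "$dev"; sudo diskutil umount "$dir"
    return 1
  fi
  echo "$dev"  # keep this value: bl_umount needs it
}

bl_umount() {  # usage: bl_umount diskXsY /dev/diskZ [mountpoint]
  local id="$1" dev="$2" mnt="${3:-/Volumes/BitLocker}"
  valid_part_id "$id" || return 2
  [ -n "$dev" ] && [ "$(attached_dev "$dev")" = "$dev" ] || return 2
  # Tear down in reverse order: NTFS volume, raw image, dislocker mount.
  sudo diskutil umount "$mnt" &&
    sudo diskutil umountdisk "$dev" &&
    sudo diskutil umount "$HOME/.dislocker/$id"
}

# Runs only when called with arguments, e.g. ./bitlocker.sh mount disk4s1
case "${1:-}" in
  mount)  shift; bl_mount "$@" ;;
  umount) shift; bl_umount "$@" ;;
esac
```

Until bl_umount has completed all three steps, the decrypted dislocker-file stays attached, so run it before unplugging the drive.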
