Mounting BitLocker-encrypted NTFS drives as read/write on MacOS Ventura
BitLocker encryption has become a common alternative for securing personal files and is nowadays natively supported by Linux, at least within GNOME. Some additional steps, however, are still required to ensure full MacOS compatibility. This guide describes the necessary steps to achieve it.
Also available on GitHub as a gist (with a script for mounting/unmounting).
Requirements
We require three packages: macFUSE, ntfs-3g (and brew), and dislocker.
1/3: Install macFUSE
macFUSE is a compatibility layer, previously known as OSXFUSE, that extends MacOS’s native file system support with third-party file systems — like NTFS.
Simply obtain the .dmg package from the official website (or the GitHub repository) and install it — it is required for the next steps to succeed. Alternatively, you may try and install it using Homebrew instead:
brew install --cask macfuse
You will need to reboot your Mac in order to complete the installation.
2/3: Install ntfs-3g
Huge thanks to gromgit for making ntfs-3g easily available as a formula.
The ntfs-3g package is an open source implementation for mounting NTFS file systems as read/write, and can also be installed using Homebrew:
brew tap gromgit/homebrew-fuse &&
brew install ntfs-3g-mac
After installing, the mount_ntfs binary becomes available to mount as r+w.
3/3: Install dislocker
Compiling dislocker requires the second version of Mbed-TLS (previously PolarSSL). Trying to compile with the latest (third) version causes an error:
ssl_bindings.h:29:10: fatal error: 'mbedtls/config.h' file not found
To solve it, first make sure you install the second version of Mbed-TLS:
brew install mbedtls@2
As the mbedtls@2 package is keg-only, no symbolic links are created into /usr/local by default. Thankfully, we can temporarily replace the linked libraries from mbedtls (if installed) with those from mbedtls@2:
brew unlink mbedtls
brew link mbedtls@2
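Now we may get the latest version of dislocker, compile and install it. Note that this builds whatever the master branch contains at download time and installs it with sudo; download a specific tag or commit instead if you need a reproducible, reviewable build: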
mkdir dislocker &&
curl -L https://github.com/Aorimn/dislocker/tarball/master |
tar -xz --strip 1 -C dislocker &&
cd dislocker &&
cmake . &&
make &&
sudo make install
Finally, with dislocker installed, we may undo the previous changes:
brew unlink mbedtls@2
brew link mbedtls
Mounting and unmounting
If everything worked out, now it's just a matter of issuing a series of commands — boring, but quick. Here's a handy script for that, which automates both the process of mounting and unmounting the device.
Manually mounting
Another huge thanks to Christian Engvall for describing these steps on MacOS.
First, connect your device and find the identifier (e.g., /dev/diskXsY) with:
diskutil list
Let's unlock it (replace diskXsY with your device's identifier) to ~/.dislocker:
mkdir -p ~/.dislocker/diskXsY &&
sudo dislocker -V /dev/diskXsY -u -- ~/.dislocker/diskXsY
We then create a new block device (take note of the output returned here):
sudo hdiutil attach \
-imagekey diskimage-class=CRawDiskImage -nomount \
~/.dislocker/diskXsY/dislocker-file
And finally mount it (replace /dev/diskZ with the previously returned output):
sudo mkdir -p /Volumes/BitLocker &&
sudo mount_ntfs /dev/diskZ /Volumes/BitLocker
The device should now appear on the sidebar of your Files window.
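The manual mounting steps above, combined into one script. This is an added example, not the author's gist; the function names (is_partition_id, attached_node, bitlocker_mount), the chmod 700 on ~/.dislocker and the strict identifier check are assumptions made here.

```shell
#!/bin/sh
# Added example: unlock and mount a BitLocker partition with the
# commands from this guide. Usage: sh bitlocker-mount.sh diskXsY

# Accept only a bare partition identifier such as disk2s1, so that
# nothing else (paths, spaces, shell syntax) reaches the sudo calls.
is_partition_id() {
    case $1 in ''|*[!0-9a-z]*) return 1 ;; esac
    expr "x$1" : 'xdisk[0-9][0-9]*s[0-9][0-9]*$' >/dev/null
}

# Read `hdiutil attach` output on stdin and print the first
# whole-disk node (/dev/diskN); prints nothing if there is none.
attached_node() {
    awk '$1 ~ /^\/dev\/disk[0-9]+$/ { print $1; exit }'
}

bitlocker_mount() {
    id=$1
    is_partition_id "$id" || { echo "usage: $0 diskXsY" >&2; return 2; }
    unlock_dir="$HOME/.dislocker/$id"

    # dislocker-file is the decrypted view of the volume, so keep the
    # directories that hold it private to the current user.
    mkdir -p "$unlock_dir" &&
        chmod 700 "$HOME/.dislocker" "$unlock_dir" || return 1

    # -u without a value makes dislocker prompt for the password, which
    # keeps it out of the process list and the shell history.
    sudo dislocker -V "/dev/$id" -u -- "$unlock_dir" || return 1

    node=$(sudo hdiutil attach \
        -imagekey diskimage-class=CRawDiskImage -nomount \
        "$unlock_dir/dislocker-file" | attached_node)
    if [ -z "$node" ]; then
        echo "hdiutil returned no device node; $unlock_dir is still unlocked" >&2
        return 1
    fi

    sudo mkdir -p /Volumes/BitLocker &&
        sudo mount_ntfs "$node" /Volumes/BitLocker &&
        echo "mounted $node at /Volumes/BitLocker"
}

# Run only when an identifier is given on the command line.
if [ "$#" -gt 0 ]; then
    bitlocker_mount "$1"
fi
```

The script prints the /dev/diskZ node it mounted; keep it, since the unmounting commands need it.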
Manually unmounting
When done, unmount with (replace diskXsY and diskZ appropriately):
sudo diskutil umount /Volumes/BitLocker
sudo diskutil umountdisk /dev/diskZ
sudo diskutil umount ~/.dislocker/diskXsY # or 'umount force' if required
sudo diskutil eject /dev/diskX # optional
Note that the first two commands may be replaced by simply clicking the eject button next to the device's name in the sidebar of the Files window.