Add dislocker-recovery tool to extract recovery passwords#353
Add dislocker-recovery tool to extract recovery passwords#353cwerling wants to merge 2 commits intoAorimn:masterfrom
Conversation
Systems like Ubuntu 24.04 ship mbedTLS without CMake config files, causing find_package to fail. This adds a custom find module that locates mbedTLS on common Linux paths and creates imported targets. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Sample output: |
|
Hey there, why not!? Thanks for this! Are you aware that once you have one of the recovery mechanism, one can use it to recover the recovery password and/or key (cf the comment here)? |
|
Hey @Aorimn, thanks for the friendly check! This makes sense conceptually! I told Claude to throw away the extra CLI entrypoint (dislocker-recovery) and it instead implemented it where your comment was and added a command line option for it. I was only able to test compilation on a Ubuntu 24.04 Docker container on my Mac, so this definitely needs to be tested on a Linux system with some Bitlocker-encrypted drive attached. Can do that tomorrow. Cheers! |
|
Wow, that's quite awesome! |
|
Crazy times. Also, after sending Claude Code the link to your first PR comment, it replied pretty accurately :D Sorry for the off topic. Will send an update once I tested this tomorrow. |
|
Testing on latest Fedora went fine, only that I had to change the log level of printing the recovery key to |
Isn't that weird? I'm wondering if the library shouldn't just return the password, and have a dedicated binary (like you had before, right?) display it, so that there's no twisting the log level. What do you think? |
Introduce functionality to extract and display the BitLocker recovery password from a volume after successful VMK decryption. Library changes: - Add dis_get_recovery_password() public API function that retrieves the recovery password from a decrypted VMK - Add DIS_RET_ERROR_RECOVERY_PASSWORD_EXTRACTION error code New binary: - Create dislocker-recovery that accepts the same decryption methods (-p, -f, -u, -c) as other dislocker tools - Outputs the recovery password to stdout, suitable for scripting This implements the functionality suggested in the NOTE comment at src/accesses/accesses.c - using the VMK to recover other keys. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
I think you're right, it's weird. I pushed an alternative version like you suggested but couldn't test it yet! |
|
Thanks, and sorry for the back&forth on this, really appreciate your changes! Maybe something that worries me as well is the FindMbedTLS file. With the tests broken, we won't be able to test just the compilation on multiple OSes |
2 participants
Hi there,
I needed to get from a valid VMK to the accompanying recovery key (so I'd be able to boot into the live Windows environment). This was discussed in #294 and I asked Claude Code for help to implement it.
I decided to make it a separate binary as I didn't want dislocker-metadata to handle decryption stuff, but also found it unfitting for the other entrypoints.
Since I don't know if vibe-coded, but tested code is welcome, I'm cautiously advertising this to be merged. I also made some modifications to the cmake configs so I could compile it on both Ubuntu 24.04 and a recent Fedora.
I'm definitely open for any changes if needed. If you have a strict no-AI policy, feel free to discard it.