BitLocker encryption has become a common alternative for securing personal files and is nowadays natively supported by Linux, at least within GNOME. Some additional steps, however, are still required to ensure full MacOS compatibility. This guide describes the necessary steps to achieve it.
We require three packages: macFUSE, ntfs-3g (and brew), and dislocker.
macFUSE is a compatibility layer, previously known as OSXFUSE, that extends MacOS's native file system support with third-party file systems such as NTFS.
Simply obtain the .dmg package from the official website (or the GitHub repository) and install it - it is required for the next steps to succeed. Alternatively, you may try and install it using Homebrew instead:
brew install --cask macfuse
You will need to reboot your PC in order to complete the installation.
Huge thanks to gromgit for making ntfs-3g easily available as a formula.
The ntfs-3g package is an open source implementation for mounting NTFS file systems with read and write access, and may also be installed using Homebrew:
brew tap gromgit/homebrew-fuse &&
brew install ntfs-3g-mac
After installing, the mount_ntfs binary becomes available to mount as r+w.
Compiling dislocker requires the second version of Mbed-TLS (previously PolarSSL). Trying to compile with the latest (third) version causes an error:
ssl_bindings.h:29:10: fatal error: 'mbedtls/config.h' file not found
To solve it, first make sure you install the second version of Mbed-TLS:
brew install mbedtls@2
As the mbedtls@2 package is only available as a keg, no symbolic links are created in /usr/local by default. Thankfully, we can temporarily replace the linked libraries from mbedtls (if installed) with those from mbedtls@2:
brew unlink mbedtls
brew link mbedtls@2
Now we may get the latest version of dislocker, compile and install it:
mkdir dislocker &&
curl -L https://github.com/Aorimn/dislocker/tarball/master |
tar -xz --strip 1 -C dislocker &&
cd dislocker &&
cmake . &&
make &&
sudo make install
Finally, with dislocker installed, we may undo the previous changes:
brew unlink mbedtls@2
brew link mbedtls
If everything worked out before, it's now just a matter of issuing a series of commands - boring, but quick.
Here's a handy script for that, which automates both the process of mounting and unmounting the device.
Another huge thanks to Christian Engvall for describing these steps on MacOS.
First, connect your device and find the identifier (e.g., /dev/diskXsY) with:
diskutil list
Let's unlock it to ~/.dislocker (replace diskXsY with your device's identifier):
mkdir -p ~/.dislocker/diskXsY &&
sudo dislocker -V /dev/diskXsY -u -- ~/.dislocker/diskXsY
We then create a new block device (take note of the output returned here):
sudo hdiutil attach \
-imagekey diskimage-class=CRawDiskImage -nomount \
~/.dislocker/diskXsY/dislocker-file
And finally mount it (replace /dev/diskZ with the previously returned output):
sudo mkdir -p /Volumes/BitLocker &&
sudo mount_ntfs /dev/diskZ /Volumes/BitLocker
The device should now appear on the sidebar of your Files window.
When done, unmount with (replace diskXsY and diskZ appropriately):
sudo diskutil umount /Volumes/BitLocker
sudo diskutil umountdisk /dev/diskZ
sudo diskutil umount ~/.dislocker/diskXsY # or 'umount force' if required
sudo diskutil eject /dev/diskX # optional
Note that the first two commands may be replaced by simply clicking the eject button next to the device's name in the sidebar of the Files window.
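The mount and unmount steps above can be wrapped in one script. The following is an added example, not the script referred to earlier and not part of dislocker; the function names are hypothetical. It checks the identifier before anything is passed to sudo and reads the new block device from the hdiutil output instead of having it copied by hand.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Commands mirror the steps above.

# Accept only identifiers shaped like disk4s1, so nothing else reaches sudo.
valid_part() {
  case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac   # also rejects newlines
  printf '%s\n' "$1" | grep -Eq '^disk[0-9]+s[0-9]+$'
}

# Read `hdiutil attach` output on stdin, print the first whole-disk node.
attached_node() {
  awk '$1 ~ /^\/dev\/disk[0-9]+$/ { print $1; exit }'
}

# Unlock, attach and mount; prints the /dev/diskZ node needed for unmounting.
bitlocker_mount() {
  part=$1; mnt=${2:-/Volumes/BitLocker}
  valid_part "$part" || { echo "bad identifier: $part" >&2; return 2; }
  work="$HOME/.dislocker/$part"
  mkdir -p "$work" &&
    sudo dislocker -V "/dev/$part" -u -- "$work" || return 1
  node=$(sudo hdiutil attach -imagekey diskimage-class=CRawDiskImage \
    -nomount "$work/dislocker-file" | attached_node)
  [ -n "$node" ] || { echo "hdiutil returned no device" >&2; return 1; }
  sudo mkdir -p "$mnt" && sudo mount_ntfs "$node" "$mnt" && echo "$node"
}

# Reverse the steps in the order given above.
bitlocker_umount() {
  part=$1; node=$2; mnt=${3:-/Volumes/BitLocker}
  valid_part "$part" || { echo "bad identifier: $part" >&2; return 2; }
  sudo diskutil umount "$mnt"
  sudo diskutil umountdisk "$node"
  sudo diskutil umount "$HOME/.dislocker/$part"
}

# Usage: script mount disk4s1 | script umount disk4s1 /dev/disk5
case "${1:-}" in
  mount)  shift; bitlocker_mount "$@" ;;
  umount) shift; bitlocker_umount "$@" ;;
esac
```

Keep the node printed by the mount step, since the unmount step takes it as its second argument.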