cryptsetup.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
From: Vojtech Trefny <vtrefny@redhat.com>
To: Chris Murphy <lists@colorremedies.com>
Cc: cryptsetup@lists.linux.dev
Subject: Re: Bitlocker resize
Date: Wed, 23 Mar 2022 19:10:06 +0100	[thread overview]
Message-ID: <CAAkhNO1PUmg4JWnMocUeHMbQAZBom8RsXU_05xixbdt8wrxtBw@mail.gmail.com> (raw)
In-Reply-To: <CAJCQCtSRe-nip3a6m+hzccXMYyKTP3AzPmAbHgnVPFJPLbdfCA@mail.gmail.com>

On Tue, Mar 15, 2022 at 5:51 PM Chris Murphy <lists@colorremedies.com> wrote:
>
> Hi,
>
> I'm curious how Linux distro installers should go about supporting the
> increasingly common case of Bitlocker enabled by default.
>
> Is the Bitlocker format similar to LUKS in that the ciphertext volume
> size is inferred from the underlying partition size?
>
> I see in bitlkDump results of a Bitlocker volume there's no apparent
> reference to its size so I'm thinking it might be conceptually the
> same as LUKS, in which case the installer workflow would be the same
> as LUKS. I know that cryptsetup doesn't support modifying a Bitlocker
> header, but maybe it's not necessary?

BitLocker metadata contain volume size, we are reading it and just not
using the value (which is probably something we should fix). As Milan
said, cryptsetup doesn't even allow changing the BitLocker FVE
metadata areas when the device is active and we really don't want to
touch these in cryptsetup at all. And the fact that we know about one
place where the volume is stored, it doesn't mean there aren't other
entries somewhere else or at other places like the BitLocker header or
the encrypted NTFS header.

>
> pseudocode:
> cryptsetup open /dev/ $name
> ntfsresize --size $size /dev/mapper/$name

I am afraid ntfsresize doesn't seem to be ready to work with
BitLocker. Yes, there is a "normal" NTFS inside, but because the NTFS
filesystem is not presented as smaller than the underlying device, the
metadata areas are part of the NTFS format and visible as
hidden/system files in the MFT and I'm not sure ntfsresize is ready to
deal with this. I did a quick test and `ntfsresize -m` reports the
minimal size of the format as "Minsize (in MB): 102". Which is
definitely wrong -- the second FVE metadata area is around 1 GiB mark
and the third at 2 GiB so at least this information cannot be used
when resizing a BitLocker device.

And don't forget that it's not guaranteed that there will be NTFS
inside. FAT and exFAT are also supported with BitLocker and people are
also trying things like using Btrfs with BitLocker.

> cryptsetup close $name
> libfdisk/parted (resize the partition, create a new one in free space, etc)
>
> Thanks,
>
> --
> Chris Murphy
>

I'm not saying it would be impossible to implement resize support for
BitLocker devices, but it definitely wouldn't be easy. And I agree
with Milan that it shouldn't be part of cryptsetup because it needs to
change the metadata. That doesn't mean it couldn't be a new small tool
that uses libcryptsetup and ntfsresize. I'll be happy to help if
someone works on something like that.

--
Vojtech Trefny


      parent reply	other threads:[~2022-03-23 18:10 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-15 16:45 Bitlocker resize Chris Murphy
2022-03-15 17:19 ` Milan Broz
2022-03-23 18:10 ` Vojtech Trefny [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAAkhNO1PUmg4JWnMocUeHMbQAZBom8RsXU_05xixbdt8wrxtBw@mail.gmail.com \
    --to=vtrefny@redhat.com \
    --cc=cryptsetup@lists.linux.dev \
    --cc=lists@colorremedies.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).