Bitlocker resize

Bitlocker resize

[Chris Murphy]

Hi,

I'm curious how Linux distro installers should go about supporting the
increasingly common case of Bitlocker enabled by default.

Is the Bitlocker format similar to LUKS in that the ciphertext volume
size is inferred from the underlying partition size?

I see in bitlkDump results of a Bitlocker volume there's no apparent
reference to its size so I'm thinking it might be conceptually the
same as LUKS, in which case the installer workflow would be the same
as LUKS. I know that cryptsetup doesn't support modifying a Bitlocker
header, but maybe it's not necessary?

pseudocode:
cryptsetup open /dev/ $name
ntfsresize --size $size /dev/mapper/$name
cryptsetup close $name
libfdisk/parted (resize the partition, create a new one in free space, etc)

Thanks,

-- 
Chris Murphy

Re: Bitlocker resize

[Milan Broz]

On 15/03/2022 17:45, Chris Murphy wrote:
> I'm curious how Linux distro installers should go about supporting the
> increasingly common case of Bitlocker enabled by default.

Not sure about installers, but BitLocker support through libcryptsetup
is actually already used (as it is integrated through udisks).
  
> Is the Bitlocker format similar to LUKS in that the ciphertext volume
> size is inferred from the underlying partition size?

Well, we activate it this way, and it seems to work.
But metadata can contain some size info we just do not process yet
(as it is not openly documented).

> I see in bitlkDump results of a Bitlocker volume there's no apparent
> reference to its size so I'm thinking it might be conceptually the
> same as LUKS, in which case the installer workflow would be the same
> as LUKS. I know that cryptsetup doesn't support modifying a Bitlocker
> header, but maybe it's not necessary?

Libcryptsetup will never support any metadata write operation for Bitlocker.

We will only support activation of existing devices (and later read/write
access of plaintext data is done through common NTFS driver).

> pseudocode:
> cryptsetup open /dev/ $name
> ntfsresize --size $size /dev/mapper/$name
> cryptsetup close $name
> libfdisk/parted (resize the partition, create a new one in free space, etc)

Not sure if this works - if ntfsresize need to access Bitlocker metadata
(on activated volume), then we mask them out during activation.

Perhaps just try it :)

Milan

Re: Bitlocker resize

[Vojtech Trefny]

On Tue, Mar 15, 2022 at 5:51 PM Chris Murphy <lists@colorremedies.com> wrote:
>
> Hi,
>
> I'm curious how Linux distro installers should go about supporting the
> increasingly common case of Bitlocker enabled by default.
>
> Is the Bitlocker format similar to LUKS in that the ciphertext volume
> size is inferred from the underlying partition size?
>
> I see in bitlkDump results of a Bitlocker volume there's no apparent
> reference to its size so I'm thinking it might be conceptually the
> same as LUKS, in which case the installer workflow would be the same
> as LUKS. I know that cryptsetup doesn't support modifying a Bitlocker
> header, but maybe it's not necessary?

BitLocker metadata contain volume size, we are reading it and just not
using the value (which is probably something we should fix). As Milan
said, cryptsetup doesn't even allow changing the BitLocker FVE
metadata areas when the device is active and we really don't want to
touch these in cryptsetup at all. And the fact that we know about one
place where the volume is stored, it doesn't mean there aren't other
entries somewhere else or at other places like the BitLocker header or
the encrypted NTFS header.

>
> pseudocode:
> cryptsetup open /dev/ $name
> ntfsresize --size $size /dev/mapper/$name

I am afraid ntfsresize doesn't seem to be ready to work with
BitLocker. Yes, there is a "normal" NTFS inside, but because the NTFS
filesystem is not presented as smaller than the underlying device, the
metadata areas are part of the NTFS format and visible as
hidden/system files in the MFT and I'm not sure ntfsresize is ready to
deal with this. I did a quick test and `ntfsresize -m` reports the
minimal size of the format as "Minsize (in MB): 102". Which is
definitely wrong -- the second FVE metadata area is around 1 GiB mark
and the third at 2 GiB so at least this information cannot be used
when resizing a BitLocker device.

And don't forget that it's not guaranteed that there will be NTFS
inside. FAT and exFAT are also supported with BitLocker and people are
also trying things like using Btrfs with BitLocker.

> cryptsetup close $name
> libfdisk/parted (resize the partition, create a new one in free space, etc)
>
> Thanks,
>
> --
> Chris Murphy
>

I'm not saying it would be impossible to implement resize support for
BitLocker devices, but it definitely wouldn't be easy. And I agree
with Milan that it shouldn't be part of cryptsetup because it needs to
change the metadata. That doesn't mean it couldn't be a new small tool
that uses libcryptsetup and ntfsresize. I'll be happy to help if
someone works on something like that.

--
Vojtech Trefny