linux_bitlocker_automount

The answer below describes how to mount a BitLocker partition under Linux without using dislocker. Instead, it uses cryptsetup and achieves full auto-mount capability.

For security, the partition where /etc/cryptsetup-keys.d lives should itself be encrypted at rest. In my setup, this is the case as the root partition is LUKS-encrypted, with the unlocking occurring during boot via a passphrase.


The content below is a copy of the answer here:
https://unix.stackexchange.com/a/791754/106499 (archived version)

It is reproduced under the terms of the original license CC BY-SA 4.0.

The original author of this content is user bolind on stackexchange.

I've done this a number of times, initially with dislocker and dislocker-fuse, which works fine, but requires manual intervention, and does not survive a reboot. It turns out there's a piece of software called cryptsetup, which does not receive as much attention as it should. I'm speculating that it's because it's primarily made to mount natively encrypted Linux volumes, but it also supports BitLocker.

Caveat: if you get some settings wrong you might end up with a system that stops mid-boot and requests a password for decrypting a disk, interactively. Make sure you're able to get to the system in question, and attach a monitor and keyboard to it, or remote control it.

The following has been made on a Rocky Linux 9.5 installation, but should generalize to most distros of this vintage.

First you'll need to install cryptsetup:

sudo dnf install -y cryptsetup

Then attach your external disk, and check dmesg to see that it's recognized and attached.

Then, run blkid to find the partition UUID of the BitLocker partition:

/dev/sdg1: TYPE="BitLocker" PARTLABEL="easystore" PARTUUID="584064cf-fb91-4d24-ab9d-594f01832c81"

Make the following entry in /etc/crypttab:

mydisk_01 PARTUUID=584064cf-fb91-4d24-ab9d-594f01832c81 - bitlk,nofail

(Alternatively, you can refer to the disk as /dev/sdg1 in /etc/crypttab, but if you have multiple disks attached, there's no guarantee that these device names will remain static across reboots. Using the PARTUUID is the safer bet.)

Create a directory called /etc/cryptsetup-keys.d and put the BitLocker password in a file there:

  1. The filename must be the same as the entry in /etc/crypttab, plus a .key extension.
  2. The file must be owned by root and have permissions 600, i.e. -rw-------.
  3. The file must contain the decryption password and nothing else, notably no newline at end of file. This is best achieved by creating it with echo -n "p455w0rd" > /etc/cryptsetup-keys.d/mydisk_01.key.

At this point, you can try a reboot, and see if the encrypted device is automatically decrypted. If successful, there should be an entry in /dev/mapper:

$ ls -l /dev/mapper/mydisk_01
lrwxrwxrwx. 1 root root 7 Feb 26 12:09 /dev/mapper/mydisk_01 -> ../dm-2

And the decrypted NTFS partition should show up with blkid:

/dev/mapper/mydisk_01: LABEL="foo" UUID="2244262344C5FA65" TYPE="ntfs"

At this point, you can either mount it manually, or add it to /etc/fstab:

UUID="2244262344C5FA65"	 /mnt/mydisk_01  ntfs	defaults,nofail	0 0

You can, in /etc/fstab, either refer to the decrypted NTFS partition by UUID, or /dev/mapper/mydisk_01.

Try another reboot to ensure that everything comes up automatically.

Mandatory security warning: storing the decryption keys on disk is, of course, dangerous. If you're very concerned, you can leave that part out, and you'll be prompted on boot or mount (depending on the nofail option in /etc/crypttab).
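As an added example (not part of the original answer or the wiki page), the following POSIX shell functions create the key file the way the three rules above require and verify a crypttab entry against it. KEYDIR is a parameter of my own so the checks can be run against a scratch directory; on the live system it is /etc/cryptsetup-keys.d and the commands must run as root.

```shell
# Added example, not part of the original answer. KEYDIR is a parameter so
# the checks can run against a scratch directory; on the live system it is
# /etc/cryptsetup-keys.d and everything here must run as root.

# make_bitlk_keyfile KEYDIR NAME PASSWORD
# Writes PASSWORD to KEYDIR/NAME.key, mode 0600, without a trailing newline
# (printf '%s', unlike echo, never appends one and never mangles backslashes).
make_bitlk_keyfile() {
    keydir=$1; name=$2; pass=$3
    mkdir -p "$keydir" && chmod 0700 "$keydir"
    # umask 077 so the file is never readable by others, even briefly
    (umask 077 && printf '%s' "$pass" > "$keydir/$name.key")
    chmod 0600 "$keydir/$name.key"
}

# check_keyfile FILE
# Returns 0 only if FILE exists, is non-empty, has mode 600 and no trailing
# newline; a stray newline would become part of the BitLocker password.
check_keyfile() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty key file: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = 600 ] || { echo "mode is $mode, want 600: $f"; return 1; }
    # wc -l counts newlines in the final byte: 1 means a trailing newline
    [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -eq 0 ] ||
        { echo "trailing newline in $f"; return 1; }
}

# check_crypttab_entry CRYPTTAB NAME KEYDIR
# Finds NAME's line in CRYPTTAB, requires the bitlk option and checks the key
# file it refers to. A "-" key field makes systemd-cryptsetup look for
# KEYDIR/NAME.key, which is why the file name must match the mapping name.
check_crypttab_entry() {
    tab=$1; name=$2; keydir=$3
    line=$(grep -E "^[[:space:]]*$name[[:space:]]" "$tab" | head -n 1)
    [ -n "$line" ] || { echo "no crypttab entry for $name"; return 1; }
    set -- $line                   # fields: name device keyfile options
    keyspec=$3; opts=$4
    case ",$opts," in
        *,bitlk,*) ;;
        *) echo "options lack bitlk for $name: $opts"; return 1 ;;
    esac
    [ "$keyspec" = "-" ] && keyspec="$keydir/$name.key"
    check_keyfile "$keyspec"
}
```

Running check_crypttab_entry /etc/crypttab mydisk_01 /etc/cryptsetup-keys.d before the first reboot catches the mismatched name, wrong mode or trailing newline that would otherwise leave the boot waiting for an interactive password.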

linux_bitlocker_automount.txt · Last modified: by zertrin