Bitlk open fails with "Unexpected metadata entry value '24' found when parsing supported Volume Master Key."
Issue description
When I run `sudo cryptsetup bitlkOpen /dev/nvme0n1p4` (or `bitlkDump`), it says "Unexpected metadata entry value '24' found", and the open fails with "Not a valid BITLK device".
These two BitLocker partitions are encrypted with Windows 11 Pro Insider.
I've looked for duplicate issues (#515 (closed), #584 (closed)), but they are marked as closed; they were fixed.
Steps for reproducing the issue
- Encrypt the in-use partitions in the Windows 11 Control Panel (Encrypt Entire Drive + New Encryption Mode).
- Restart to (Arch/Ubuntu) Linux and run `sudo cryptsetup bitlkOpen --debug /dev/nvme0n1p3 WinM`:
  Unexpected metadata entry value '24' found
- Decrypt the partition -> disable Secure Boot and TPM -> encrypt the OS partition again (Used Space Only Encrypted).
- More errors:
  Unexpected metadata entry value '6' found when parsing unsupported VMK.
  Unexpected metadata entry value '30' found when parsing unsupported VMK.
  Unexpected metadata entry value '24' found when parsing supported Volume Master Key.
  Device /dev/nvme0n1p3 is not a valid BITLK device.
Additional info
I have been using cryptsetup and crypttab to unlock BitLocker (RecoveryKey) and LUKS partitions for years; it was working well with the distros I've installed on my system (Arch, Fedora, Debian, openSUSE). Secure Boot and TPM were working just fine as well.
Last week I wanted to try Ubuntu 24.04 on my system; the installer required me to disable BitLocker for dual boot, so I did.
After Ubuntu was installed, I encrypted the two partitions C: and B: with the "encrypt whole disk" and "New method" options. (I've also tried other options; they don't work either, they give different errors.)
Then I ran this program made by Microsoft Surface, which claims to fix the BitLocker structure.
Finally, I rebooted to Linux; it showed those errors before I could type in the passphrase/recovery key.
Installed Distribution and cryptsetup library version
- Arch Linux (6.8.8-arch1-1-surface.x86_64), cryptsetup library version 2.7.2
- Fedora Linux (6.5.9-2.surface.fc38)
- Debian (6.8.6.surface)
- openSUSE Tumbleweed (6.8.8-surface)
- Ubuntu 24.04 (6.8.0-31-generic), cryptsetup library version 2.7.0
Debug log
Encrypt Entire Drive + New Encryption Mode for both C: and B:, using `manage-bde -status` in PowerShell 7.4.2
PS > `manage-bde -status C:`
BitLocker Drive Encryption: Configuration Tool version 10.0.26217
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [M]
[OS Volume]
Size: 195.20 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
PS > `manage-bde -status B:`
BitLocker Drive Encryption: Configuration Tool version 10.0.26217
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume B: [TUNNEL]
[Data Volume]
Size: 976.56 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Enabled
Key Protectors:
Password
Numerical Password
External Key (Required for automatic unlock)
cryptsetup with --debug on Ubuntu
curie@SB2-M18-U24:~$ sudo cryptsetup bitlkDump /dev/nvme0n1p4 --debug
# cryptsetup 2.7.0 processing "cryptsetup bitlkDump /dev/nvme0n1p4 --debug"
# Verifying parameters for command bitlkDump.
# Running command bitlkDump.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p4.
# Trying to open and read device /dev/nvme0n1p4 with direct-io.
# Initialising device-mapper backend library.
# Trying to load BITLK crypt type from device /dev/nvme0n1p4.
# Crypto backend (OpenSSL 3.0.13 30 Jan 2024 [default][legacy] [external libargon2]) initialized in cryptsetup library version 2.7.0.
# Detected kernel Linux 6.8.0-31-generic x86_64.
# BITLK type from GUID: normal.
# Reading BITLK FVE metadata of size 112 on device /dev/nvme0n1p4, offset 317865984.
# Reading BITLK FVE metadata entries of size 870 on device /dev/nvme0n1p4, offset 317866096.
Unexpected metadata entry value '24' found when parsing supported Volume Master Key.
Device /dev/nvme0n1p4 is not a valid BITLK device.
# Releasing crypt device /dev/nvme0n1p4 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/nvme0n1p4.
Command failed with code -1 (wrong or missing parameters).
Secure Boot disabled, using Used Disk Space Only for the system drive and Entire Drive for B:, `manage-bde -status` in PowerShell 7.4.2
PS > `manage-bde -status C:`
BitLocker Drive Encryption: Configuration Tool version 10.0.26217
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [M]
[OS Volume]
Size: 195.20 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
PS > `manage-bde -status B:`
BitLocker Drive Encryption: Configuration Tool version 10.0.26217
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume B: [TUNNEL]
[Data Volume]
Size: 976.56 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Enabled
Key Protectors:
Password
Numerical Password
External Key (Required for automatic unlock)
cryptsetup with --debug on Arch Linux
❯ sudo cryptsetup bitlkOpen /dev/nvme0n1p3 WinM --debug
# cryptsetup 2.7.2 processing "cryptsetup bitlkOpen /dev/nvme0n1p3 WinM --debug"
# Verifying parameters for command open.
# Running command open.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p3.
# Trying to open and read device /dev/nvme0n1p3 with direct-io.
# Initialising device-mapper backend library.
# Trying to load BITLK crypt type from device /dev/nvme0n1p3.
# Crypto backend (OpenSSL 3.3.0 9 Apr 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.2.
# Detected kernel Linux 6.8.8-arch1-1-surface x86_64.
# BITLK type from GUID: normal.
# Reading BITLK FVE metadata of size 112 on device /dev/nvme0n1p3, offset 1318608896.
# Reading BITLK FVE metadata entries of size 1796 on device /dev/nvme0n1p3, offset 1318609008.
# Unexpected metadata entry value '6' found when parsing unsupported VMK.
# Unexpected metadata entry value '30' found when parsing unsupported VMK.
Unexpected metadata entry value '24' found when parsing supported Volume Master Key.
Device /dev/nvme0n1p3 is not a valid BITLK device.
# Releasing crypt device /dev/nvme0n1p3 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/nvme0n1p3.
Command failed with code -1 (wrong or missing parameters).
❯ sudo cryptsetup bitlkOpen /dev/nvme0n1p4 TUNNEL --debug
# cryptsetup 2.7.2 processing "cryptsetup bitlkOpen /dev/nvme0n1p4 TUNNEL --debug"
# Verifying parameters for command open.
# Running command open.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p4.
# Trying to open and read device /dev/nvme0n1p4 with direct-io.
# Initialising device-mapper backend library.
# Trying to load BITLK crypt type from device /dev/nvme0n1p4.
# Crypto backend (OpenSSL 3.3.0 9 Apr 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.2.
# Detected kernel Linux 6.8.8-arch1-1-surface x86_64.
# BITLK type from GUID: normal.
# Reading BITLK FVE metadata of size 112 on device /dev/nvme0n1p4, offset 317865984.
# Reading BITLK FVE metadata entries of size 1078 on device /dev/nvme0n1p4, offset 317866096.
Unexpected metadata entry value '24' found when parsing supported Volume Master Key.
Device /dev/nvme0n1p4 is not a valid BITLK device.
# Releasing crypt device /dev/nvme0n1p4 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/nvme0n1p4.
Command failed with code -1 (wrong or missing parameters).
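As an added example (not code from cryptsetup or from this report), the walker below shows how the FVE metadata entries that the debug log reads at the "metadata entries" offset are structured, and why an unknown value type such as 24 can be skipped by its declared size instead of failing the open. It assumes the entry layout documented by libbde and used by cryptsetup's bitlk.c: an 8-byte little-endian header (size including the header, entry type, value type, version), and a VMK payload that starts with a 16-byte GUID, a FILETIME, an unknown u16 and the protector type before its nested entries. The constant tables are the subset of known codes the editor is sure of, the sample bytes are constructed, and `strict=True` only imitates a parser that rejects an unknown value inside a supported VMK.

```python
"""Tolerant walker for BitLocker FVE metadata entries (constructed sample data).

Added example, not cryptsetup code. Layout assumed from libbde / cryptsetup bitlk.c.
"""
import struct
import uuid
from dataclasses import dataclass, field

# Entry header: u16 size (includes header), u16 entry type, u16 value type, u16 version
ENTRY_HDR = struct.Struct("<HHHH")
# VMK payload header: 16-byte GUID, 8-byte FILETIME, u16 unknown, u16 protection type
VMK_HDR = struct.Struct("<16sQHH")

# Known codes (subset). Anything not listed is reported as "unknown", never fatal.
ENTRY_TYPES = {0x0000: "PROPERTY", 0x0002: "VMK", 0x0003: "FVEK",
               0x0006: "STARTUP_KEY", 0x0007: "DESCRIPTION", 0x000F: "VOLUME_HEADER"}
VALUE_TYPES = {0x0000: "ERASED", 0x0001: "KEY", 0x0002: "STRING", 0x0003: "STRETCH_KEY",
               0x0004: "USE_KEY", 0x0005: "AES_CCM_ENCRYPTED_KEY", 0x0006: "TPM_ENCODED",
               0x0007: "VALIDATION", 0x0008: "VMK", 0x0009: "EXTERNAL_KEY",
               0x000A: "UPDATE", 0x000B: "ERROR", 0x000F: "OFFSET_AND_SIZE"}
PROTECTION = {0x0000: "CLEAR_KEY", 0x0100: "TPM", 0x0200: "STARTUP_KEY",
              0x0500: "TPM_PIN", 0x0800: "RECOVERY_KEY", 0x2000: "PASSWORD"}
# Protectors a non-TPM unlocker (like cryptsetup) can use; TPM-bound VMKs are "unsupported".
SUPPORTED_PROTECTION = {0x0000, 0x0200, 0x0800, 0x2000}


@dataclass
class Entry:
    etype: int
    vtype: int
    version: int
    payload: bytes
    guid: str = ""          # filled for VMK entries
    protection: int = -1    # filled for VMK entries
    children: list = field(default_factory=list)


def parse_entries(buf, start=0, end=None):
    """Split buf[start:end] into entries, enforcing the two checks a TLV walker needs:
    the header must fit, and the declared size must be >= header and inside the buffer."""
    end = len(buf) if end is None else end
    off, out = start, []
    while off < end:
        if end - off < ENTRY_HDR.size:
            raise ValueError(f"truncated entry header at offset {off}")
        size, etype, vtype, version = ENTRY_HDR.unpack_from(buf, off)
        if size < ENTRY_HDR.size or off + size > end:
            raise ValueError(f"entry at offset {off} declares size {size}, outside the buffer")
        out.append(Entry(etype, vtype, version, bytes(buf[off + ENTRY_HDR.size:off + size])))
        off += size
    return out


def walk_metadata(buf, strict=False):
    """Parse top-level entries, descend into VMK entries and collect unknown value types.
    strict=True imitates a parser that fails on an unknown value inside a supported VMK
    instead of skipping the entry by its declared size."""
    unknown = []
    entries = parse_entries(buf)
    for e in entries:
        if e.vtype not in VALUE_TYPES:
            unknown.append((e.vtype, "top-level"))
        if e.etype == 0x0002 and e.vtype == 0x0008:
            guid_raw, _filetime, _unk, prot = VMK_HDR.unpack_from(e.payload)
            e.guid, e.protection = str(uuid.UUID(bytes_le=guid_raw)), prot
            e.children = parse_entries(e.payload, VMK_HDR.size)
            where = "supported VMK" if prot in SUPPORTED_PROTECTION else "unsupported VMK"
            for c in e.children:
                if c.vtype not in VALUE_TYPES:
                    unknown.append((c.vtype, where))
                    if strict and prot in SUPPORTED_PROTECTION:
                        raise ValueError(
                            f"Unexpected metadata entry value '{c.vtype}' found when parsing {where}.")
    return entries, unknown


def strict_failure(buf):
    """Return the error message a strict parser raises for buf, or None if it parses."""
    try:
        walk_metadata(buf, strict=True)
    except ValueError as exc:
        return str(exc)
    return None


# --- constructed sample: label, a TPM VMK, a recovery-key VMK, and the FVEK entry ---
def make_entry(etype, vtype, payload, version=1):
    return ENTRY_HDR.pack(ENTRY_HDR.size + len(payload), etype, vtype, version) + payload


def make_vmk(guid, protection, children):
    hdr = VMK_HDR.pack(guid.bytes_le, 0x01DA9E8C00000000, 0, protection)  # dummy FILETIME
    return make_entry(0x0002, 0x0008, hdr + b"".join(children))


SAMPLE = b"".join([
    make_entry(0x0007, 0x0002, "M".encode("utf-16-le")),            # volume label
    make_vmk(uuid.UUID(int=1), 0x0100, [                             # TPM-protected VMK
        make_entry(0x0000, 0x0006, bytes(16)),                       # dummy TPM-encoded blob
        make_entry(0x0000, 30, bytes(8)),                            # unknown value type 30
    ]),
    make_vmk(uuid.UUID(int=2), 0x0800, [                             # recovery-key VMK
        make_entry(0x0000, 0x0003, b"\x00\x10\x00\x00" + bytes(16)), # stretch key: method + salt
        make_entry(0x0000, 24, bytes(12)),                           # unknown value type 24
        make_entry(0x0000, 0x0005, bytes(12 + 16 + 44)),             # AES-CCM nonce+MAC+data
    ]),
    make_entry(0x0003, 0x0005, bytes(12 + 16 + 44)),                 # encrypted FVEK
])

if __name__ == "__main__":
    entries, unknown = walk_metadata(SAMPLE)
    for e in entries:
        print(ENTRY_TYPES.get(e.etype, hex(e.etype)), VALUE_TYPES.get(e.vtype, e.vtype),
              PROTECTION.get(e.protection, ""), [c.vtype for c in e.children])
    print("unknown value types:", unknown)
    print("strict parser says:", strict_failure(SAMPLE))
```

The tolerant walk still reaches the stretch-key and AES-CCM entries of the recovery-key VMK, which is all an unlocker needs; the unknown entries are recorded and skipped because every entry carries its own size. The bounds checks in `parse_entries` are what keep that skipping safe on a hostile or corrupted metadata block.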