{"id":15681768,"url":"https://github.com/mevdschee/bitlocker-luks-tools","last_synced_at":"2026-03-06T09:34:34.658Z","repository":{"id":41092379,"uuid":"325655478","full_name":"mevdschee/bitlocker-luks-tools","owner":"mevdschee","description":null,"archived":false,"fork":false,"pushed_at":"2023-07-31T10:24:06.000Z","size":3278,"stargazers_count":30,"open_issues_count":3,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-19T20:53:58.245Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mevdschee.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-30T21:54:09.000Z","updated_at":"2025-02-15T21:43:56.000Z","dependencies_parsed_at":"2024-11-09T09:02:04.070Z","dependency_job_id":"5eaa280a-69c5-4126-b143-07064cfa07ec","html_url":"https://github.com/mevdschee/bitlocker-luks-tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mevdschee%2Fbitlocker-luks-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mevdschee%2Fbitlocker-luks-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mevdschee%2Fbitlocker-luks-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mevdschee%2Fbitlocker-luks-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mevdschee","download_url":"http
s://codeload.github.com/mevdschee/bitlocker-luks-tools/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252854458,"owners_count":21814687,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T16:59:38.274Z","updated_at":"2026-03-06T09:34:29.616Z","avatar_url":"https://github.com/mevdschee.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bitlocker and LUKS tools\n\nThe power of full disk encryption lies in that it is easy to understand and reason about. A key file on a USB drive is such a simple solution for which you can find tools and instructions in this repository.\n\n## create_usb.sh\n\nThis bash script ERASES everything on a USB drive and:\n\n- Creates a GUID partition table (GPT).\n- Adds a single EFI Startup Partition (ESP) on it.\n- Formats the ESP in FAT16 format.\n- Copies the \".BEK\" files from the \"keys\" folder (and subfolders) to the drive.\n- Copies the \".lek\" files from the \"keys\" folder (and subfolders) to the drive.\n\nDemo:\n\n![create_usb.sh screencast](create_usb.gif)\n\n## Windows 10 Pro - Bitlocker\n\nOn Windows the Trusted Platform Module (TPM) will hold your disk encryption keys and bind your disk to your motherboard. This TPM might get wiped on BIOS updates (especially on AMD where the TPM is virtual). You can avoid all this trouble by disabling TPM in your computer's BIOS. If you do this then your disk is encrypted by the key file or passphrase (as expected). 
\n\nRead more: https://tqdev.com/2021-why-i-use-bitlocker-without-tpm\n\n### Configure Bitlocker without TPM\n\nTo configure Bitlocker without TPM, follow these steps:\n\n  - Disable TPM in your BIOS (very important!)\n  - Open the Local Group Policy Editor by pressing Windows+R.\n  - Type \"gpedit.msc\" into the Run dialog box, and press Enter.\n  - Navigate to Local Computer Policy \u003e Computer Configuration \u003e Administrative Templates \u003e Windows Components \u003e BitLocker Drive Encryption \u003e Operating System Drives in the left pane.\n  - Double-click the \"Require additional authentication at startup\" option in the right pane.\n  - Select \"Enabled\" at the top of the window, and ensure the \"Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)\" checkbox is enabled here.\n  - Click \"OK\" to save your changes.\n  - You can now close the Group Policy Editor window.\n  - Enable BitLocker and choose to use a startup key on a USB flash drive (BEK file).\n\nsource: https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/\n\n## Ubuntu 22.04 - LUKS\n\nOn Linux the TPM is not used. The key file or passphrase is enough to decrypt the drive (as expected).\n\n### Configure LUKS\n\nDuring the installation of Ubuntu you can choose to use LVM and encrypt the entire disk. During the installation you need to choose a passphrase. \n\n### generate_key.sh\n\nThis bash script creates keys for a LUKS enabled machine.\n\n- It generates a new UUID based key file.\n- It generates a new recovery key (passphrase).\n- It creates a bash script to install the LUKS keys.\n\nAfter installing and testing the newly added keys you may remove the initial passphrase (entered during installation) from slot 0.\n\n### Debugging (for development)\n\nIf your script in `/bin/luksunlockusb` contains an error you need to adjust it. \nTo do this boot a Live CD and read-write mount the unencrypted boot partition. 
\nCopy the `initrd.img` file to your Live CD Desktop folder and open a Terminal there.\n\nThen, expand the current initramfs.\n\n    mkdir initrd\n    cd initrd\n    gzip -dc ../initrd.img | cpio -i\n\nThen change it as you like (especially `/bin/luksunlockusb`). After finishing your change, compress it to generate the new initramfs using:\n\n    find . | cpio -H newc -o | gzip -9 \u003e ../initrd.img\n    \nNow you have the new initrd.img file that you want to write back to your boot partition (overwrite the existing one).    \n\nSee also: https://tqdev.com/2023-luks-recovery-from-initramfs-shell\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmevdschee%2Fbitlocker-luks-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmevdschee%2Fbitlocker-luks-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmevdschee%2Fbitlocker-luks-tools/lists"}