Issue opening volume (tweak key value too small)

[DeKe42]

I am experiencing difficulties with libbde (and by extension, plaso) when opening a Bitlocker-encrypted partition. In fact, the same problem occurs with both encrypted partitions on the drive.

Without giving a recovery key, bdeinfo prints the following:

[root@machine ewfmount]# bdeinfo -o 1047527424 ewf1 
bdeinfo 20180929

BitLocker Drive Encryption information:
    Encryption method       : AES-XTS 256-bit
    Volume identifier       : <redacted>
    Creation time           : Aug 09, 2018 11:35:38.295965800 UTC
    Description         : <redacted> SYSTEM 9. 8. 2018
    Number of key protectors    : 12

<Key identifiers>*12

When I supply the (verified correct) recovery key, I get:

[root@machine ewfmount]# bdeinfo -o 1047527424 -r <Redacted> ewf1 
bdeinfo 20180929

Unable to open: ewf1.
libbde_encryption_set_keys: invalid tweak key value too small.
libbde_volume_open_read_keys_from_metadata: unable to set keys in encryption context.
libbde_volume_open_read: unable to read keys from primary metadata.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Unfortunately I cannot supply the image. I can correctly mount and open the volume on a Windows 10 machine, but not on a Windows 7 machine.

Is there anything I can do to help locate the issue?

[joachimmetz]

Is there anything I can do to help locate the issue?

This could be an unsupported format feature. There are multiple ways to help

• See if you can create a test image that you can share that contains the same issue
• provide me with format debug output (also see https://github.com/libyal/libbde/wiki/Troubleshooting#verbose-and-debug-output)

[joachimmetz]

I think I've located the issue and made some changes https://github.com/libyal/libbde/commit/e35e6723e3e79a28fcde1874f1e16387ac8349f5