# How to Access LUKS-Encrypted Drives on Windows

This guide provides step-by-step instructions on how to install Windows Subsystem for Linux 2 (WSL 2), set up Debian, and mount LUKS-encrypted drives on a Windows system.

## Prerequisites
- A **LUKS-encrypted drive** that you want to access.
- **Windows 10 (version 2004 and later) or Windows 11** with support for WSL 2.
- Administrator privileges on your Windows system.
- **Basic knowledge of command-line operations** in PowerShell and Linux.

## Step 1: Install Windows Subsystem for Linux 2 (WSL 2)
Open **PowerShell as administrator** and run:
```powershell
wsl --install
```
If WSL 2 is already installed, ensure it is updated:
```powershell
wsl --update
```

🔗 [WSL 2 Installation Guide](https://learn.microsoft.com/en-us/windows/wsl/install)

## Step 2: Install Debian on WSL 2
Debian will be used to handle the LUKS-encrypted drive.

1. Open PowerShell as administrator.
2. Install Debian using the following command:
   ```powershell
   wsl --install -d Debian
   ```
3. Set a **username** and **password** for your Debian GNU/Linux installation when prompted.
4. If Debian is already installed, ensure it is updated:
   ```powershell
   wsl -d Debian --update
   ```

🔗 [Debian WSL Installation Guide](https://wiki.debian.org/InstallingDebianOn/Microsoft/Windows/SubsystemForLinux)

## Step 3: Identify Your LUKS-Encrypted Drive in Windows
1. Open **PowerShell as Administrator**.
2. Run the following command to list all physical drives:
   ```powershell
   Get-CimInstance -query "SELECT * from Win32_DiskDrive"
   ```
3. Identify the LUKS-encrypted drive from the list.
   - Note down its **DeviceID** (e.g., `\\.\PHYSICALDRIVE4`).
   - Make sure you choose the correct drive to avoid mounting the wrong disk.

## Step 4: Mount the Drive in WSL 2
1. Use the following command in PowerShell to mount the drive in WSL 2 (**replace `<DeviceID>` with your actual DeviceID**):
   ```powershell
   wsl --mount <DeviceID> --bare
   ```
   - The `--bare` option ensures that WSL does not automatically attempt to mount file systems, which is necessary for LUKS-encrypted drives.

## **Step 5: Enter Debian on WSL 2**
1. Open **PowerShell as Administrator**.
2. Open Debian with the following command:
   ```powershell
   wsl -d Debian -u <username>
   ```
   - Replace `<username>` with the Linux user you created during Debian installation.
   - If you're unsure, you can try `wsl -d Debian` and switch users manually.

## **Step 6: Install Cryptsetup (If Not Installed)**
1. In Debian, install **cryptsetup**, which is required to unlock LUKS-encrypted drives:
   ```bash
   sudo apt update && sudo apt install cryptsetup
   ```

## **Step 7: Identify the LUKS-Encrypted Partition**
1. List all available partitions:
   ```bash
   sudo fdisk -l
   ```
2. Find the LUKS-encrypted partition.
   - Look for a **Linux partition** that is not automatically mounted.
   - Usually, it's something like `/dev/sda1`, `/dev/nvme0n1p1`, or `/dev/sdb1`.
   - **Do NOT use the whole drive (e.g., `/dev/sda`), only use the partition (e.g., `/dev/sda1`).**

    Example output:
    ```
    Device        Boot Start      End  Sectors  Size Id Type
    /dev/sda1     *     2048  499711  497664  243M 83 Linux
    ```
    In this case, the **LUKS partition** is `/dev/sda1`.

## **Step 8: Unlock the LUKS-Encrypted Drive**
1. Run the following command to decrypt the drive (**replace `<device>` with your partition and `<name>` with an arbitrary name**):
   ```bash
   sudo cryptsetup luksOpen <device> <name>
   ```
   - This will prompt you for the LUKS passphrase.

## **Step 9: Create a Mount Point**
1. Create a folder where the decrypted drive will be mounted (**replace `<folder>` an arbitrary folder name**):
   ```bash
   sudo mkdir -p /mnt/<folder>
   ```

## **Step 10: Mount the Decrypted Volume**
1. Mount the decrypted LUKS volume to the before created folder:
   ```bash
   sudo mount /dev/mapper/<name> /mnt/<folder>
   ```
2. Check if the drive is accessible:
   ```bash
   ls /mnt/<folder>
   ```
3. The contents of the decrypted LUKS drive should now be visible.

## **Step 11: Access the Drive from Windows Explorer**
1. Open **Windows Explorer** and navigate to:
   ```
   \\wsl.localhost\Debian\mnt\<folder>
   ```
   You should see the decrypted contents of your LUKS drive.

## **Step 12: Unmounting and Locking the Drive**
When you are done, it's important to unmount and lock the drive securely.

1. **Unmount the drive**:
   ```bash
   sudo umount /mnt/<folder>
   ```
   
2. **Close the LUKS device**:
   ```bash
   sudo cryptsetup luksClose <name>
   ```

3. **Unmount the drive from WSL** in PowerShell:
   ```powershell
   wsl --unmount <DeviceID>
   ```