blog/content/posts/2024/08/decrypting-an-encrypted-dmg/index.md

+++
title = "Decrypting an Encrypted .dmg"
summary = "How to unlock an encrypted .dmg on Linux (knowing the password)"
date = "2024-08-13"

tags = ["Encryption", "Apple", ".dmg", "Linux"]
categories = ["Tutorial"]
+++

I recently got a USB stick containing an encrypted `.dmg` file with some files
I was interested in. The owner of the USB stick gave me the password so that I
could access the files.

The problem is: **I don't own a Mac**.

So, since I am a proud **GNU/Linux** user and don't want to create a MacOS VM
(even though it seems to be [quite
easy](https://nicksherlock.com/2022/10/installing-macos-13-ventura-on-proxmox/)
on **Proxmox**), I decided to try to open the encrypted file with some
utilities and some hard work.

## What is a DMG?

For those interested: <https://en.wikipedia.org/wiki/Apple_Disk_Image>

For the other lazy people like me: a DMG file is a proprietary file format from
Apple, used to distribute and install apps on MacOS, but it can also contain
other things, such as a file system.

The interesting thing for me is that a DMG file can be encrypted with
**AES-128** or **AES-256**.

During my research for writing this article (of course only after spending a
good hour trying to open the file), I came across an article by another person
interested in encrypted DMGs who concluded by saying:

> #### Conclusion
>
> I wrote this post because it is too complicated (not hard, **complicated**)
> to deal with an encrypted dmg image on another OS than MacOS.

I leave the link to the excellent article here:
<https://talebyanis.github.io/posts/how-to-deal-with-encrypted-dmg-files>

I completely agree: it seems that Apple has done everything possible to make it
impossible to open this file without having a Mac.

## Decrypting an Encrypted DMG

The first thing I did to analyze the file I was working on with was to use the
[*file*](https://www.man7.org/linux/man-pages/man1/file.1.html) utility, which
gave poor results:

```shell
$ file encrypted.dmg 
encrypted.dmg: data
```

*No shit, Sherlock!*

Using the `xxd` command, we can get more clues about the file:

```shell
$ xxd encrypted.dmg | head -n 5
00000000: 656e 6372 6364 7361 0000 0002 0000 0010  encrcdsa........
00000010: 0000 0005 8000 0001 0000 0080 0000 005b  ...............[
00000020: 0000 00a0 ecdb 2a00 e3a5 43a7 b839 0ebb  ......*...C..9..
00000030: 18ec 7107 0000 0200 0000 0000 6d70 0800  ..q.........mp..
00000040: 0000 0000 0001 de00 0000 0001 0000 0001  ................
```

A quick search on DuckDuckGo for "*encrcdsa*" yields a few results, including
the post I mentioned in the [previous chapter](#what-is-a-dmg).

Even without using a search engine, we can understand that the file is
encrypted and we need to find a way to decrypt it.

Searching the Internet with queries like "*linux dmg decrypt*" can yield many
answers, among which stand out:

1. Use [7zip](https://7-zip.org): it can't handle encrypted DMGs;
2. Use [dmg2img](https://github.com/Lekensteyn/dmg2img): it can't handle
   encrypted DMGs;

I searched for a while until I found
[dmgwiz](https://github.com/citruz/dmgwiz), a tool written in Rust (***Rust
FTW!***) that started as a clone of `dmg2img` but allows, among other things,
to read encrypted DMGs!

---

To use `dmgwiz`, you first need to download the binary from the [Releases
page](https://github.com/citruz/dmgwiz/releases/latest) of the project's GitHub
page.

After that, we can decrypt our DMG with the following command:

```shell
$ ./dmgwiz.elf encrypted.dmg -p "<password>" decrypt -o output.dmg
1836058624 bytes written
```

**Hurray!** We managed to decrypt the DMG.

## Extracting the Files

The size of the decrypted file corresponds roughly to the size of the encrypted
file, but if we try to get more information about the DMG using `dmgwiz`, we
get an error:

```shell
$ ./dmgwiz.elf output.dmg info
error: could not read input file - could not parse koly header
```

This means that the first 4 bytes of our file do not correspond to the [magic
number](https://en.wikipedia.org/wiki/File_format#Magic_number) of the DMG
file.

If we try to discover the type of file with the `file` utility we find out
that...

```shell
$ file output.dmg 
output.dmg: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 3586051 sectors, extended partition table (last)
```

It's a file system... *Interesting...*

Using `fdisk`, we can discover that the file system in question is
[APFS](https://en.wikipedia.org/wiki/Apple_File_System), a proprietary file
system from Apple optimized for SSDs and used as the default on MacOS since the
Sierra version.

```shell
$ fdisk -l output.dmg 
Disk output.dmg: 1.71 GiB, 1836058624 bytes, 3586052 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 8ABB68ED-8C96-425B-B615-36926AC40D4C

Device      Start     End Sectors  Size Type
output.dmg1    40 3586015 3585976  1.7G Apple APFS
```

To mount this file system and extract the files, we can use a FUSE driver for
APFS: [apfs-fuse](https://github.com/sgan81/apfs-fuse); it can be found in the
repositories of your distribution.

Once installed, we can use it to mount our file system:

```shell
$ mkdir files/
$ apfs-fuse output.dmg files/
```

Finally, we can verify that everything has been mounted correctly with:

```shell
$ mount | tail -n 1
output.dmg on /home/user/files type fuse (ro,nosuid,nodev,relatime,user_id=1000,group_id=1000)
$ ls files/
private-dir  root
```

## *Post-scriptum*

After writing the entire article, I tried out of curiosity to mount the
encrypted archive directly with `apfs-fuse`, and it worked.

So if you know that the content of the DMG is an APFS file system, you can
directly use `apfs-fuse` without going through `dmgwiz`.

## Conclusion

I decided to write this post because, as already stated by
[talebyanis](https://talebyanis.github.io/), opening an encrypted DMG on
something other than MacOS is complicated (not hard, **complicated**).

I hope I have been helpful to the very few people who are facing the same
problem as me.
Added an article 2024-08-13 23:05:17 +02:00			`+++`
			`title = "Decrypting an Encrypted .dmg"`
			`summary = "How to unlock an encrypted .dmg on Linux (knowing the password)"`
			`date = "2024-08-13"`

			`tags = ["Encryption", "Apple", ".dmg", "Linux"]`
			`categories = ["Tutorial"]`
			`+++`

			I recently got a USB stick containing an encrypted `.dmg` file with some files
			`I was interested in. The owner of the USB stick gave me the password so that I`
			`could access the files.`

			`The problem is: I don't own a Mac.`

			`So, since I am a proud GNU/Linux user and don't want to create a MacOS VM`
			`(even though it seems to be [quite`
			`easy](https://nicksherlock.com/2022/10/installing-macos-13-ventura-on-proxmox/)`
			`on Proxmox), I decided to try to open the encrypted file with some`
			`utilities and some hard work.`

			`## What is a DMG?`

			`For those interested: <https://en.wikipedia.org/wiki/Apple_Disk_Image>`

			`For the other lazy people like me: a DMG file is a proprietary file format from`
			`Apple, used to distribute and install apps on MacOS, but it can also contain`
			`other things, such as a file system.`

			`The interesting thing for me is that a DMG file can be encrypted with`
			`AES-128 or AES-256.`

			`During my research for writing this article (of course only after spending a`
			`good hour trying to open the file), I came across an article by another person`
			`interested in encrypted DMGs who concluded by saying:`

			`> #### Conclusion`
			`>`
			`> I wrote this post because it is too complicated (not hard, complicated)`
			`> to deal with an encrypted dmg image on another OS than MacOS.`

			`I leave the link to the excellent article here:`
			`<https://talebyanis.github.io/posts/how-to-deal-with-encrypted-dmg-files>`

			`I completely agree: it seems that Apple has done everything possible to make it`
			`impossible to open this file without having a Mac.`

			`## Decrypting an Encrypted DMG`

			`The first thing I did to analyze the file I was working on with was to use the`
			`[file](https://www.man7.org/linux/man-pages/man1/file.1.html) utility, which`
			`gave poor results:`

			```shell
			`$ file encrypted.dmg`
			`encrypted.dmg: data`
			```

			`No shit, Sherlock!`

			Using the `xxd` command, we can get more clues about the file:

			```shell
			`$ xxd encrypted.dmg \| head -n 5`
			`00000000: 656e 6372 6364 7361 0000 0002 0000 0010 encrcdsa........`
			`00000010: 0000 0005 8000 0001 0000 0080 0000 005b ...............[`
			`00000020: 0000 00a0 ecdb 2a00 e3a5 43a7 b839 0ebb ......*...C..9..`
			`00000030: 18ec 7107 0000 0200 0000 0000 6d70 0800 ..q.........mp..`
			`00000040: 0000 0000 0001 de00 0000 0001 0000 0001 ................`
			```

			`A quick search on DuckDuckGo for "encrcdsa" yields a few results, including`
			`the post I mentioned in the [previous chapter](#what-is-a-dmg).`

			`Even without using a search engine, we can understand that the file is`
			`encrypted and we need to find a way to decrypt it.`

			`Searching the Internet with queries like "linux dmg decrypt" can yield many`
			`answers, among which stand out:`

			`1. Use [7zip](https://7-zip.org): it can't handle encrypted DMGs;`
			`2. Use [dmg2img](https://github.com/Lekensteyn/dmg2img): it can't handle`
			`encrypted DMGs;`

			`I searched for a while until I found`
			`[dmgwiz](https://github.com/citruz/dmgwiz), a tool written in Rust (***Rust`
			FTW!***) that started as a clone of `dmg2img` but allows, among other things,
			`to read encrypted DMGs!`

			`---`

			To use `dmgwiz`, you first need to download the binary from the [Releases
			`page](https://github.com/citruz/dmgwiz/releases/latest) of the project's GitHub`
			`page.`

			`After that, we can decrypt our DMG with the following command:`

			```shell
			`$ ./dmgwiz.elf encrypted.dmg -p "<password>" decrypt -o output.dmg`
			`1836058624 bytes written`
			```

			`Hurray! We managed to decrypt the DMG.`

			`## Extracting the Files`

			`The size of the decrypted file corresponds roughly to the size of the encrypted`
			file, but if we try to get more information about the DMG using `dmgwiz`, we
			`get an error:`

			```shell
			`$ ./dmgwiz.elf output.dmg info`
			`error: could not read input file - could not parse koly header`
			```

			`This means that the first 4 bytes of our file do not correspond to the [magic`
			`number](https://en.wikipedia.org/wiki/File_format#Magic_number) of the DMG`
			`file.`

			If we try to discover the type of file with the `file` utility we find out
			`that...`

			```shell
			`$ file output.dmg`
			`output.dmg: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 3586051 sectors, extended partition table (last)`
			```

			`It's a file system... Interesting...`

			Using `fdisk`, we can discover that the file system in question is
			`[APFS](https://en.wikipedia.org/wiki/Apple_File_System), a proprietary file`
			`system from Apple optimized for SSDs and used as the default on MacOS since the`
			`Sierra version.`

			```shell
			`$ fdisk -l output.dmg`
			`Disk output.dmg: 1.71 GiB, 1836058624 bytes, 3586052 sectors`
			`Units: sectors of 1 * 512 = 512 bytes`
			`Sector size (logical/physical): 512 bytes / 512 bytes`
			`I/O size (minimum/optimal): 512 bytes / 512 bytes`
			`Disklabel type: gpt`
			`Disk identifier: 8ABB68ED-8C96-425B-B615-36926AC40D4C`

			`Device Start End Sectors Size Type`
			`output.dmg1 40 3586015 3585976 1.7G Apple APFS`
			```

			`To mount this file system and extract the files, we can use a FUSE driver for`
			`APFS: [apfs-fuse](https://github.com/sgan81/apfs-fuse); it can be found in the`
			`repositories of your distribution.`

			`Once installed, we can use it to mount our file system:`

			```shell
			`$ mkdir files/`
			`$ apfs-fuse output.dmg files/`
			```

			`Finally, we can verify that everything has been mounted correctly with:`

			```shell
			`$ mount \| tail -n 1`
			`output.dmg on /home/user/files type fuse (ro,nosuid,nodev,relatime,user_id=1000,group_id=1000)`
			`$ ls files/`
			`private-dir root`
			```

			`## Post-scriptum`

			`After writing the entire article, I tried out of curiosity to mount the`
			encrypted archive directly with `apfs-fuse`, and it worked.

			`So if you know that the content of the DMG is an APFS file system, you can`
			directly use `apfs-fuse` without going through `dmgwiz`.

			`## Conclusion`

			`I decided to write this post because, as already stated by`
			`[talebyanis](https://talebyanis.github.io/), opening an encrypted DMG on`
			`something other than MacOS is complicated (not hard, complicated).`

			`I hope I have been helpful to the very few people who are facing the same`
			`problem as me.`