+++
title = "Decrypting an Encrypted .dmg"
summary = "How to unlock an encrypted .dmg on Linux (knowing the password)"
date = "2024-08-13"
tags = ["Encryption", "Apple", ".dmg", "Linux"]
categories = ["Tutorial"]
+++

I recently got a USB stick containing an encrypted `.dmg` file with some files I was interested in. The owner of the USB stick gave me the password so that I could access the files. The problem is: **I don't own a Mac**.

So, since I am a proud **GNU/Linux** user and don't want to create a macOS VM (even though it seems to be [quite easy](https://nicksherlock.com/2022/10/installing-macos-13-ventura-on-proxmox/) on **Proxmox**), I decided to try to open the encrypted file with some utilities and some hard work.

## What is a DMG?

For those interested:

For the other lazy people like me: a DMG file is Apple's proprietary disk image format. It is mostly used to distribute and install apps on macOS, but since it is a disk image it can carry anything, including a whole file system. The interesting thing for me is that a DMG can be encrypted with **AES-128** or **AES-256**.

During my research for this article (of course only after spending a good hour trying to open the file), I came across a post by another person interested in encrypted DMGs, which concludes:

> #### Conclusion
>
> I wrote this post because it is too complicated (not hard, **complicated**)
> to deal with an encrypted dmg image on another OS than MacOS.

The excellent article is by [talebyanis](https://talebyanis.github.io/).

I completely agree: it seems that Apple has done everything possible to make it impossible to open this file without having a Mac.
## Decrypting an Encrypted DMG

The first thing I did to analyze the file was to run the [*file*](https://www.man7.org/linux/man-pages/man1/file.1.html) utility on it, which gave poor results:

```shell
$ file encrypted.dmg
encrypted.dmg: data
```

*No shit, Sherlock!*

Using the `xxd` command, we can get more clues about the file:

```shell
$ xxd encrypted.dmg | head -n 5
00000000: 656e 6372 6364 7361 0000 0002 0000 0010  encrcdsa........
00000010: 0000 0005 8000 0001 0000 0080 0000 005b  ...............[
00000020: 0000 00a0 ecdb 2a00 e3a5 43a7 b839 0ebb  ......*...C..9..
00000030: 18ec 7107 0000 0200 0000 0000 6d70 0800  ..q.........mp..
00000040: 0000 0000 0001 de00 0000 0001 0000 0001  ................
```

The first eight bytes spell `encrcdsa`, the signature of Apple's encrypted disk image container. A quick search on DuckDuckGo for "*encrcdsa*" yields a few results, including the post I mentioned in the [previous chapter](#what-is-a-dmg). Even without a search engine, the header already tells us a lot: its fields are big-endian, and among them are the key size (`0000 0080`, 128 bits, so AES-128), the block size (`0000 0200`, 512 bytes) and the size of the encrypted payload (`0000 0000 6d70 0800`, 1836058624 bytes). Keep that last number in mind.

Searching the Internet with queries like "*linux dmg decrypt*" yields many answers, among which stand out:

1. Use [7zip](https://7-zip.org): it can't handle encrypted DMGs;
2. Use [dmg2img](https://github.com/Lekensteyn/dmg2img): it can't handle encrypted DMGs.

I searched for a while until I found [dmgwiz](https://github.com/citruz/dmgwiz), a tool written in Rust (***Rust FTW!***) that started as a clone of `dmg2img` but, among other things, can read encrypted DMGs!

---

To use `dmgwiz`, first download the binary from the [Releases page](https://github.com/citruz/dmgwiz/releases/latest) of the project's GitHub repository. After that, we can decrypt our DMG with the following command, passing the password with `-p`:

```shell
$ ./dmgwiz.elf encrypted.dmg -p "" decrypt -o output.dmg
1836058624 bytes written
```

**Hurray!** We managed to decrypt the DMG, and the number of bytes written is exactly the payload size announced in the header.

One caveat: a password given on the command line ends up in your shell history and is visible to other local users through `ps` while the tool runs. Prefix the command with a space (with `HISTCONTROL=ignorespace` set in bash) or delete the history entry afterwards.
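The header fields above can be pulled out programmatically. The following Python script is an added example for this post, not code from dmgwiz or any Apple tool: it decodes the fixed part of the `encrcdsa` version 2 header using the big-endian field layout that the open-source readers (dmg2img, dmgwiz) use, names the fields as they do, and cross-checks what it finds (magic, version, AES key size, payload size being a whole number of blocks). The sample bytes are the 80 bytes from the `xxd` dump above, embedded as a constant; the meaning of the `enc_mode`, `enc_algorithm` and `prng_*` fields is taken from those readers and is not verified here.

```python
"""Decode the fixed part of an 'encrcdsa' (version 2) encrypted DMG header.

Added example for this post; not code from dmgwiz or Apple. Field order and
names follow the open-source readers (dmg2img, dmgwiz); all fields are
big-endian. The sample bytes are the 80 bytes from the xxd dump above.
"""
import struct
import uuid

ENCRCDSA_MAGIC = b"encrcdsa"

# magic, version, iv_size, enc_mode, enc_algorithm, key_bits, prng_algorithm,
# prng_key_size, uuid, block_size, data_size, data_offset, key_count
HEADER_FMT = ">8s7I16sIQQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 76 bytes
FIELDS = (
    "magic", "version", "iv_size", "enc_mode", "enc_algorithm", "key_bits",
    "prng_algorithm", "prng_key_size", "uuid", "block_size", "data_size",
    "data_offset", "key_count",
)

# Constructed sample: the five xxd lines shown above, without offsets/ASCII.
SAMPLE_HEADER = bytes.fromhex(
    "656e6372636473610000000200000010"
    "0000000580000001000000800000005b"
    "000000a0ecdb2a00e3a543a7b8390ebb"
    "18ec710700000200000000006d700800"
    "000000000001de000000000100000001"
)


def is_encrypted_dmg(data: bytes) -> bool:
    """True if the data starts with the encrypted disk image signature."""
    return bytes(data[:8]) == ENCRCDSA_MAGIC


def parse_encrcdsa_header(data: bytes) -> dict:
    """Return the header fields as a dict, after sanity-checking them.

    Raises ValueError for a wrong magic, a version other than 2, an unexpected
    AES key length, or a payload that is not a whole number of blocks.
    """
    if not is_encrypted_dmg(data):
        raise ValueError("not an encrcdsa image (wrong magic)")
    if len(data) < HEADER_LEN:
        raise ValueError("header truncated")
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))
    if hdr["version"] != 2:
        raise ValueError(f"unsupported encrcdsa version {hdr['version']}")
    if hdr["key_bits"] not in (128, 256):
        raise ValueError(f"unexpected key size: {hdr['key_bits']} bits")
    if hdr["block_size"] == 0 or hdr["data_size"] % hdr["block_size"]:
        raise ValueError("data_size is not a multiple of block_size")
    hdr["magic"] = hdr["magic"].decode("ascii")
    hdr["uuid"] = str(uuid.UUID(bytes=hdr["uuid"]))
    hdr["cipher"] = f"AES-{hdr['key_bits']}"  # the cipher a decryptor will need
    hdr["payload_blocks"] = hdr["data_size"] // hdr["block_size"]
    return hdr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read(HEADER_LEN)
    else:
        blob = SAMPLE_HEADER
    for key, value in parse_encrcdsa_header(blob).items():
        print(f"{key:15} {value}")
```

Saved as, say, `encrcdsa.py` and run as `python3 encrcdsa.py encrypted.dmg`, it prints the fields of a real image; `data_size` should equal the byte count dmgwiz reports after decrypting, and `payload_blocks` (here 3586052) is the sector count `fdisk` will show for the decrypted image later on.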
## Extracting the Files

The size of the decrypted file corresponds roughly to the size of the encrypted file, but if we ask `dmgwiz` for information about it, we get an error:

```shell
$ ./dmgwiz.elf output.dmg info
error: could not read input file - could not parse koly header
```

A regular `.dmg` ends with a 512-byte trailer whose [magic number](https://en.wikipedia.org/wiki/File_format#Magic_number) is `koly` (the "koly header" in the error message); it describes how the image's blocks are laid out. Our decrypted file has no such trailer, so it is not a `.dmg` at all but a raw disk image. If we try to discover the type of file with the `file` utility we find out that...

```shell
$ file output.dmg
output.dmg: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 3586051 sectors, extended partition table (last)
```

It's a partitioned disk... *Interesting...* Partition type `0xee` is the protective MBR that every GPT disk carries in its first sector, so the real partition table is the GPT right behind it. Using `fdisk`, we can discover that the file system in question is [APFS](https://en.wikipedia.org/wiki/Apple_File_System), Apple's proprietary file system, optimized for SSDs and the default on macOS since High Sierra:

```shell
$ fdisk -l output.dmg
Disk output.dmg: 1.71 GiB, 1836058624 bytes, 3586052 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 8ABB68ED-8C96-425B-B615-36926AC40D4C

Device      Start     End Sectors  Size Type
output.dmg1    40 3586015 3585976  1.7G Apple APFS
```

To mount this file system and extract the files, we can use a FUSE driver for APFS: [apfs-fuse](https://github.com/sgan81/apfs-fuse). Several distributions package it; otherwise build it from the repository.
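Before mounting, it is worth seeing what `fdisk` actually read. The script below is an added example for this post, not code from fdisk or apfs-fuse: it parses the primary GPT header and partition array of a raw image, picks the entry whose type GUID is APFS (`7C3457EF-0000-11AA-AA11-00306543ECAC`, the GUID behind fdisk's `Apple APFS` label) and verifies that an APFS container superblock (`NXSB` magic, 32 bytes into the block) really sits at the partition's first sector. Since a 1.7 GB image is not on hand, it builds a small constructed image with the geometry from the `fdisk` output above (partition at LBA 40, last LBA 3586015, the same disk identifier); the CRCs in the constructed GPT are left zero and the parser does not check them, which a forensic tool should.

```python
"""Locate the APFS partition of a raw disk image by reading its GPT.

Added example for this post; not code from fdisk or apfs-fuse. The GPT layout
is the UEFI one, the APFS GUID and superblock magic are Apple's; the sample
image is constructed from the fdisk output shown above. CRCs are not checked.
"""
import struct
import uuid

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
APFS_TYPE_GUID = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
NXSB_MAGIC = b"NXSB"  # nx_magic of the container superblock, at byte 32 of block 0


def gpt_entries(image):
    """Yield (type_guid, first_lba, last_lba, name) for each used GPT entry."""
    hdr = bytes(image[SECTOR:2 * SECTOR])
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        ent = bytes(image[off:off + entry_size])
        if len(ent) < 128:
            break  # partition array runs past the end of the image
        type_guid = uuid.UUID(bytes_le=ent[:16])  # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").rstrip("\x00")
        yield type_guid, first, last, name


def find_apfs_partition(image):
    """Return (first_lba, last_lba, byte_offset) of the first APFS partition."""
    for type_guid, first, last, _name in gpt_entries(image):
        if type_guid == APFS_TYPE_GUID:
            return first, last, first * SECTOR
    raise ValueError("no APFS partition in the GPT")


def has_apfs_container(image, byte_offset: int) -> bool:
    """True if an APFS container superblock starts at byte_offset."""
    return bytes(image[byte_offset + 32:byte_offset + 36]) == NXSB_MAGIC


def build_sample_image(first_lba=40, last_lba=3586015, total_sectors=3586052) -> bytes:
    """Constructed sample: protective MBR, GPT header, one APFS entry, NXSB magic."""
    img = bytearray((first_lba + 1) * SECTOR)
    img[446 + 4] = 0xEE               # protective MBR entry of type 0xEE, as `file` reported
    img[510:512] = b"\x55\xaa"        # MBR boot signature
    hdr = bytearray(SECTOR)
    hdr[:8] = GPT_SIGNATURE
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)  # revision, size, crc, reserved
    struct.pack_into("<QQQQ", hdr, 24, 1, total_sectors - 1, 34, last_lba)  # LBAs: this, backup, usable
    hdr[56:72] = uuid.UUID("8ABB68ED-8C96-425B-B615-36926AC40D4C").bytes_le  # fdisk's disk identifier
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)  # entries at LBA 2, 128 slots of 128 bytes
    img[SECTOR:2 * SECTOR] = hdr
    ent = bytearray(128)
    ent[:16] = APFS_TYPE_GUID.bytes_le
    ent[16:32] = uuid.UUID(int=1).bytes_le          # arbitrary unique partition GUID
    struct.pack_into("<QQQ", ent, 32, first_lba, last_lba, 0)
    ent[56:76] = "disk image".encode("utf-16-le")
    img[2 * SECTOR:2 * SECTOR + 128] = ent
    img[first_lba * SECTOR + 32:first_lba * SECTOR + 36] = NXSB_MAGIC
    return bytes(img)


if __name__ == "__main__":
    import mmap
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # mmap: no need to load 1.7 GB into memory
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        data = build_sample_image()
    first, last, off = find_apfs_partition(data)
    print(f"APFS partition: LBA {first}-{last} ({last - first + 1} sectors), byte offset {off}")
    print("container superblock:", "found" if has_apfs_container(data, off) else "MISSING")
```

Run as `python3 find_apfs.py output.dmg` it prints the same range fdisk showed plus the byte offset of the partition (20480 here, i.e. LBA 40 × 512). That offset is what you would hand to `losetup -o` to expose the partition as a block device, or to apfs-fuse's `-s` (container offset) option; given the whole image, as in the mount command below, apfs-fuse finds the container by itself.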
Once apfs-fuse is installed, we can use it to mount our file system:

```shell
$ mkdir files/
$ apfs-fuse output.dmg files/
```

Finally, we can verify that everything has been mounted correctly with:

```shell
$ mount | tail -n 1
output.dmg on /home/user/files type fuse (ro,nosuid,nodev,relatime,user_id=1000,group_id=1000)
$ ls files/
private-dir  root
```

Note the `ro` among the mount options: apfs-fuse mounts read-only, which is exactly what you want for an image somebody handed you, since nothing you do through the mount point can alter the original. When you are done, `fusermount -u files/` unmounts it.

## *Post-scriptum*

After writing the entire article, I tried out of curiosity to mount the encrypted archive directly with `apfs-fuse`, and it worked. So if you know that the content of the DMG is an APFS file system, you can use `apfs-fuse` directly, without going through `dmgwiz`; as a bonus, no decrypted copy of the data is written to disk.

## Conclusion

I decided to write this post because, as already stated by [talebyanis](https://talebyanis.github.io/), opening an encrypted DMG on something other than macOS is complicated (not hard, **complicated**). I hope I have been helpful to the very few people who are facing the same problem as me.