I recently got a USB stick containing an encrypted .dmg file with some files I was interested in. The owner of the USB stick gave me the password so that I could access the files.
The problem is: I don’t own a Mac.
So, since I am a proud GNU/Linux user and don’t want to create a MacOS VM (even though it seems to be quite easy on Proxmox), I decided to try to open the encrypted file with some utilities and some hard work.
What is a DMG?
For those interested: https://en.wikipedia.org/wiki/Apple_Disk_Image
For the other lazy people like me: a DMG file is a proprietary file format from Apple, used to distribute and install apps on MacOS, but it can also contain other things, such as a file system.
The interesting thing for me is that a DMG file can be encrypted with AES-128 or AES-256.
During my research for writing this article (of course only after spending a good hour trying to open the file), I came across an article by another person interested in encrypted DMGs who concluded by saying:
Conclusion
I wrote this post because it is too complicated (not hard, complicated) to deal with an encrypted dmg image on another OS than MacOS.
I leave the link to the excellent article here: https://talebyanis.github.io/posts/how-to-deal-with-encrypted-dmg-files
I completely agree: it seems that Apple has done everything possible to make it impossible to open this file without having a Mac.
Decrypting an Encrypted DMG
The first thing I did to analyze the file I was working with was to use the file utility, which gave poor results:
$ file encrypted.dmg
encrypted.dmg: data
No shit, Sherlock!
Using the xxd command, we can get more clues about the file:
$ xxd encrypted.dmg | head -n 5
00000000: 656e 6372 6364 7361 0000 0002 0000 0010 encrcdsa........
00000010: 0000 0005 8000 0001 0000 0080 0000 005b ...............[
00000020: 0000 00a0 ecdb 2a00 e3a5 43a7 b839 0ebb ......*...C..9..
00000030: 18ec 7107 0000 0200 0000 0000 6d70 0800 ..q.........mp..
00000040: 0000 0000 0001 de00 0000 0001 0000 0001 ................
A quick search on DuckDuckGo for “encrcdsa” yields a few results, including the post I mentioned in the previous chapter.
Even without using a search engine, we can understand that the file is encrypted and we need to find a way to decrypt it.
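To make the dump above concrete, here is a small parser I added for this post (not the author's code and not part of dmgwiz) that decodes the fixed part of the "encrcdsa" header from the 80 bytes shown. The field names follow the vfdecrypt/dmg2john-style layout; reading the word at offset 24 as the AES key length is my assumption, while the data-size field can be cross-checked against the byte count dmgwiz reports and the sector count fdisk prints later in the post.

```python
import struct
import uuid

# Constructed from the xxd dump above: the 80 header bytes the post shows.
# Everything past byte 72 (KDF salt, wrapped key blob) is not on the page.
HEADER_PREFIX = bytes.fromhex(
    "656e6372636473610000000200000010"
    "0000000580000001000000800000005b"
    "000000a0ecdb2a00e3a543a7b8390ebb"
    "18ec710700000200000000006d700800"
    "000000000001de000000000100000001"
)

ENCRCDSA_MAGIC = b"encrcdsa"
# Big-endian: magic, version, IV size, five mode/algorithm words, UUID,
# block size, data size, data offset (vfdecrypt/dmg2john-style layout).
_FIXED = struct.Struct(">8s7I16sIQQ")

def parse_encrcdsa_header(buf):
    """Return the fixed header fields of an encrypted DMG, or None if buf
    does not start with the encrcdsa magic (e.g. a plain/decrypted image)."""
    if len(buf) < _FIXED.size or buf[:8] != ENCRCDSA_MAGIC:
        return None
    (_sig, version, iv_size, enc_mode, enc_algo, key_bits, prng_algo,
     prng_bits, raw_uuid, block_size, data_size, data_offset) = _FIXED.unpack_from(buf)
    return {
        "version": version,
        "iv_size": iv_size,
        # Assumption: the word at offset 24 is the AES key length in bits
        # (0x80 = 128 in this dump, i.e. AES-128); 0x80000001 at offset 20
        # is Apple's CSSM algorithm id for AES.
        "key_bits": key_bits,
        "algorithm_id": enc_algo,
        "uuid": str(uuid.UUID(bytes=raw_uuid)),
        "block_size": block_size,
        "data_size": data_size,      # plaintext payload size in bytes
        "data_offset": data_offset,  # file offset where ciphertext begins
    }

def expected_sectors(hdr, sector=512):
    """Sector count the decrypted image should show in fdisk -l."""
    return hdr["data_size"] // sector

if __name__ == "__main__":
    h = parse_encrcdsa_header(HEADER_PREFIX)
    print(h)
    print("decrypted image should be", h["data_size"], "bytes,",
          expected_sectors(h), "sectors")
```

Run against a real image with `parse_encrcdsa_header(open(path, "rb").read(80))`; a None result is a quick way to tell a plain image from an encrypted one before reaching for dmgwiz.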
Searching the Internet with queries like “linux dmg decrypt” can yield many answers, among which stand out:
I searched for a while until I found dmgwiz, a tool written in Rust (Rust FTW!) that started as a clone of dmg2img but, among other things, can read encrypted DMGs!
To use dmgwiz, you first need to download the binary from the Releases page of the project’s GitHub page.
After that, we can decrypt our DMG with the following command:
$ ./dmgwiz.elf encrypted.dmg -p "<password>" decrypt -o output.dmg
1836058624 bytes written
Hurray! We managed to decrypt the DMG.
Extracting the Files
The size of the decrypted file corresponds roughly to the size of the encrypted file, but if we try to get more information about the DMG using dmgwiz, we get an error:
$ ./dmgwiz.elf output.dmg info
error: could not read input file - could not parse koly header
This means that the first 4 bytes of our file do not correspond to the magic number of the DMG file.
If we try to discover the type of file with the file utility, we find out that…
$ file output.dmg
output.dmg: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 3586051 sectors, extended partition table (last)
It’s a file system… Interesting…
Using fdisk, we can discover that the file system in question is APFS, a proprietary file system from Apple optimized for SSDs and used as the default on MacOS since the Sierra version.
$ fdisk -l output.dmg
Disk output.dmg: 1.71 GiB, 1836058624 bytes, 3586052 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 8ABB68ED-8C96-425B-B615-36926AC40D4C
Device Start End Sectors Size Type
output.dmg1 40 3586015 3585976 1.7G Apple APFS
To mount this file system and extract the files, we can use a FUSE driver for APFS: apfs-fuse; it can be found in the repositories of your distribution.
Once installed, we can use it to mount our file system:
$ mkdir files/
$ apfs-fuse output.dmg files/
Finally, we can verify that everything has been mounted correctly with:
$ mount | tail -n 1
output.dmg on /home/user/files type fuse (ro,nosuid,nodev,relatime,user_id=1000,group_id=1000)
$ ls files/
private-dir root
Post-scriptum
After writing the entire article, I tried out of curiosity to mount the encrypted archive directly with apfs-fuse, and it worked.
So if you know that the content of the DMG is an APFS file system, you can directly use apfs-fuse without going through dmgwiz.
Conclusion
I decided to write this post because, as already stated by talebyanis, opening an encrypted DMG on something other than MacOS is complicated (not hard, complicated).
I hope I have been helpful to the very few people who are facing the same problem as me.