dissect.hypervisor.util.envelope#

Module Contents#

Classes#

Envelope

Implements an encryption envelope as used within ESXi.

KeyStore

Implements a file-based keystore as used in ESXi.

Attributes#

dissect.hypervisor.util.envelope.HAS_PYSTANDALONE = True#
dissect.hypervisor.util.envelope.HAS_PYCRYPTODOME = True#
dissect.hypervisor.util.envelope.c_def = Multiline-String#
"""
// Envelope file header. magic[21] has the same length as FILE_HEADER_MAGIC
// (b'DataTransformEnvelope'); the declared fields sum to 512 bytes
// (21 + 483 + 4 + 4), assuming the parser inserts no alignment padding.
struct EnvelopeFileHeader {
    char    magic[21];
    char    _pad[483];
    // NOTE(review): what `size` measures is not shown here; it is read from the
    // file, so validate it against the actual stream length before using it.
    uint32  size;
    uint32  version;
};

// Footer variant identified by FOOTER_AEAD_MAGIC (b'DataTransformAeadFooter',
// 23 bytes, matching magic[23]). The declared fields sum to 4096 bytes
// (23 + 9 + 4056 + 4 + 4), i.e. one ENVELOPE_BLOCK_SIZE, assuming no
// alignment padding is inserted.
struct DataTransformAeadFooter {
    char    magic[23];
    char    _pad[9];
    // NOTE(review): presumably holds the serialized envelope attributes — confirm.
    char    data[4056];
    // NOTE(review): file-supplied value; check it against the 4056-byte `data`
    // capacity before slicing.
    uint32  size;
    uint32  version;
};

// Footer variant identified by FOOTER_CRYPTO_MAGIC (b'DataTransformCryptoFooter',
// 25 bytes, matching magic[25]). The declared fields sum to 512 bytes
// (25 + 479 + 4 + 4), assuming no alignment padding is inserted.
struct DataTransformCryptoFooter {
    char    magic[25];
    char    _pad[479];
    // NOTE(review): presumably the number of padding bytes added to the
    // payload — confirm; it is file-supplied, so range-check it.
    uint32  padding;
    uint32  version;
};

// One-byte (uint8) type tag. Presumably identifies the value type of an
// envelope attribute (see ENVELOPE_ATTRIBUTE_TYPE_MAP) — confirm.
// Only String and Bytes are confirmed; the numeric tags 0x1-0xA are the
// original author's inference, so treat values decoded with them as
// unverified.
enum AttributeType : uint8 {
    Invalid = 0x0,
    // These are guesses based on size and used attributes
    UInt8 = 0x1,
    UInt16 = 0x2,
    UInt32 = 0x3,
    UInt64 = 0x4,
    Int8 = 0x5,
    Int16 = 0x6,
    Int32 = 0x7,
    Int64 = 0x8,
    Float = 0x9,
    Double = 0xA,
    // These are certain
    String = 0xB,
    Bytes = 0xC
};
"""
dissect.hypervisor.util.envelope.c_envelope#
dissect.hypervisor.util.envelope.FILE_HEADER_MAGIC = b'DataTransformEnvelope'#
dissect.hypervisor.util.envelope.FOOTER_AEAD_MAGIC = b'DataTransformAeadFooter'#
dissect.hypervisor.util.envelope.FOOTER_CRYPTO_MAGIC = b'DataTransformCryptoFooter'#
dissect.hypervisor.util.envelope.PBKDF2_SALT = b'This is obfuscation, not encryption. If you want encryption, use TPM.'#
dissect.hypervisor.util.envelope.ENVELOPE_BLOCK_SIZE = 4096#
dissect.hypervisor.util.envelope.ENVELOPE_ATTRIBUTE_TYPE_MAP#
dissect.hypervisor.util.envelope.DECRYPT_CHUNK_SIZE#
dissect.hypervisor.util.envelope.EnvelopeAttribute#
class dissect.hypervisor.util.envelope.Envelope(fh: BinaryIO)#

Implements an encryption envelope as used within ESXi.

decrypt(key: bytes, aad: bytes = None) bytes#

Decrypt the data in this envelope and return the result as bytes.

Parameters:
  • key – decryption key to use

  • aad – optional associated data to supply when the envelope uses an AEAD cipher (defaults to None)

class dissect.hypervisor.util.envelope.KeyStore(store: Dict[str, str])#

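Implements a file-based keystore as used in ESXi. The module's PBKDF2_SALT is a fixed, public constant, so a key derived with it is only obfuscated, as the salt's own text states.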

property id: str#
property key: bytes#
classmethod from_text(text: str)#

Parse a key store from a string.

Parameters:

text – string to parse a key store from