VMware VMX Crypto Module for Python 3
VMware VMX configuration files are encrypted when the virtual machine is encrypted, too. Making specific changes by hand to these files was not possible until the user fully decrypted the virtual machine (including all virtual disks) and, after the modification was done, re-encrypted the whole virtual machine again. Until this little module was written, which implements the methods to decrypt and encrypt the configuration data.
The pycryptodome Module is used, so it must be installed like this:
pip install pycryptodome
Currently there's no installation procedure. All you have to do is to import the class VMwareVMX with a line like this:
from vmwarevmx import VMwareVMX
vmwarevmx.py
implements the VMwareVMX class with methods decrypt and encrypt.
main.py
is a command line interface to decrypt/encrypt VMware VMX
configuration files and to add and/or remove lines. It also serves as an
example on how to use the VMwareVMX class.
./main.py -h
Usage: main.py [-cdefgGhinv] [-a file] [-D name] [-p password] [-r file] [-x value] in_file [out_file]
-a, --add decrypt, add line(s) from file and encrypt in_file
-c, --change change password
-d, --decrypt decrypt in_file (default)
-D, --displayname set the displayname for encrypted configuration
-e, --encrypt encrypt in_file
-f, --force force overwriting out_file
-g, --guestos set the guestOS parameter
-G, --guestinfo set the guestInfo parameter
-h, --help display this message
-i, --ignore ignore some errors preventing decryption of a corrupted in_file
-n, --new after decrypt, use new parameters for encrypt
-p, --password set the password (default: ask for it)
-r, --remove decrypt, remove line(s) found in file and encrypt in_file
-v, --version print the version string and exit
-x, --hashrounds used for the number of hash rounds of the encryption key (default: 10,000)
-1, --aes encrypt with old AES-256 algorithm
-2, --xts encrypt with new XTS-AES-256 algorithm
./main.py old.vmx
Will ask for the password, decrypts the VMX file old.vmx and writes the result directly to stdout.
./main.py -e -D "Windows 10" -p test1234 old.vmx new.vmx
Encrypts the VMX file old.vmx with password test1234
, adds the display
name "Windows 10" to the config file and writes the result to new.vmx. If
new.vmx already exists, it's not overwritten. Add -f or --force to do so.
./main.py -a add.txt -r remove.txt old.vmx new.vmx
Will ask for the password, decrypts the VMX file old.vmx, removes all the lines that can be found in remove.txt from the configuration, adds new lines from add.txt, encrypts the result and writes the configuration to new.vmx, overwriting an already existing new.vmx file. The keys and parameters used for encryption are identical to those used in the encrypted file old.vmx, which means that the encryption.keySafe line is the same in old.vmx and new.vmx. To use completely new keys and encryption parameters, add -n or --new to the options.
./main.py -c old.vmx new.vmx
This asks for the old password if not already given with the -p option and then asks twice for the new password. If the new passwords match, the new password is used for new.vmx.
1.0.7:
- Fixed password bug in main.py (-p option didn't work anymore) which was introduced with 1.0.6. Thanks to RomanKrylov for noticing me.
- Added two new options (-1, --aes and -2, --xts) for selecting the encryption algorithm. This allows both upgrading and downgrading.
- Fixed an issue with the VMwareVMX class which forgot to reset the config key used to encrypt the configuration when the encryption algorithm was changed
1.0.6:
- Added support for new XTS-AES-256 algorithm introduced with VMware Workstation 17.5 and VMware Fusion 13.5 (which is in fact not the real XTS-AES algorithm). Thanks to mroi for most of the work.
- Python 2 support has been removed
1.0.5:
- New option -G (or --guestinfo) defines the guestInfo parameter.
- Added public attribute "hash_rounds" with the number of hash rounds used for the PBKDF2-HMAC-SHA-1 hashing algorithm.
1.0.4:
- Fix: Added UTF-8 encoding on file encryption (thanks Knoxberg)
- Added password change and guestos options:
- New option -c (or --change) allows one to change the password of a VMX file without shutting down and restarting the client machine.
- New option -g (or --guestos) defines the guestOS parameter.
- Wrong password during decryption now results in a correct error message.
1.0.3:
- Fix: Do not add "None" to output file if guestOSdetaileddata is empty (thanks jbl42)
1.0.2:
- Added -i (--ignore) option to be able to open a corrupted .vmx file by ignoring some errors happening during decryption. Due to the nature of the AES encryption, this only works up to the point where the file got corrupted. If it's in the beginning, not much of it will be recovered.
- Replaced pad() function with Crypto.Util.Padding.pad() and fixed the error of padding before encoding. Thanks to mroi.
Written 2018-2024 by Robert Federle [email protected]