[File] Magic for AES encrypted data *.aes

Jörg Jenderek joerg.jen.der.ek at gmx.net
Tue Aug 18 11:45:32 UTC 2020

Hash: SHA1

some days ago i backup files with software duplicati.
This can optional encrypt the backup with AES. Then the backup
files have "aes" as file name extension.
When running file command version 5.39 on such backups these are
described as "data".

For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). This identifies such
samples as AES Crypt encrypted. It list with -v option the related
URL pointing to used file format information.

So it becomes clear that a library/tool AESCrypt is used to easily
and securely encrypt the backup files with industry standard Advanced
Encryption Standard (AES). So last information is now expressed by
comment line like
 # URL:	https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Information about this AES File Format is found on AES Crypt web
site. That is expressed by reference URL like:
 # Reference:	https://www.aescrypt.com/aes_file_format.html

According to reference such aes-files start with 3 byte string AES.
Following is byte containing version in range from 0 to 2. This is
expressed by lines like:
 0	string		AES
 >3	ubyte		<3	AES encrypted data, version %u
 !:ext	aes
 !:mime	application/x-aes-encrypted
The Windows GUI application register application/aes as mime type,
but that is not officially registered at IANA. So i choose a user
defined one.

For Version 2 the encrypted file can have text tags like CREATED_BY.
The value for this tag contains string of software product,
manufacturer like examples "SharpAESCrypt v1.3.3.0", "aescrypt
(Windows GUI) 3.10" or "aescrypt 3.14". This is shown by lines like:
 >>3	ubyte		=2
 >>>7	string		CREATED_BY	\b, created by
 >>>>&1	string		x		"%s"

After applying the above mentioned modifications by magic lines
appended as file-5.39-aes.txt then i get an output like:

aes-java.aes:         AES encrypted data,
		      version 2
duplicati-foobar.aes: AES encrypted data,
		      version 2, created by
		      "SharpAESCrypt v1.3.3.0"
hello_world.aes:      AES encrypted data,
		      version 2, created by
		      "aescrypt 3.05"
lmhosts.sam.aes:      AES encrypted data,
		      version 2, created by
		      "aescrypt (Windows GUI) 3.10"
lmhosts.txt.aes:      AES encrypted data,
		      version 2, created by
		      "aescrypt 3.10"

I hope my magic lines file can be applied in future version of
file utility.

With best wishes
Jörg Jenderek
- --
Jörg Jenderek

Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

-------------- next part --------------

# Summary:	AES Crypt Encrypted Data File
# From:		Joerg Jenderek
# URL:		https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
# Reference:	https://www.aescrypt.com/aes_file_format.html
0	string		AES	
>3	ubyte		<3		AES encrypted data, version %u
#!:mime	application/aes
!:mime	application/x-aes-encrypted
!:ext	aes
# For Version 2 the encrypted file can have text tags
>>3	ubyte		=2
# length of an extension identifier and contents like: 0 24 33 38
#>>5	ubeshort	x		\b, tag length %u
#>>5	pstring/H	x		'%s'
# standard extension tags like CREATED_BY
>>>7	string		CREATED_BY	\b, created by
# software product, manufacturer like "SharpAESCrypt v1.3.3.0" "aescrypt (Windows GUI) 3.10" ...
>>>>&1	string		x		"%s"
# TODO: more other tags

-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.39-aes.txt.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20200818/92a0a46f/attachment.obj>

More information about the File mailing list