Prevent VM to be copied/cloned to other computers

[jof2jc]

Hi everyone,

As we all know, users can easily take a VDI and load it on another computer.

I am looking for a way to prevent that. I'm thinking at least... when they want to clone the vdi to another computer, then they have to put 'password'.

Is this possible within VirtualBox for such management? Is there encryption or other security methods provided to achieve this?

Thanks

[Perryg]

http://www.virtualbox.org/manual/ch09.h ... encryption

[noteirak]

VirtualBox 5.0 has a disk encryption feature (with the extension pack). The data required to decrypt the disk are not stored within the file, so one cannot just copy the file. same for export.

[loukingjr]

Just to clarify a couple things, you can export an encrypted VM. VirtualBox will just decrypt it first.

Exporting appliances which contain encrypted disk images is not possible because the OVF specification doesn't support this. All images are therefore decrypted during export.

You can also copy the entire VM folder but you would still need the password to decrypt it.

Either way you would need the password.

[jof2jc]

you can export an encrypted VM. VirtualBox will just decrypt it first.

I assume that exported .OVA is not encrypted anymore

Just want to clarify this... when user tries to import OVA on other computer, they will still need to provide password or not?

[loukingjr]

You can't export an encrypted VM without knowing the password in the first place. The resulting .ova would not be encrypted because as I just posted…

Exporting appliances which contain encrypted disk images is not possible because the OVF specification doesn't support this..

[noteirak]

indeed, I confused with a cloning limitation. See relevant topic

[jof2jc]

I just saw in v5, user can easily set new password for encrypted VM...so they can still take copy of VM folder and load it into another computers..

I think there must be old password confirmation to renew the password???

[jof2jc]

I think for my use-case, I would need to use something else ... maybe windows bit-locker?

[noteirak]

I think there must be old password confirmation to renew the password???

Yes, they still need the password

[mpack]

In direct answer to the question: you can "clone" a VM to another computer simply by copying the VM folder. So, if the user has access to the VM folder then there is no way to physically prevent this.

Encryption would ensure that any such copy is useless. However, encryption carries its own risks - mainly that a rather nasty failure mode has been added. I.e. if you forget the password then you are way out of luck, no matter how many backups you have. In this scenario you would be begging your VM thief to give a copy back to you! I'm already beginning to see the problem reports: "I wanted to find out what encryption did... - it randomizes the hdd contents!" (well yes, that's kinda the point). It's going to be most fun with those guys who routinely share disks between VMs, if one VM uses encryption and the other doesn't. Or how about if the VM uses snapshots and the password has been changed somewhere in the snapshot chain. I shudder to think about the weird problems that are going to appear on these forums in the next couple of years.

[jof2jc]

I haven't been able to test encryption capability in v5 due to other technical issue I'm facing..

As long as they have to provide password, then as you said...I think its useless even they can take copy of VM folder. For me, It doesn't matter if they can carry VM folder as long as it's encrypted.

jof2jc wrote:
I think there must be old password confirmation to renew the password???

Yes, they still need the password

This has confirmed me so far to fulfill the goal...anyway, I'll give a test later.

If it doesn't work then I have to consider something else like Bitlocker. But I prefer VM encryption first rather than encrypting entire disk.

[noteirak]

But I prefer VM encryption first rather than encrypting entire disk.

VirtualBox encryption does not encrypt the VM config, it encrypts the disk, just like bitlocker!

[jof2jc]

When a VM is encrypted then it prompt for password on every start-up. Can we set it auto-logon?
But if the VMfolder is copied/cloned to another computer then it shall prompt for password..

[mpack]

It isn't a login, it's a decryption. Quite separate from the guest OS login (if any). And storing the decryption key anywhere is a big no-no. So no, it can't be done automatically.