Prevent VM to be copied/cloned to other computers
Prevent VM to be copied/cloned to other computers
Hi everyone,
As we all know, users can easily take a VDI and load it on another computer.
I am looking for a way to prevent that. I'm thinking at least... when they want to clone the vdi to another computer, then they have to put 'password'.
Is this possible within VirtualBox for such management? Is there encryption or other security methods provided to achieve this?
Thanks
As we all know, users can easily take a VDI and load it on another computer.
I am looking for a way to prevent that. I'm thinking at least... when they want to clone the vdi to another computer, then they have to put 'password'.
Is this possible within VirtualBox for such management? Is there encryption or other security methods provided to achieve this?
Thanks
-
- Site Moderator
- Posts: 5229
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Prevent VM to be copied/cloned to other computers
VirtualBox 5.0 has a disk encryption feature (with the extension pack). The data required to decrypt the disk are not stored within the file, so one cannot just copy the file. same for export.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
Manage your VirtualBox infrastructure the free way!
-
- Volunteer
- Posts: 8851
- Joined: 30. Apr 2009, 09:45
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: just about all that run
Re: Prevent VM to be copied/cloned to other computers
Just to clarify a couple things, you can export an encrypted VM. VirtualBox will just decrypt it first.
Either way you would need the password.
You can also copy the entire VM folder but you would still need the password to decrypt it.Exporting appliances which contain encrypted disk images is not possible because the OVF specification doesn't support this. All images are therefore decrypted during export.
Either way you would need the password.
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
There are three groups of people. Those that can count and those that can't.
Re: Prevent VM to be copied/cloned to other computers
I assume that exported .OVA is not encrypted anymoreloukingjr wrote:you can export an encrypted VM. VirtualBox will just decrypt it first.
Just want to clarify this... when user tries to import OVA on other computer, they will still need to provide password or not?
-
- Volunteer
- Posts: 8851
- Joined: 30. Apr 2009, 09:45
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: just about all that run
Re: Prevent VM to be copied/cloned to other computers
You can't export an encrypted VM without knowing the password in the first place. The resulting .ova would not be encrypted because as I just posted…
Exporting appliances which contain encrypted disk images is not possible because the OVF specification doesn't support this..
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
There are three groups of people. Those that can count and those that can't.
-
- Site Moderator
- Posts: 5229
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Prevent VM to be copied/cloned to other computers
indeed, I confused with a cloning limitation. See relevant topic
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
Manage your VirtualBox infrastructure the free way!
Re: Prevent VM to be copied/cloned to other computers
I just saw in v5, user can easily set new password for encrypted VM...so they can still take copy of VM folder and load it into another computers..
I think there must be old password confirmation to renew the password???
I think there must be old password confirmation to renew the password???
Re: Prevent VM to be copied/cloned to other computers
I think for my use-case, I would need to use something else ... maybe windows bit-locker?
-
- Site Moderator
- Posts: 5229
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Prevent VM to be copied/cloned to other computers
Yes, they still need the passwordjof2jc wrote:I think there must be old password confirmation to renew the password???
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
Manage your VirtualBox infrastructure the free way!
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Prevent VM to be copied/cloned to other computers
In direct answer to the question: you can "clone" a VM to another computer simply by copying the VM folder. So, if the user has access to the VM folder then there is no way to physically prevent this.
Encryption would ensure that any such copy is useless. However, encryption carries its own risks - mainly that a rather nasty failure mode has been added. I.e. if you forget the password then you are way out of luck, no matter how many backups you have. In this scenario you would be begging your VM thief to give a copy back to you! I'm already beginning to see the problem reports: "I wanted to find out what encryption did... - it randomizes the hdd contents!" (well yes, that's kinda the point). It's going to be most fun with those guys who routinely share disks between VMs, if one VM uses encryption and the other doesn't. Or how about if the VM uses snapshots and the password has been changed somewhere in the snapshot chain. I shudder to think about the weird problems that are going to appear on these forums in the next couple of years.
Encryption would ensure that any such copy is useless. However, encryption carries its own risks - mainly that a rather nasty failure mode has been added. I.e. if you forget the password then you are way out of luck, no matter how many backups you have. In this scenario you would be begging your VM thief to give a copy back to you! I'm already beginning to see the problem reports: "I wanted to find out what encryption did... - it randomizes the hdd contents!" (well yes, that's kinda the point). It's going to be most fun with those guys who routinely share disks between VMs, if one VM uses encryption and the other doesn't. Or how about if the VM uses snapshots and the password has been changed somewhere in the snapshot chain. I shudder to think about the weird problems that are going to appear on these forums in the next couple of years.
Re: Prevent VM to be copied/cloned to other computers
I haven't been able to test encryption capability in v5 due to other technical issue I'm facing..
As long as they have to provide password, then as you said...I think its useless even they can take copy of VM folder. For me, It doesn't matter if they can carry VM folder as long as it's encrypted.
If it doesn't work then I have to consider something else like Bitlocker. But I prefer VM encryption first rather than encrypting entire disk.
As long as they have to provide password, then as you said...I think its useless even they can take copy of VM folder. For me, It doesn't matter if they can carry VM folder as long as it's encrypted.
This has confirmed me so far to fulfill the goal...anyway, I'll give a test later.noteirak wrote:jof2jc wrote:
I think there must be old password confirmation to renew the password???
Yes, they still need the password
If it doesn't work then I have to consider something else like Bitlocker. But I prefer VM encryption first rather than encrypting entire disk.
-
- Site Moderator
- Posts: 5229
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Prevent VM to be copied/cloned to other computers
VirtualBox encryption does not encrypt the VM config, it encrypts the disk, just like bitlocker!jof2jc wrote:But I prefer VM encryption first rather than encrypting entire disk.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
Manage your VirtualBox infrastructure the free way!
Re: Prevent VM to be copied/cloned to other computers
When a VM is encrypted then it prompt for password on every start-up. Can we set it auto-logon?
But if the VMfolder is copied/cloned to another computer then it shall prompt for password..
But if the VMfolder is copied/cloned to another computer then it shall prompt for password..
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Prevent VM to be copied/cloned to other computers
It isn't a login, it's a decryption. Quite separate from the guest OS login (if any). And storing the decryption key anywhere is a big no-no. So no, it can't be done automatically.