mwp wrote: It must take you years to get anything done if you have to refer to the manual any time you do something
Obviously I don't have to refer to the manual "any time" I do something. Just when I want to try something I haven't done before. ::gasp::
How to re-use encrypted VDI???
-
- Volunteer
- Posts: 8851
- Joined: 30. Apr 2009, 09:45
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: just about all that run
Re: How to re-use encrypted VDI???
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: How to re-use encrypted VDI???
... especially when said something is quite obviously dangerous. You are after all deliberately corrupting your hard disk. If that thought doesn't cause you to double check the docs then I don't know what would.
-
- Volunteer
- Posts: 8851
- Joined: 30. Apr 2009, 09:45
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: just about all that run
Re: How to re-use encrypted VDI???
I don't normally encrypt anything. When the encryption feature was added to VirtualBox I decided to test it. I managed not to destroy anything. I think that's because I read the section in the manual on encryption. Crazy huh?
And of course, if your VMs were backed up, even after you destroyed your guest, you could have recovered.
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: How to re-use encrypted VDI???
loukingjr wrote: And of course, if your VMs were backed up, even after you destroyed your guest, you could have recovered.
We've had this discussion before. There's a huge gotcha with backing up encrypted VMs, which is that you have to remember the password you used for each backup; the IT police recommend that you change passwords regularly, plus you aren't supposed to write them down. Encryption sounds great as a remote concept, but when confronted by it a number of practical questions occur (or should).
-
- Volunteer
- Posts: 8851
- Joined: 30. Apr 2009, 09:45
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: just about all that run
Re: How to re-use encrypted VDI???
I don't actually remember that conversation Don. However, I would think just keeping one backup of an encrypted VM with whatever the current password is would suffice. Change the password, replace the backup. Of course as I mentioned, I don't encrypt.
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: How to re-use encrypted VDI???
The conversation took place the last time someone had one of these "oh wait, encryption doesn't really stop people accessing my data does it?" topics: here.
For my home stuff, one backup is fine. At work I have an external 2TB drive to which I write various backups. I only ever delete (oldest) backups when the drive fills up, which tends to be about a year. For development I sometimes need to be able to go back and find when a certain change was introduced, so a single backup doesn't work for that. This is my personal backup regime: the IT people also have one of those indiscriminate nightly server backup thingies that I don't know or care about: not under my control == not something I trust my livelihood to!
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: How to re-use encrypted VDI???
socratis wrote: Actually, it's not a bad idea after all. Just quoting the paragraph from the manual (see my previous post) with an "OK, I understand the ramifications" and "No way, get me out of here" buttons would be an adequate run-time warning.
I agree. However at this time the feature is new and unproven, while that is the kind of frill that tends to be added with time.
If someone feels strongly about this then it could be raised as a BugTracker improvement suggestion.
-
- Volunteer
- Posts: 8851
- Joined: 30. Apr 2009, 09:45
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: just about all that run
Re: How to re-use encrypted VDI???
mpack wrote: The conversation took place the last time someone had one of these "oh wait, encryption doesn't really stop people accessing my data does it?" topics: here.
Geez, I am getting forgetful.
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
Re: How to re-use encrypted VDI???
Thanks for above input from everyone.
I've been struggling to handle encrypted media (VDI image or rawdisk VMDK) in a consistent way following the above hints and guides.
Please find below what I found, which seems to be working for me.
My setup is a headless Arch host (VirtualBox v6.1.8) and a variety of VMs running on it.
I prefer the CLI but I also have phpVirtualBox, where I can check and confirm (or not) actions.
I've been trying to find the right way of attaching/detaching encrypted images, having in mind that encrypted media may need to be moved to a different host machine / re-attached to other VM(s) from an image file backup.
This is also to make sure that, in case of some failure, data can be decrypted and extracted from the encrypted drive or mounted in some other way (at least for fixed size VDIs).
Here is what I found:
1. create VDI independently of the VM (before even target VM existed in the list of VMs):
    vboxmanage createmedium disk --filename encrypted.vdi --size 4000 --variant Standard
   Result:
    Medium created. UUID: ebfb0df5-d456-47b1-9282-dbccf51d9efb
2. encrypt created VDI:
    vboxmanage encryptmedium ebfb0df5-d456-47b1-9282-dbccf51d9efb --newpassword - --cipher AES-XTS128-PLAIN64 --newpasswordid prikey
   Type password when prompted....
3. VB has now put new image into list with below data:
    vboxmanage showmediuminfo ebfb0df5-d456-47b1-9282-dbccf51d9efb
   Result:
    UUID:           ebfb0df5-d456-47b1-9282-dbccf51d9efb
    Parent UUID:    base
    State:          created
    Type:           normal (base)
    Location:       /srv/vbox/encrypted.vdi
    Storage format: VDI
    Format variant: dynamic default
    Capacity:       4000 MBytes
    Size on disk:   2 MBytes
    Encryption:     enabled
    Cipher:         AES-XTS128-PLAIN64
    Password ID:    prikey
    Property:       AllocationBlockSize=1048576
                    CRYPT/KeyId=prikey
                    CRYPT/KeyStore=U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
    MjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9e
    auuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBO
    AAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJ
    YRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAA==
   Please back up this output into a separate file (perhaps with the password used during creation) in a safe place.
   The image is listed in the (web)GUI Virtual Media Manager or via CLI: vboxmanage list hdds (here you can also see the line Encryption: enabled).
4. Remove this image in Virtual Media Manager (or CLI closemedium), but don't delete the image file. Check the manager or the list again to confirm it is no longer listed.
5. Now attach the image file (by selecting the image file) to a VM which you want to use to access the data (perhaps even on a different host machine).
6. In my case the image becomes attached to the selected VM but the CRYPT information seems to be lost. The image is basically attached as a regular unencrypted image:
    vboxmanage list hdds
   and the same output from
    vboxmanage showmediuminfo ebfb0df5-d456-47b1-9282-dbccf51d9efb
   now show:
    UUID:           ebfb0df5-d456-47b1-9282-dbccf51d9efb
    Parent UUID:    base
    State:          created
    Type:           normal (base)
    Location:       /srv/vbox/encrypted.vdi
    Storage format: VDI
    Capacity:       4000 MBytes
    Encryption:     disabled
7. Now THE MAGIC that works for me:
    vboxmanage mediumproperty disk set encrypted.vdi CRYPT\/KeyId prikey
    vboxmanage mediumproperty disk set encrypted.vdi CRYPT\/KeyStore U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9eauuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBOAAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJYRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
   If you have not made a mistake copying/pasting the keyid and keystore from your backup notes, you should see that the medium information now shows the correct fields for Cipher and Encryption, as below:
    UUID:           ebfb0df5-d456-47b1-9282-dbccf51d9efb
    Parent UUID:    base
    State:          created
    Type:           normal (base)
    Location:       /srv/vbox/encrypted.vdi
    Storage format: VDI
    Format variant: dynamic default
    Capacity:       4000 MBytes
    Size on disk:   2 MBytes
    Encryption:     enabled
    Cipher:         AES-XTS128-PLAIN64
    Password ID:    prikey
    Property:       AllocationBlockSize=1048576
                    CRYPT/KeyId=prikey
                    CRYPT/KeyStore=U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9eauuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBOAAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJYRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
   Please try for yourself and let me know if this works for earlier VirtualBox versions?
NOTE: the above also seems to work with encrypted physical raw disks described by a VMDK file.
NOTE2: please mind the escape character in my code in case you work on a Windows host.
I hope this helps.
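The save / closemedium / reattach / restore cycle described in the post above, as an added example that is not part of the original post and not VirtualBox's own code: a small Python script that parses `vboxmanage showmediuminfo` output (the MEDIUMINFO sample inside it is constructed from the output pasted above), joins the line-wrapped CRYPT/KeyStore value into the one-line form that `mediumproperty set` takes, writes a backup record, and rebuilds the two restore commands from that record. It also decodes the clear-text identifiers at the head of the key store blob (magic, cipher name, KDF name), which shows what the blob actually is: the disk key wrapped under a key derived from the password with PBKDF2-SHA256. All function names are mine. Two caveats for anyone following the steps: the CRYPT/* properties are metadata in VirtualBox's media registry, not part of the .vdi file, which is why closemedium drops them and why a copy must be kept alongside the image backup; and because key store plus password is everything needed to decrypt, the backup record and the password should not live in the same place.

```python
"""Back up and restore the CRYPT/KeyId and CRYPT/KeyStore properties of a
VirtualBox-encrypted medium (step 7 of the post above, automated).

Added example, not code from the post or from VirtualBox.  Function names
are mine; MEDIUMINFO is constructed from the showmediuminfo output pasted
in the post, with the key store wrapped over several lines as printed."""
import base64
import json
import re
import shutil
import subprocess

MEDIUMINFO = """\
UUID:           ebfb0df5-d456-47b1-9282-dbccf51d9efb
Parent UUID:    base
State:          created
Type:           normal (base)
Location:       /srv/vbox/encrypted.vdi
Storage format: VDI
Capacity:       4000 MBytes
Encryption:     enabled
Cipher:         AES-XTS128-PLAIN64
Password ID:    prikey
Property:       AllocationBlockSize=1048576
                CRYPT/KeyId=prikey
                CRYPT/KeyStore=U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
MjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9e
auuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBO
AAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJ
YRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA==
"""

# A continuation line of the wrapped key store: base64 alphabet only.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_mediuminfo(text):
    """Extract what a restore needs.  The key store is printed wrapped at
    64 columns and its continuation lines carry no 'Key: value' prefix, so
    they are collected and joined into the one-line form mediumproperty takes."""
    info = dict.fromkeys(("uuid", "location", "encryption", "key_id", "key_store"))
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("UUID:"):
            info["uuid"] = line.split(":", 1)[1].strip()
        elif line.startswith("Location:"):
            info["location"] = line.split(":", 1)[1].strip()
        elif line.startswith("Encryption:"):
            info["encryption"] = line.split(":", 1)[1].strip()
        elif "CRYPT/KeyId=" in line:
            info["key_id"] = line.split("CRYPT/KeyId=", 1)[1]
        elif "CRYPT/KeyStore=" in line:
            parts = [line.split("CRYPT/KeyStore=", 1)[1]]
            while i + 1 < len(lines) and B64_LINE.match(lines[i + 1]):
                i += 1
                parts.append(lines[i])
            info["key_store"] = "".join(parts)
        i += 1
    return info


def keystore_header(key_store_b64):
    """Decode the identifiers stored in clear at the head of the key store:
    4-byte magic, a 2-byte version field, then two NUL-padded 32-byte names
    (cipher, KDF).  Bytes after offset 70 (KDF parameters and the
    password-wrapped disk key) are deliberately left uninterpreted."""
    raw = base64.b64decode(key_store_b64, validate=True)
    if len(raw) < 70 or raw[:4] != b"SCNE":
        raise ValueError("not a VirtualBox key store blob")
    return {
        "magic": raw[:4].decode("ascii"),
        "version_bytes": raw[4:6].hex(),
        "cipher": raw[6:38].rstrip(b"\0").decode("ascii"),
        "kdf": raw[38:70].rstrip(b"\0").decode("ascii"),
        "opaque_bytes": len(raw) - 70,
    }


def backup_json(info):
    """The record to keep next to the image backup.  Store it apart from
    the password: key store plus password is everything needed to decrypt."""
    keys = ("uuid", "location", "key_id", "key_store")
    return json.dumps({k: info[k] for k in keys}, indent=2)


def restore_commands(medium, key_id, key_store):
    """The two mediumproperty calls of step 7 as argv lists.  No shell is
    involved, so the slash in the property names needs no escaping."""
    base = ["VBoxManage", "mediumproperty", "disk", "set", medium]
    return [base + ["CRYPT/KeyId", key_id], base + ["CRYPT/KeyStore", key_store]]


def restore_from_backup(backup_text, medium=None, execute=False):
    """Rebuild the restore commands from a backup record; run them only on
    request and only when VBoxManage is actually installed."""
    rec = json.loads(backup_text)
    cmds = restore_commands(medium or rec["location"], rec["key_id"], rec["key_store"])
    if execute and shutil.which("VBoxManage"):
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    info = parse_mediuminfo(MEDIUMINFO)
    print(keystore_header(info["key_store"]))
    for cmd in restore_from_backup(backup_json(info)):
        print(" ".join(cmd))
```

Run it against real output by replacing MEDIUMINFO with the text of `vboxmanage showmediuminfo <uuid>` taken right after `encryptmedium`; keep the JSON it produces with the image backup, and after reattaching the image on the new host call `restore_from_backup(text, medium="<new path>", execute=True)`. The header decode is informational only: a key store that decodes to the expected cipher and KDF names has survived the copy/paste intact, but only the password turns it back into a usable disk key.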