How to re-use encrypted VDI???

This is for discussing general topics about how to use VirtualBox.
loukingjr
Volunteer
Posts: 8851
Joined: 30. Apr 2009, 09:45
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: just about all that run

Re: How to re-use encrypted VDI???

Post by loukingjr »

mwp wrote:It must take you years to get anything done if you have to refer to the manual any time you do something :roll:
Obviously I don't have to refer to the manual "any time" I do something. Just when I want to try something I haven't done before. ::gasp::
OSX, Linux and Windows Hosts & Guests
There are three groups of people. Those that can count and those that can't.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: How to re-use encrypted VDI???

Post by mpack »

... especially when said something is quite obviously dangerous. You are after all deliberately corrupting your hard disk. If that thought doesn't cause you to double check the docs then I don't know what would.
loukingjr
Volunteer

Re: How to re-use encrypted VDI???

Post by loukingjr »

I don't normally encrypt anything. When the encryption feature was added to VirtualBox I decided to test it. I managed not to destroy anything. I think that's because I read the section in the manual on encryption. Crazy huh?

And of course, if your VMs were backed up, even after you destroyed your guest, you could have recovered.
mpack
Site Moderator

Re: How to re-use encrypted VDI???

Post by mpack »

loukingjr wrote:And of course, if your VMs were backed up, even after you destroyed your guest, you could have recovered.
We've had this discussion before. There's a huge gotcha with backing up of encrypted VMs, which is that you have to remember the password you used for each backup, the IT police recommend that you change passwords regularly, plus you aren't supposed to write them down. Encryption sounds great as a remote concept, but when confronted by it a number of practical questions occur (or should).
loukingjr
Volunteer

Re: How to re-use encrypted VDI???

Post by loukingjr »

I don't actually remember that conversation Don. However, I would think just keeping one backup of an encrypted VM with whatever the current password is would suffice. Change the password, replace the backup. Of course as I mentioned, I don't encrypt.
mpack
Site Moderator

Re: How to re-use encrypted VDI???

Post by mpack »

The conversation took place the last time someone had one of these "oh wait, encryption doesn't really stop people accessing my data does it?" topics: here.

For my home stuff, one backup is fine. At work I have an external 2TB drive to which I write various backups. I only ever delete (oldest) backups when the drive fills up, which tends to be about a year. For development I sometimes need to be able to go back and find when a certain change was introduced, so a single backup doesn't work for that. This is my personal backup regime: the IT people also have one of those indiscriminate nightly server backup thingies that I don't know or care about: not under my control == not something I trust my livelihood to!
mpack
Site Moderator

Re: How to re-use encrypted VDI???

Post by mpack »

socratis wrote:Actually, it's not a bad idea after all. Just quoting the paragraph from the manual (see my previous post) with an "OK, I understand the ramifications" and "No way, get me out of here" buttons would be an adequate run-time warning.
I agree. However at this time the feature is new and unproven, while that is the kind of frill that tends to be added with time.

If someone feels strongly about this then it could be raised as a BugTracker improvement suggestion.
loukingjr
Volunteer

Re: How to re-use encrypted VDI???

Post by loukingjr »

mpack wrote:The conversation took place the last time someone had one of these "oh wait, encryption doesn't really stop people accessing my data does it?" topics: here.
Geez, I am getting forgetful.
chrismin
Posts: 2
Joined: 7. Jun 2020, 22:35

Re: How to re-use encrypted VDI???

Post by chrismin »

Thanks for above input from everyone.

I've been struggling to handle encrypted media (VDI image or raw-disk VMDK) in a consistent way, following the hints and guides above.
Here is what I found, which seems to be working for me.

My setup is a headless Arch host (VirtualBox v6.1.8) and a variety of VMs running on it.
I prefer the CLI, but I also have phpVirtualBox, where I can check and confirm (or not :) ) actions.

I've been trying to find the right way of attaching/detaching encrypted images, bearing in mind that encrypted media may need to be moved to a different host machine or re-attached to other VM(s) from an image file backup.
This is also to make sure that, in case of some failure, the data can be decrypted and extracted from the encrypted drive or mounted in some other way (at least for fixed-size VDIs).

Here is what I found:
1. create the VDI independently of the VM (before the target VM even exists in the list of VMs):

vboxmanage createmedium disk --filename encrypted.vdi --size 4000 --variant Standard
Medium created. UUID: ebfb0df5-d456-47b1-9282-dbccf51d9efb
2. encrypt the created VDI:

vboxmanage encryptmedium ebfb0df5-d456-47b1-9282-dbccf51d9efb --newpassword - --cipher AES-XTS128-PLAIN64 --newpasswordid prikey
Type the password when prompted.

3. VirtualBox has now put the new image into the list with the following data:

vboxmanage showmediuminfo ebfb0df5-d456-47b1-9282-dbccf51d9efb
UUID: ebfb0df5-d456-47b1-9282-dbccf51d9efb
Parent UUID: base
State: created
Type: normal (base)
Location: /srv/vbox/encrypted.vdi
Storage format: VDI
Format variant: dynamic default
Capacity: 4000 MBytes
Size on disk: 2 MBytes
Encryption: enabled
Cipher: AES-XTS128-PLAIN64
Password ID: prikey
Property: AllocationBlockSize=1048576
CRYPT/KeyId=prikey
CRYPT/KeyStore=U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
MjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9e
auuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBO
AAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJ
YRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA==
Please back up this output into a separate file (perhaps with the password used during creation) in a safe place.
The image is listed in the (web) GUI Virtual Media Manager or via the CLI: vboxmanage list hdds (here you can also see the line Encryption: enabled).

4. Remove this image in the Virtual Media Manager (or via CLI closemedium), but don't delete the image file. Check the manager or the list again to confirm it is no longer listed.

5. Now attach the image file (by selecting the image file) to a VM which you want to use to access the data (perhaps even on a different host machine).

6. In my case the image becomes attached to the selected VM, but the CRYPT information seems to be lost. The image is basically attached as a regular unencrypted image.

vboxmanage list hdds
UUID: ebfb0df5-d456-47b1-9282-dbccf51d9efb
Parent UUID: base
State: created
Type: normal (base)
Location: /srv/vbox/encrypted.vdi
Storage format: VDI
Capacity: 4000 MBytes
Encryption: disabled
and the same output from vboxmanage showmediuminfo ebfb0df5-d456-47b1-9282-dbccf51d9efb

7. Now THE MAGIC that works for me:

vboxmanage mediumproperty disk set encrypted.vdi CRYPT\/KeyId prikey
vboxmanage mediumproperty disk set encrypted.vdi CRYPT\/KeyStore U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9eauuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBOAAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJYRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
If you have not made a mistake copying/pasting the key ID and keystore from your backup notes, you should see that the medium information now shows the correct fields for Cipher and Encryption, as below:
UUID: ebfb0df5-d456-47b1-9282-dbccf51d9efb
Parent UUID: base
State: created
Type: normal (base)
Location: /srv/vbox/encrypted.vdi
Storage format: VDI
Format variant: dynamic default
Capacity: 4000 MBytes
Size on disk: 2 MBytes
Encryption: enabled
Cipher: AES-XTS128-PLAIN64
Password ID: prikey
Property: AllocationBlockSize=1048576
CRYPT/KeyId=prikey
CRYPT/KeyStore=U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9eauuNjJyjsBZOjyAAAACJ4kFrFwm9SYuNyKiOaTD9gJSzUQimukyoJZkEaAS/LCBOAAD/EOzWmBsDaDvpnYFftWW5diIkYY0qMJ9lExbphW0+LkB+BQAgAAAAFn2cRpQJYRwxXgtwkEMh5X94dcCZzzPuVwg80O9f07sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
Please try it for yourself and let me know if this works for earlier VirtualBox versions.

NOTE: the above seems to work with encrypted physical raw disks described by a VMDK file.
NOTE2: please mind the escape character in my code in case you work on a Windows host.

I hope this helps.
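The fiddly part of the procedure above is step 7: `showmediuminfo` wraps the CRYPT/KeyStore value across several lines, and the restore command needs it back as one unbroken string. The script below is an added example (not code from VirtualBox or from the post): it parses saved `showmediuminfo` output, joins the wrapped keystore, and prints the two `mediumproperty set` commands for a given image, failing loudly when the output contains no CRYPT/* properties (which is what a re-attached image without its keystore looks like in step 6). The sample output it parses is constructed here, assembled from the post's own listing with the keystore truncated; the function names are the example's own. One caveat for the backup advice in the post: the keystore is the password-wrapped disk key (its base64 decodes to the cipher name and the KDF, PBKDF2-SHA256, followed by the wrapped key), so it is useless without the password, and for the same reason keeping the password in the same file as the keystore turns two secrets into one; store them separately.

```shell
#!/bin/sh
# Added example, not code from the VirtualBox project or from the forum post:
# recover the CRYPT/KeyId and CRYPT/KeyStore medium properties from saved
# `vboxmanage showmediuminfo` output and emit the two `mediumproperty set`
# commands that re-attach them to an image (step 7 of the post above).
# showmediuminfo wraps the base64 keystore across several lines, so the
# continuation lines are joined back into the single line VBoxManage expects.

# Print the key ID on line 1 and the joined keystore on line 2.
# Reads showmediuminfo output on stdin; prints nothing for an unencrypted image.
vdi_crypt_props() {
    awk '
        /^[[:space:]]*CRYPT\/KeyId=/    { sub(/^[^=]*=/, ""); keyid = $0; next }
        /^[[:space:]]*CRYPT\/KeyStore=/ { sub(/^[^=]*=/, ""); ks = $0; inks = 1; next }
        # a line holding only base64 text directly after the keystore is a wrapped continuation
        inks && /^[[:space:]]*[A-Za-z0-9+\/]+=*$/ { sub(/^[[:space:]]*/, ""); ks = ks $0; next }
        { inks = 0 }
        END { if (keyid != "" && ks != "") { print keyid; print ks } }
    '
}

# Print the restore commands for medium $1 (file name or UUID), reading the
# showmediuminfo output on stdin.  Fails if no CRYPT/* properties are present.
vdi_restore_cmds() {
    medium=$1
    props=$(vdi_crypt_props)
    if [ -z "$props" ]; then
        echo "no CRYPT/KeyId and CRYPT/KeyStore found: is the saved output from an encrypted image?" >&2
        return 1
    fi
    keyid=$(printf '%s\n' "$props" | sed -n 1p)
    ks=$(printf '%s\n' "$props" | sed -n 2p)
    # The slash needs no escaping in a POSIX shell; the post's CRYPT\/KeyId is equivalent.
    printf 'vboxmanage mediumproperty disk set %s CRYPT/KeyId %s\n' "$medium" "$keyid"
    printf 'vboxmanage mediumproperty disk set %s CRYPT/KeyStore %s\n' "$medium" "$ks"
}

# Constructed sample in the layout of the post's showmediuminfo output; the
# keystore is the post's value truncated to three lines, wrapped as the tool prints it.
KS1='U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB'
KS2='MjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAACtprBQRMnClzwnvXB5bXLMVA7Pos9e'
KS3='AAAAAAAAAAAAAA=='
SAMPLE_INFO=$(printf '%s\n' \
    'UUID:           ebfb0df5-d456-47b1-9282-dbccf51d9efb' \
    'Location:       /srv/vbox/encrypted.vdi' \
    'Encryption:     enabled' \
    'Cipher:         AES-XTS128-PLAIN64' \
    'Password ID:    prikey' \
    'Property:       AllocationBlockSize=1048576' \
    '                CRYPT/KeyId=prikey' \
    "                CRYPT/KeyStore=$KS1" \
    "$KS2" \
    "$KS3")

# Stand-alone demo: print the commands to run against the re-attached image.
printf '%s\n' "$SAMPLE_INFO" | vdi_restore_cmds encrypted.vdi
```

In practice you would feed it the file saved in step 3 (`vdi_restore_cmds encrypted.vdi < encrypted.vdi.keystore.txt`), review the two printed commands, and then run them; after that, `vboxmanage showmediuminfo` should again report Encryption: enabled and the original Cipher and Password ID, as in the post's step 7 listing.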