Configure vm encryption to not ask for boot password every time

Discussions related to using VirtualBox on Windows hosts.

Configure vm encryption to not ask for boot password every time

Postby Catizera » 15. Oct 2021, 15:25

Hello, when we encrypt the vm by virtualbox extension pack is it possible to configure the vm not to ask for the password every time it starts?

Our idea is to make the password available only once and for it to continue working, but that it is needed again when the vm is copied to another machine in a new installation of virtualbox
Catizera
 
Posts: 3
Joined: 15. Oct 2021, 15:18

Re: Configure vm encryption to not ask for boot password every time

Postby scottgus1 » 15. Oct 2021, 19:49

Take a look at https://www.virtualbox.org/manual/ch09. ... encryption.

It does not seem that there is a enter-the-passwords-once-only method for starting an encrypted VM.

Section 9.28.3 allows for starting a VM headless (which can be done via command line) then having a command line to enter the encryption ID and password. It seems reasonable that these command lines could be in a batch file. Of course, that leaves the password in plain text on the host PC. And headless start disables 3D acceleration.

If these quid pro quo's don't cause trouble for your setup, then this may be a workaround to prevent having to enter the passwords every time.

Alternatively, consider using in-the-VM-OS encryption not Virtualbox encryption. There may be an authentication method for the VM OS that won't let the OS log in unless a particular network authentication service is available.

Also, please take careful note of the warning about backing up the .vbox file with the encryption DEK in it. We hear of some users on the forum who have lost the .vbox file with the DEK and then cannot open the vdi file, and there is nothing we can do to help.
scottgus1
Site Moderator
 
Posts: 13765
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Configure vm encryption to not ask for boot password every time

Postby Catizera » 15. Oct 2021, 21:34

Thanks, I had already found this documentation and didn't really see how to do what I need. I thought maybe there was some community trick to do this. Leaving the password in a plain-text file is not an option.

We need to make these vms available for employees to work with, but we want to prevent them from making copies of them, let's research some other way to protect the copy of these VM's, Thanks for the feedback.
Catizera
 
Posts: 3
Joined: 15. Oct 2021, 15:18

Re: Configure vm encryption to not ask for boot password every time

Postby scottgus1 » 15. Oct 2021, 23:34

No problem. My guess is that letting distributed VM usage happen while stopping unauthorized VM copying will not work with Virtualbox.

Authenticated VM running may be a better solution. Let 'em be copied, just don't let 'em run.
scottgus1
Site Moderator
 
Posts: 13765
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Configure vm encryption to not ask for boot password every time

Postby mpack » 16. Oct 2021, 10:19

Catizera wrote:Hello, when we encrypt the vm by virtualbox extension pack is it possible to configure the vm not to ask for the password every time it starts?

Nope, that would not work. The password is needed to decrypt the DEK, and without the DEK it can't read the contents of the virtual drive. I don't know any way for a password to be persistent without storing it, which is obviously out of the question.

IMO encryption is the wrong tool for the task you describe. Encryption prevents unauthorized access, not unauthorized copying. In fact encryption is completely wasted here.
mpack
Site Moderator
 
Posts: 34907
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Configure vm encryption to not ask for boot password every time

Postby Catizera » 18. Oct 2021, 14:34

Okay, I expressed myself a little wrong here. In fact, the biggest problem would not be "copying" the VM, but copying and running, if you just copy but couldn't run it solves our problem. But since users have a laptop with these vms and are allowed to use it, if I encrypt I would have to provide the password, then they could make copies and run elsewhere with that password, and that's what we want to avoid. That's why saving the password on the laptop would not be an option. As sometimes these vms will be used in remote locations without internet access, the option to use vm in the cloud doesn't suit us either.
Catizera
 
Posts: 3
Joined: 15. Oct 2021, 15:18

Re: Configure vm encryption to not ask for boot password every time

Postby mpack » 18. Oct 2021, 14:45

Note how I was careful to use the phrase "unauthorized access". By providing a password you made it authorized access, so a discussion of preventing unauthorized access is not appropriate here.

The only way I know of to do what you want is to require online activation, or an external dongle. Encryption would be irrelevant. The former would IMO be preferable since the activation could be cancelled even if the subject absconded with laptop and dongle.
mpack
Site Moderator
 
Posts: 34907
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Configure vm encryption to not ask for boot password every time

Postby scottgus1 » 18. Oct 2021, 17:03

mpack wrote:online activation, or an external dongle

This would be your solution. A cabinet design program I subscribe to has monthly license downloads (or offline text codes) that shuts down the program if I don't update the license.

Consider any solution that tries to inhibit physical access as defeatable. If you give them encryption access for a time, then the VM is theirs. ("If they get access to the physical computer, then it's not your computer anymore".) Stop the program inside the VM from running with auto-disabling-without-license technology. If data within the VM has to be protected, let the license do the encrypting/decrypting of the data itself.
scottgus1
Site Moderator
 
Posts: 13765
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Configure vm encryption to not ask for boot password every time

Postby mpack » 18. Oct 2021, 19:24

scottgus1 wrote:If you give them encryption access for a time, then the VM is theirs.

Good point, one that I forgot to make this time. If they have unrestricted access EVER then they need only back up the VM from inside the VM, e.g. using Macrium. Hey presto - no more encryption.
mpack
Site Moderator
 
Posts: 34907
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP


Return to VirtualBox on Windows Hosts

Who is online

Users browsing this forum: UliBär and 41 guests