Configure vm encryption to not ask for boot password every time

Discussions related to using VirtualBox on Windows hosts.
Catizera
Posts: 3
Joined: 15. Oct 2021, 15:18

Configure vm encryption to not ask for boot password every time

Post by Catizera »

Hello, when we encrypt the VM with the VirtualBox Extension Pack, is it possible to configure the VM not to ask for the password every time it starts?

Our idea is to make the password available only once and for it to continue working, but that it is needed again when the VM is copied to another machine in a new installation of VirtualBox.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Configure vm encryption to not ask for boot password every time

Post by scottgus1 »

Take a look at https://www.virtualbox.org/manual/ch09. ... encryption.

It does not seem that there is an enter-the-passwords-once-only method for starting an encrypted VM.

Section 9.28.3 allows for starting a VM headless (which can be done via command line) then having a command line to enter the encryption ID and password. It seems reasonable that these command lines could be in a batch file. Of course, that leaves the password in plain text on the host PC. And headless start disables 3D acceleration.

If these quid pro quos don't cause trouble for your setup, then this may be a workaround to prevent having to enter the passwords every time.

Alternatively, consider using in-the-VM-OS encryption, not VirtualBox encryption. There may be an authentication method for the VM OS that won't let the OS log in unless a particular network authentication service is available.

Also, please take careful note of the warning about backing up the .vbox file with the encryption DEK in it. We hear of some users on the forum who have lost the .vbox file with the DEK and then cannot open the vdi file, and there is nothing we can do to help.
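
The headless start described in the post above, as an added PowerShell example that is not part of the original post or of the VirtualBox manual: it passes `-` to `addencpassword` so that VBoxManage prompts for the password on the console instead of taking it from a file or a batch script. The VM name, password ID and install path are placeholders.

```powershell
# Added example. All three values below are placeholders, not values from the thread.
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'  # assumed default install path
$VmName     = 'ExampleVM'           # placeholder VM name
$PasswordId = 'ExamplePasswordId'   # placeholder: the ID given when the disk was encrypted

function Get-VmState {
    # showvminfo --machinereadable prints key="value" lines, one of them VMState="..."
    $info = & $VBoxManage showvminfo $VmName --machinereadable
    foreach ($line in $info) {
        if ($line -match '^VMState="([^"]+)"') { return $Matches[1] }
    }
    throw "Could not read VMState for '$VmName'"
}

# 1. Start the VM without a GUI front end, so no password dialog is shown.
& $VBoxManage startvm $VmName --type headless
if ($LASTEXITCODE -ne 0) { throw "startvm failed for '$VmName'" }

# 2. Wait until the VM pauses on its first access to the encrypted disk
#    (give up after 60 seconds rather than looping forever).
$deadline = (Get-Date).AddSeconds(60)
while ((Get-VmState) -ne 'paused') {
    if ((Get-Date) -gt $deadline) {
        throw "VM did not pause for a password; state is '$(Get-VmState)'"
    }
    Start-Sleep -Seconds 1
}

# 3. Supply the password. '-' in place of a password file makes VBoxManage
#    prompt on the console, so the password never sits in a script or on disk.
#    --removeonsuspend yes drops it from VM memory when the VM is suspended.
& $VBoxManage controlvm $VmName addencpassword $PasswordId - --removeonsuspend yes
if ($LASTEXITCODE -ne 0) { throw "addencpassword failed for '$VmName'" }

Write-Output "VM state after supplying the password: $(Get-VmState)"
```

This still requires someone to type the password on every start; it only avoids the plain-text copy on the host.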
Catizera
Posts: 3
Joined: 15. Oct 2021, 15:18

Re: Configure vm encryption to not ask for boot password every time

Post by Catizera »

Thanks, I had already found this documentation and didn't really see how to do what I need. I thought maybe there was some community trick to do this. Leaving the password in a plain-text file is not an option.

We need to make these VMs available for employees to work with, but we want to prevent them from making copies of them. Let's research some other way to protect the copy of these VMs. Thanks for the feedback.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Configure vm encryption to not ask for boot password every time

Post by scottgus1 »

No problem. My guess is that letting distributed VM usage happen while stopping unauthorized VM copying will not work with VirtualBox.

Authenticated VM running may be a better solution. Let 'em be copied, just don't let 'em run.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Configure vm encryption to not ask for boot password every time

Post by mpack »

Catizera wrote: Hello, when we encrypt the VM with the VirtualBox Extension Pack, is it possible to configure the VM not to ask for the password every time it starts?
Nope, that would not work. The password is needed to decrypt the DEK, and without the DEK it can't read the contents of the virtual drive. I don't know any way for a password to be persistent without storing it, which is obviously out of the question.

IMO encryption is the wrong tool for the task you describe. Encryption prevents unauthorized access, not unauthorized copying. In fact encryption is completely wasted here.
Catizera
Posts: 3
Joined: 15. Oct 2021, 15:18

Re: Configure vm encryption to not ask for boot password every time

Post by Catizera »

Okay, I expressed myself a little wrong here. In fact, the biggest problem would not be "copying" the VM, but copying and running it; if you could just copy it but couldn't run it, that solves our problem. But since users have a laptop with these VMs and are allowed to use it, if I encrypt I would have to provide the password, then they could make copies and run them elsewhere with that password, and that's what we want to avoid. That's why saving the password on the laptop would not be an option. As sometimes these VMs will be used in remote locations without internet access, the option to use a VM in the cloud doesn't suit us either.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Configure vm encryption to not ask for boot password every time

Post by mpack »

Note how I was careful to use the phrase "unauthorized access". By providing a password you made it authorized access, so a discussion of preventing unauthorized access is not appropriate here.

The only way I know of to do what you want is to require online activation, or an external dongle. Encryption would be irrelevant. The former would IMO be preferable since the activation could be cancelled even if the subject absconded with laptop and dongle.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Configure vm encryption to not ask for boot password every time

Post by scottgus1 »

mpack wrote: online activation, or an external dongle
This would be your solution. A cabinet design program I subscribe to has monthly license downloads (or offline text codes) that shuts down the program if I don't update the license.

Consider any solution that tries to inhibit physical access as defeatable. If you give them encryption access for a time, then the VM is theirs. ("If they get access to the physical computer, then it's not your computer anymore".) Stop the program inside the VM from running with auto-disabling-without-license technology. If data within the VM has to be protected, let the license do the encrypting/decrypting of the data itself.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Configure vm encryption to not ask for boot password every time

Post by mpack »

scottgus1 wrote: If you give them encryption access for a time, then the VM is theirs.
Good point, one that I forgot to make this time. If they have unrestricted access EVER then they need only back up the VM from inside the VM, e.g. using Macrium. Hey presto - no more encryption.