Error encrypting new virtual disk (#17637)

andy-g
Posts: 3
Joined: 21. Mar 2018, 18:13

Error encrypting new virtual disk (#17637)

Post by andy-g »


[ModEdit; related ticket: #17637: VBoxManage encryptmedium - cipher validation and documentation]
VirtualBox 5.2.8 + extension pack on Windows 10 host, 64 bit.

I read that VirtualBox now supports encrypted disks, so I thought I would give it a try.

I want to create an encrypted disk to attach to an existing VM. I don't want to encrypt the current VM disk, only the new one I will attach.

I see that disk encryption requires the extension pack, so I downloaded and installed that first.

To create the new disk I open the UI, I select the VM I want to add the disk to, then Settings > Storage > Add hard disk button > Create New Disk > VDI > Dynamically Allocated > Create

This creates a new VDI disk in the selected folder, and attaches it to the VM - so far so good.

Now to encrypt the disk, I open PowerShell, and go to the location of the disk, then type the following, where 'test-encrypted.vdi' is the name of the disk I just created above.

& 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe' encryptmedium ".\test-encrypted.vdi" --newpassword - --newpasswordid pwd1

After entering the command, I'm prompted for the password, then I immediately get the error below:

Enter new password:
0%...
Progress state: VBOX_E_INVALID_OBJECT_STATE
VBoxManage.exe: error: Failed to encrypt hard disk
VBoxManage.exe: error: The password and password identifier must be empty if the output should be unencrypted
VBoxManage.exe: error: Details: code VBOX_E_INVALID_OBJECT_STATE (0x80bb0007), component MediumWrap, interface IMedium
VBoxManage.exe: error: Context: "enum RTEXITCODE __cdecl handleEncryptMedium(struct HandlerArg *)" at line 1890 of file VBoxManageDisk.cpp


This is echoed in the VBoxSVC log:

00:00:12.850402 createEncrypt ERROR [COM]: aRC=VBOX_E_INVALID_OBJECT_STATE (0x80bb0007) aIID={4afe423b-43e0-e9d0-82e8-ceb307940dda} aComponent={MediumWrap} aText={The password and password identifier must be empty if the output should be unencrypted}, preserve=false aResultDetail=0

I've tried several times - rebooted, detached the disk first, different VMs - all with the same result.

Has anybody seen this one before?
Last edited by socratis on 19. Apr 2018, 20:05, edited 1 time in total.
Reason: Added ticket related information.
andyp73
Volunteer
Posts: 1631
Joined: 25. May 2010, 23:48
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Assorted Linux, Windows Server 2012, DOS, Windows 10, BIOS/UEFI emulation

Re: Error encrypting new virtual disk

Post by andyp73 »

andy-g wrote: Now to encrypt the disk, I open PowerShell
There have been reports of some strange issues with running VirtualBox commands in PowerShell. Can you try running it in a regular command prompt window?

-Andy.
My crystal ball is currently broken. If you want assistance you are going to have to give me all of the necessary information.
Please don't ask me to do your homework for you, I have more than enough of my own things to do.
andy-g
Posts: 3
Joined: 21. Mar 2018, 18:13

Re: Error encrypting new virtual disk

Post by andy-g »

Hi,

Sure thing - I tried from command prompt (this is on a different computer too - also Windows 10 + VirtualBox 5.2.8 + Extension pack - but same result)

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" encryptmedium ScratchDisk.vdi --newpasswordid pwd1 --newpassword -
Enter new password:
0%...
Progress state: VBOX_E_INVALID_OBJECT_STATE
VBoxManage.exe: error: Failed to encrypt hard disk
VBoxManage.exe: error: The password and password identifier must be empty if the output should be unencrypted
VBoxManage.exe: error: Details: code VBOX_E_INVALID_OBJECT_STATE (0x80bb0007), component MediumWrap, interface IMedium
VBoxManage.exe: error: Context: "enum RTEXITCODE __cdecl handleEncryptMedium(struct HandlerArg *)" at line 1890 of file VBoxManageDisk.cpp

Command prompt in administrator mode does exactly the same thing.

The fact that it keeps complaining about the object state makes me wonder if I haven't created the new disk incorrectly somehow - can you encrypt brand new dynamically sized disks? Does it matter if they are attached to a VM or not?
andy-g
Posts: 3
Joined: 21. Mar 2018, 18:13

Re: Error encrypting new virtual disk

Post by andy-g »

Hi,

TL;DR - make sure to specify a cipher! Using PowerShell or command prompt made no difference, nor did referencing the disk by UUID or file name.


I figured this out by wading through the source code. My CPP is rusty, but essentially I see this in the error:

"The password and password identifier must be empty if the output should be unencrypted"

This is the message in the exception thrown from the i_taskEncryptHandler function if the encryption task has a password and password id, but the cipher is absent. (see MediumImpl.cpp, line 10045).
The cipher is absent because the handleEncryptMedium method in VBoxManageDisk.cpp does not set a default one. Reading between the lines, I'm guessing this is because the encryptmedium command is used to encrypt and decrypt a disk. For decryption, presumably the applicable cipher is simply looked up.


The usage instructions imply that the cipher is optional (at least, the way I read it)

Usage:
VBoxManage encryptmedium <uuid|filename>
    [--newpassword <file>|-]
    [--oldpassword <file>|-]
    [--cipher <cipher identifier>]
    [--newpasswordid <password identifier>]

Though to be fair, the user guide says this:

To encrypt an unencrypted medium with VBoxManage, use:

VBoxManage encryptmedium "uuid|filename" --newpassword "file|-" --cipher "cipher id" --newpasswordid "id"

To supply the encryption password point VBoxManage to the file where the password is stored or specify - to let VBoxManage ask you for the password on the command line.

The cipher parameter specifies the cipher to use for encryption and can be either AES-XTS128-PLAIN64 or AES-XTS256-PLAIN64. The specified password identifier can be freely chosen by the user and is used for correct identification when supplying multiple passwords during VM startup.

So it seems the cipher should be present.

I'll log a bug that perhaps the validation should try to guess what the user wants - if someone is specifying newpassword and newpasswordid options without an oldpassword option, it's clear that they want to encrypt, and therefore it should either default to one of the ciphers or complain that a user should pick one.
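
Added example, not part of the thread and not VirtualBox code: a PowerShell wrapper that performs the check the post above asks for, refusing to call encryptmedium unless a cipher from the user guide's list is supplied, so the confusing VBOX_E_INVALID_OBJECT_STATE error never occurs. The function name Protect-VBoxMedium and its parameters are hypothetical; the install path and disk name are the ones from the first post.

```powershell
# Added example: pre-flight checks for 'VBoxManage encryptmedium' when
# encrypting a currently unencrypted disk.
# Protect-VBoxMedium and its parameter names are hypothetical.
function Protect-VBoxMedium {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Medium,      # UUID or path of the disk
        [Parameter(Mandatory)] [string] $PasswordId,  # freely chosen identifier
        # Mandatory on purpose: encryptmedium has no default cipher. The two
        # values are the identifiers listed in the user guide quoted above.
        [Parameter(Mandatory)]
        [ValidateSet('AES-XTS128-PLAIN64', 'AES-XTS256-PLAIN64')]
        [string] $Cipher,
        [string] $VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
    )

    if (-not (Test-Path -LiteralPath $VBoxManage)) {
        throw "VBoxManage not found at '$VBoxManage'"
    }

    # '--newpassword -' makes VBoxManage prompt for the password, so it never
    # appears on the command line or in the shell history.
    $vboxArgs = @(
        'encryptmedium', $Medium,
        '--newpassword', '-',
        '--cipher', $Cipher,
        '--newpasswordid', $PasswordId
    )
    & $VBoxManage @vboxArgs
    if ($LASTEXITCODE -ne 0) {
        throw "encryptmedium failed with exit code $LASTEXITCODE"
    }

    # Print the medium's properties so the result can be reviewed instead of
    # trusting the exit code alone.
    & $VBoxManage showmediuminfo $Medium
}

# Usage (disk name and password id taken from the first post):
# Protect-VBoxMedium -Medium '.\test-encrypted.vdi' -PasswordId 'pwd1' -Cipher 'AES-XTS256-PLAIN64'
```

Because -Cipher is a mandatory ValidateSet parameter, a missing or misspelled cipher is rejected by PowerShell at parameter binding, before VBoxManage is started.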
paulk
Posts: 2
Joined: 11. Nov 2013, 19:17

Re: Error encrypting new virtual disk (#17637)

Post by paulk »

It needs to be made clearer in the usage notes. The cipher does need to be specified to encrypt the disk, there is no default cipher value.
The usage shows it is optional, but that's only because it isn't needed when changing the password.
The error message is completely confusing if you don't realize that the cipher argument needs to be present.