Page 1 of 2

Encrypting Virtual Machines

Posted: 20. Oct 2007, 10:37
by wing
Is it difficult to implement a function, that makes it possible to encrypt the virtual Machines, or better the virtual disk images... So that you have to enter a password to start them.

Re: Encrypting Virtual Machines

Posted: 30. Nov 2007, 17:18
by tschutschi
wing wrote:Is it difficult to implement a function, that makes it possible to encrypt the virtual Machines, or better the virtual disk images... So that you have to enter a password to start them.
hi,

i am encountering the same problem. our costumer also wants to encrypt the vm and / or the linux box.

any hints for me to encrypt the vm?

thanks (also from germany ;-)) )

tschutschi

Posted: 18. Jul 2008, 18:39
by tommytao
Give it a shoot :)

Sentry
http://www.softwinter.com/

Posted: 5. Aug 2008, 02:42
by Kitsune
You could simply use something like TrueCrypt (cross-platform) or dm-crypt (Linux specific, included with most distros) with an encrypted disk image. You could store the VDI or the enture VirtualBox folder on the encrypted disk so that way you need the key to be able to access it.

Althernatively, you could use dm-crypt on Linux guests or truecrypt on Windows guests to encrypt the virtual machine's disks. Which is better for you really depends on your needs, each of them would have their own pros and cons.

It'd probably be best to use a tool dedicated to that job as encryption is quite a hard thing to get right and there are already several really good tools for it that have had a good bit of auditing.

Posted: 5. Aug 2008, 03:21
by TerryE
Linux, Windows and Mac all allow you to encrypt either at a file level or at a filesystem level. Given this, I am not sure that this would score very high in the priority list for new VB functionality.

Is using whole disk truecrypt encryption really protecting?

Posted: 19. Feb 2009, 15:58
by Kirkules
I know this thread is quite old.
What I'm wondering is if one should only use truecrypt full disk protection for a fixed sized disk or if it is ok for a dynamic disk.
I'm also wondering if the vdi format would log changes in a way to where truecrypt's encryption can be broken.
I have been using whole disk encryption with a XP virtualbox made with tinyxp rev 9 that is fixed at 2.8 gigs.
Every once and awhile it blue screens on me....usually if I try to do too much and run out of ram I think.
My thoughts have been using truecrypt and having it message that it is missing its file system makes the vdi just look like a bad vdi. I don't know how easy it would be to tell if it is a truecrypted system?

Re: Is using whole disk truecrypt encryption really protecti

Posted: 19. Feb 2009, 17:20
by TerryE
As far as the Host OS is concerned, any VD image is just a file being accessed by an application. I use Pointsec (whole disk) encryption on my XP laptop without any problems. I also have some AES loopback incrypted logical partitions served using LVM on my Ububtu 64bit system.

Posted: 19. Feb 2009, 22:53
by right-or-am-i-wrong
I think this has to be done on the Host side.
This is the place of your images. The scenario "someone stealing your VDI " :shock: ... to get your data , starts at this location. The physical Host.
You can simply block the VBox program from running - there are tools out there ( for XP/WIN Hosts - search for "exe blocker")
This is simple security for multiuser-hosts.
A simple password protection inside VBox , seems to be a good suggestion anyway...
If you want good security (Windows host), create a extra partition - only for your VDI images and machine settings. The HDDs are big enough today.
Better ( if no mobile computer) : spend an entire harddrive only for your VDI Images+settings. Use TrueCrypt ( a good stable open source solution) and encrypt the whole drive/partition . Mount it (use the same volume mount label everytime! ) before you start the guest. Done.
You can create a TrueCrypt-container, if you don't want to encrypt an entire partition.
For performance reasons - try to use fixed size images , don't use your hosts system partition for your guests.
It's no problem at all using TrueCrypt containers inside the guest.

greets

Posted: 22. Feb 2009, 04:55
by rlhamil
If VirtualBox ever could get paged out on
guest memory, one might want to enable
encrypted swap on the host as well (if possible),
or someone could get raw guest memory data
out of host swap.

Posted: 22. Feb 2009, 12:11
by sej7278
this is something that should be done on the host.

just use linux dm-crypt and encryt your whole drive including swap.

this is not a feature that the virtualbox devs need to waste their time adding into the program itself.

Posted: 23. Feb 2009, 18:05
by Kirkules
I'm just wondering which is better:
A. Using truecrpyt whole disk protection on the guest system with a fixed size vdi.
B. Keeping a quest vdi stored in an encrypted container.
My thought is by encrypting the quest OS with whole disk encryption allows you to not need truecrypt installed on he host system which could help in non admin situations. Of course I believe you have to have admin rights to install virtualbox on XP hosts anyways.
Also you wouldn't take up extra space sizing a container.
I believe in order to hack into a wholly disk encrypted VDI you would have to mount it with another guest and try to brute force it.
I know that with this scenario that the vdi file would not be encrypted itself but wouldn't the data it contains still be gobbly guke from truecrypt?
I also don't know which scenario lends to better performance.

Posted: 23. Feb 2009, 19:07
by TerryE
I don't have true crypt on my host OS, but I do have a couple of LVM virtual partitions that are AES loop-mount encrypted and this works fine.

There is little performance difference between A and B. The disadvantage of A is that since these encryption systems encrypt the entire volume, you've really got to use a fixed size VDI. It is also less convenient if you want to operate on the disk with gparted or a liveCD. The advantage is that you can backup the partition off-machine securely but just doing a copy. One the other hand, separately encrypting a smart backup of a VDI will typically be less than 25% of the size of a bare truecrypt copy.

So it all depends, but on balance for my needs and threat levels I prefer the encrypted LVM partition on the host.

Posted: 1. Mar 2009, 00:50
by right-or-am-i-wrong
@Kirkules

"My thought is by encrypting the quest OS with whole disk encryption allows you to not need truecrypt installed on he host system which could help in non admin situations"

> get a portable version, runs without installing...


"A. Using truecrpyt whole disk protection on the guest system with a fixed size vdi. "

> If you can, get a fast Seagate , encrypt it with NTFS file-system ( if you are working with Windows ). If you are really paranoid , you can create an extra crypt container /inside an extra crypt container/ inside your vdi - and : don't use any swapfiles.
It's for James Bond... 8)

greets

Re: Encrypting Virtual Machines

Posted: 9. Aug 2010, 09:45
by lacis_alfredo
Hi, I just tried using an encrypted partition in Ubuntu 10.04 host to host an XP guest. (I have several guests already, but they are hosted in an unencrypted partition.)

I copied the guest using "VBoxManage clonehd ...." to the encrypted partition.

One small problem - when the Guest is booted, it tries to decrypt the whole 13Gb image first! It's been half-an-hour now, and it hasn't got to the "Windows XP Starting" screen yet.

Obviously this is not the way to do it. Any suggestions?
SORRY: It wasn't the encryption - after copying the VM image using VBoxManage, I created a new .xml file, but did not go back, after it was created, to tick the [ ] Enable IO APIC.

a) if it's required to use VBoxManage to clone images, why isn't this functionality already in Oracle VM VirtualBox?

b) it would also mean that mistakes like this omission wouldn't occur.

Re: Encrypting Virtual Machines

Posted: 9. Aug 2010, 10:03
by TerryE
?? what encryption file system are you using ?? I've never had this problem.