Encrypt entire VDI rather than just the data portion
Encrypt entire VDI rather than just the data portion
It seems only the data portion of VDIs are encrypted. The header and block mapping table is left entirely in the clear, which can be used to make some pretty good guesses about the contents of the VDI data.
-
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Encrypt entire VDI rather than just the data portion
How exactly are you going to make "good guesses about the contents of the VDI data"? If I give you the size and geometry of a disk, you're going to tell me its contents? I don't get it, could you explain it to me a little bit more in detail?
An example or two wouldn't hurt either.
An example or two wouldn't hurt either.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Encrypt entire VDI rather than just the data portion
This is very very vague. What exactly is the nature of the guess you refer to?
Sure, I can guess that hard disks have partitions. I can guess that you have a bank account. But guessing has not improved my chances of accessing the details of either one, and anyway I can make that guess even with zero information (i.e. encrypted header).
If it was possible to guess at the contents of a hard disk then we wouldn't need hard disks at all would we? Instead of storing data we could just substitute our guess. How would we use encryption then? The mind boggles.
I'm afraid this smells like something you should have thought about before posting!
Sure, I can guess that hard disks have partitions. I can guess that you have a bank account. But guessing has not improved my chances of accessing the details of either one, and anyway I can make that guess even with zero information (i.e. encrypted header).
If it was possible to guess at the contents of a hard disk then we wouldn't need hard disks at all would we? Instead of storing data we could just substitute our guess. How would we use encryption then? The mind boggles.
I'm afraid this smells like something you should have thought about before posting!
Re: Encrypt entire VDI rather than just the data portion
This got a genuine laugh out of me! Psychic based storage. State of the art.mpack wrote:If it was possible to guess at the contents of a hard disk then we wouldn't need hard disks at all would we? Instead of storing data we could just substitute our guess. How would we use encryption then? The mind boggles.
I don't mean to say you could extract every data byte using only the header, but you can gain more information about the data. You know which blocks were written and in which order, which would give you information about the partition structure, formatting, bootloader type, what kind of operating system is installed, the type of software installed on the operating system, etc.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Encrypt entire VDI rather than just the data portion
I don't see how. It's only possible to "guess" anything about the content of a content of a drive because the guess is true of every drive, and the guess therefore has no value or significance. Information is, by definition (in the information theory sense, which is applicable here), something you didn't already know. There is no information in a guess.daffy1234 wrote: I don't mean to say you could extract every data byte using only the header, but you can gain more information about the data.
Re: Encrypt entire VDI rather than just the data portion
If you really feel paranoid abut the block allocation giving hints: use fixed VDI and stay away from snapshots (because they'd use differencing images). With fixed VDI the block allocation tables are there, but always entirely populated so it doesn't give any information about what's zero data and what isn't.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Encrypt entire VDI rather than just the data portion
I'm struggling to think of what value I could get from knowing a block was filled with zero bytes!
Re: Encrypt entire VDI rather than just the data portion
You need to get more paranoid try wearing a tin foil hat for a week, maybe that helps getting in the right frame of thought.
Knowing which parts of the disk contain zeroes helps with focusing on the non-zero data, and the corresponding patterns can help guessing the filesystem type and then in turn make predictions about the content of some encrypted blocks. That can lead to a known ciphertext attack - which should still insanely expensive if there are no weaknesses designed into AES-XTS. The point is that it's cheaper than banging on the first sector of the disk and trying all keys and check if the result could be a valid partition table.
Knowing which parts of the disk contain zeroes helps with focusing on the non-zero data, and the corresponding patterns can help guessing the filesystem type and then in turn make predictions about the content of some encrypted blocks. That can lead to a known ciphertext attack - which should still insanely expensive if there are no weaknesses designed into AES-XTS. The point is that it's cheaper than banging on the first sector of the disk and trying all keys and check if the result could be a valid partition table.
Re: Encrypt entire VDI rather than just the data portion
I think the OP must be using his X-Ray glasses he bought from the back of a comic book to peer into the VDI file
If you want it all encrypted then put the entire VM on an encrypted disk on the HOST. It works fine.
If you want it all encrypted then put the entire VM on an encrypted disk on the HOST. It works fine.