[Solved] Encryption password for guest OS no longer working

[t6535]

Hi,
I had encrypted several guest OSes with the same disk encryption settings in virtualbox 6.0.4:
Disk encryption cipher: AES-XTS256-PLAIN264 (Settings --> Disk Encryption --> Enable Disk Encryption)
I used the same password for all VMs

Everything had been working fine for several days, but today I cannot start ANY of the VMs, here's the error message I get:
"Encryption password for ID = [VM name] is invalid."

Also, the fact that the issue is present across all my VMs is mindboggling.

The host is running macOS Mojave.

I have tried typing in the password as well as copy-pasting it, so I don't think it's a keyboard issue. I am also 100% sure that it is typed correctly (I have checked multiple sources).

I would highly appreciate if you have any ideas that are worth trying. Unfortunately, I have valuable information inside these VMs that is not backed up, and now that the encryption password is not working I am worried that I lost my data.

[socratis]

Pick a VM, any VM that has a problem and post its VBOX file.

Right-click on the VM in the VirtualBox Manager. Select "Show in Finder". ZIP the selected ".vbox" file and attach it to your response.

[t6535]

Thanks so much for the quick reply. I really appreciate it.

I am attaching the vbox file.

Please let me know if there's any other info I can give you.

[socratis]

Please post the file "/Users/<you>/Library/VirtualBox/VirtualBox.xml" and the "VirtualBox.xml-prev" next to it. ZIP them and attach them to your reply...

This VM does NOT contain an encrypted VDI. In fact things don't look to good to be honest with you... The whole <MediaRegistry> section is missing! Example of a section like that, with an encrypted medium:

<MediaRegistry>
  <HardDisks>
    <HardDisk uuid="{992e63e4-85b9-4018-8812-2df7ef337b57}" location="FreeDOS 1.2 Clone.vdi" format="VDI" type="Normal">
      <Property name="CRYPT/KeyId" value="FreeDOS 1.2 Clone"/>
      <Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAADikV3FgL9VJdN8+VmKIsrNQcacaYLe
Lhom8iF6BIlvwCAAAACRqZyzjqwGKW/cyOFlF4jZQsGZ3w19r5FD539Zr1/RxSBO
AACF1XUPNmHy+u5mMJxEMZhOETtQZV+OLLF/Ris2g4wsteAiAgBAAAAAgkOchi9D
OsL7UbXcUPw9d+bszpN04bVUAaWxCaGF2oVx/JqQ+x5wr9G7jrQZChTSUSKzOrHa
nD2ZkNWpEyq9nQ=="/>
    </HardDisk>
  </HardDisks>
</MediaRegistry>

If this is what I think it is, then:

I Have a Bad Feeling About This...

[t6535]

Oh that doesn't sound good
I am attaching a ZIP file with the XML files. Hope there's something that can be done.
Thanks again for the follow-up.

[socratis]

OK, it *is* the thing I was afraid of, a really rare bug. So "rare" and not-reproducible that I haven't filed a ticket for it, and I haven't heard of anyone reporting this except myself. I've been bitten a couple of times by that, but since I'm messing all the time with different versions, always testing the latest test builds, I thought it might have something to do with that aspect...

Here's what's going on... There is a section in each .VBOX file that holds the registered media, an example of which I showed you in my last post.

For some really weird reason, and under some really funky, unknown conditions, that same section can be found in the global settings file, VirtualBox.xml, but missing from the .vbox file!

VirtualBox will honor both locations. And that's part of the problem, because everything seems "normal", everything is working, snapshots, reverting, the whole thing. The only way to find out (and that's how I found out) was to copy the VM and try to register it on another host. The VM is not functioning, since the <MediaRegistry> section is missing from the VM config, and it's in the per-host config. Not supposed to be like that!

And this is exactly what's happening in your case; the <MediaRegistry> section is missing from your .vbox, but it's in the VirtualBox.xml. Now, in theory, this "move" should work and you should be prompted for your password. But obviously you're not.

Can you tell me exactly what happend? How did you end up like that? Did you move/create/change anything? Or it started happening just all of a sudden? I need each and every detail, no matter how insignificant you might think it is; we're trying to solve a mystery here...

[t6535]

At T=0 I started both VMs, everything was running as usual. I did not do any changes to the guest OSes (I did not touch anything beyond the home directory and certainly nothing that requires sudo).

At T0+~3h I shut down both guest OSes, the way I usually do, which is from within the guest OS.

At T0+~3.25h I thought I should try to change the settings to optimize performance (for some reason the VMs have been very slow since I first installed them, but I was never able to figure out why). For the two VMs, I reduced the number of processors from 2 to 1. I also reduced the base memory in both, but I don't remember by how much. I did not try to start the VMs after changing these settings and I put my host OS to sleep.

At T0+~9h I tried to start the VMs but the encryption password no longer worked. After it became clear that it wasn't just a case of a typing error, here's what I tried:

- Restored the processor and memory settings to the best of my recollection
- I thought it might be an issue with VirtualBox and not the images themselves since I thought it's unlikely that both became corrupted at the same time. So I installed VirtualBox 5.2 along with the appropriate extension pack but that didn't work either
- I reinstalled VirtualBox 6.0.4 with the appropriate extension but the problem persisted

That's about everything I can remember, but let me know if you have any specific questions or if any logs can be helpful.

My understanding of all of this is rather naive, but is it worth trying to manually copy the <MediaRegistry> part from the VirtualBox.xml to the .vbox?

Again, thanks so much. I really appreciate all your help.

[klaus]

The media registry transfer to VirtualBox.xml shouldn't happen (and while I know a reason in which this can happen you definitely didn't mention the magic words "cloning" or "importing" so far), but as such shouldn't be harmful. All the vital information is still there (and the KeyStore stuff isn't lost, which is the most important thing as this is where the password encrypted key for the data on disk lives). The only catch is that it wouldn't move with the VM as intended when copying the directory to a different system.

[aeichner]

Please also attach the VBox.log and <VM name>.vbox and <VM name>.vbox-prev files for the affected VM. I wasn't able to reproduce your issue here by moving the medium to the global registry. Encrypted disks still work here.

[t6535]

Thank you so much for your help.

I am very glad to hear that the vital information is still there. Any suggestions on how I can proceed to access my VM again?

I am attaching a zip file containing the VBox.log and <VM name>.vbox and <VM name>.vbox-prev files.

Klaus: just to clarify, I did not do any "cloning" or "importing". After the password stopped working, I did try to install VirtualBox 5.2 instead of the 6.0 I had been using, but since the VM directories were the same I did not have to import anything. Anyway, that didn't work and I again replaced 5.2 with 6.0.

[t6535]

Hi again,
Sorry for the persistence, but any thoughts on how I can access my vm again?
Thanks a lot.

[mpack]

The attachment contains manually edited "VirtualBox.xml" and "Whonix-Gateway.XFCE.vbox". You should back up your existing copies of these files and overwrite them with these - report the results.

I notice that two encrypted hard disks are registered (incorrectly) in VirtualBox.xml, only one of those was used by the VM, so presumably there's another VM with the same problem which will need a similar fix (I did not bother to read the above discussion, so perhaps you already said).

[socratis]

First of all, sorry for the late reply, but things have been kind of crazy... Just look at how many tabs I have open on the to-answer-tab-list! That's not the whole list of tabs, plus the red topics are the ones I haven't read yet!

but any thoughts on how I can access my vm again?

What 'mpack' sent your way is the <MediaRegistry> section that's moved from the global "VirtualBox.xml" to the specific "Whonix-Gateway-XFCE.vbox". It's the same exact information, which is what it's supposed to be if things are right. That doesn't mean they're 100% wrong, they're just being read from the wrong place.

Now, I'm not sure if this will fix your problem or not. I'm leaning towards not, but you never know. As 'aeichner' said, this should not affect the availability of the encryption part.

But, these are pre-made VMs that you downloaded from someplace else. I know because I have them as well. There can't be too many things that you have there that you wouldn't mind losing, are there?

[t6535]

It worked, thank you all so much!!
I did the same for the other VM, worked as well.
I'm backing everything up from now on

[socratis]

I wasn't able to reproduce your issue here by moving the medium to the global registry. Encrypted disks still work here.

And I tried what "aeichner" tried as well, successfully. And then you come back with:

It worked ... I did the same for the other VM, worked as well.

The big question is why it was failing before!!!
/me scratches head...

Is there anything missing from your original description?

BTW, I'm really glad that the whole thing worked, marking as [Solved].