One thing: the password and the key (DEK) are different things. The password cloaks the DEK, which is stored in cloaked form in your .vbox file. Don't lose the .vbox file, as the HDD contents will be totally unrecoverable.
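To make the password/DEK split concrete, here is an added toy model (not VirtualBox's or the Extension Pack's code, and not its cipher): the password only derives a key-encryption key that wraps the DEK, the wrapped DEK plays the role of the record in the .vbox file, and the image is encrypted under the DEK alone. The stream cipher is an HMAC-SHA256 counter keystream standing in for a real disk cipher, and all inputs (salt, DEK, plaintext, passwords) are constructed.

```python
import hashlib
import hmac
ITERATIONS = 100_000  # PBKDF2 work factor; constructed value, not VirtualBox's

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher: HMAC-SHA256(key, label || counter) keystream.
    Stands in for the real disk cipher; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def derive_kek(password: str, salt: bytes) -> bytes:
    # The password only ever yields a key-encryption key; it never touches the image.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def cloak_dek(password: str, dek: bytes, salt: bytes) -> bytes:
    """Stand-in for the .vbox record: the DEK wrapped under the KEK plus a MAC."""
    kek = derive_kek(password, salt)
    wrapped = keystream_xor(kek, b"dek-wrap", dek)
    return wrapped + hmac.new(kek, wrapped, hashlib.sha256).digest()

def uncloak_dek(password: str, cloaked: bytes, salt: bytes) -> bytes:
    kek = derive_kek(password, salt)
    wrapped, tag = cloaked[:-32], cloaked[-32:]
    if not hmac.compare_digest(hmac.new(kek, wrapped, hashlib.sha256).digest(), tag):
        raise ValueError("wrong password (or corrupted cloaked-DEK record)")
    return keystream_xor(kek, b"dek-wrap", wrapped)

def password_opens(password: str, cloaked: bytes, salt: bytes) -> bool:
    try:
        uncloak_dek(password, cloaked, salt)
        return True
    except ValueError:
        return False

def change_password(old: str, new: str, cloaked: bytes, salt: bytes) -> bytes:
    # Only the cloaked DEK is rewritten; the encrypted image bytes are untouched.
    return cloak_dek(new, uncloak_dek(old, cloaked, salt), salt)

def encrypt_image(dek: bytes, data: bytes) -> bytes:
    return keystream_xor(dek, b"disk-image", data)  # call again on ciphertext to decrypt

# Constructed inputs: a fixed DEK so the run is deterministic (use os.urandom(32) for real).
SALT = b"constructed-salt"
DEK = bytes(range(32))
PLAINTEXT = b"guest filesystem bytes (constructed)"
IMAGE = encrypt_image(DEK, PLAINTEXT)           # the encrypted .vdi contents
CLOAKED = cloak_dek("hunter2", DEK, SALT)       # the record kept in the .vbox file
RECLOAKED = change_password("hunter2", "correct horse", CLOAKED, SALT)
```

Changing the password produces a new cloaked record while IMAGE stays byte-identical, and without the cloaked record there is no path from the password to the DEK, which is why losing the .vbox file loses the disk.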
I have cloned a VM guest and tried it out. Here are some answers to my questions:
- If I set up a password in the VirtualBox Manager does it start encrypting the existing *.vdi file immediately?
Yes, it does.
- How long does the process need per GB? I know it depends on my CPU, HDD speed, etc.
It took a few minutes only on my PC with a VB guest of about 12GB on a HDD.
- Is the VDI file getting bigger or does it stay about the same size?
The VDI file stayed at about the same size.
- Can an encrypted VM still use dynamically allocated disks?
Yes, no difference to a non-encrypted VM.
- How long can the password be?
I couldn't find an answer to this question.
- Which signs are allowed in a password?
I couldn't find an answer to this question. Maybe someone can take a look into the source code to answer both questions.
- When I 'save the machine state' do I have to enter the password whenever I start the VM again?
Yes. What disappointed me was that you can see the screen of the saved machine behind the small password window. If there is any confidential information on it someone can see it without having a password. That should be changed.
PeterE wrote: 29. Aug 2023, 07:19
What disappointed me was that you can see the screen of the saved machine behind the small password window. If there is any confidential information on it someone can see it without having a password. That should be changed.
It sounds easily fixed. You should raise a BugTracker ticket for it.
PeterE wrote: 29. Aug 2023, 07:19
- How long can the password be?
- Which signs are allowed in a password?
The length of the password must be less than 1024 bytes when read from the console, and less than 512 bytes when read from a password file. Input characters are restricted by the input method used and by the handling of end-of-line characters and the terminating zero byte.
If you need more details, you'll have to look into the VirtualBox source code yourself, starting point: handleEncryptMedium().
PeterE wrote: 30. Aug 2023, 01:16
One more question: was the encryption audited by an independent expert?
I don't know (and I don't work for Oracle or the VirtualBox development). But I know that it uses the same mechanisms as most full disk encryption implementations (e.g. BitLocker, LUKS, VeraCrypt). Note that the VirtualBox Disk Image Encryption implementation is part of the VirtualBox Extension Pack and therefore not available as open source.