I have a virtual machine with the full virtual disk (vdi format in case that matters) encrypted using VirtualBox's built in disk encryption. I have had it for months and haven't had any problems with it but now i don't need it to be encrypted anymore so i went to the settings of that VM and in the Disk Encryption tab unchecked the checkbox and clicked OK and then typed in the password and it started decrypting it and the progressbar got to at least 1%. Everything up to this point went exactly how i expected it would go but what i didn't expect is a sudden power outage that lasted just long enough to forcibly power off the desktop computer on which the decrypting was happening.
Now when i go to the settings of that VM the checkbox isn't checked anymore and using VirtualBoxManage's showmediuminfo says "Encryption: disabled"
How to continue virtual drive decryption?
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: How to continue virtual drive decryption?
That's a bad situation! Hate to have to say it, but unless you can restore the encrypted VM from your regular backups, and a new UPS is on the way, it's toast.
Re: How to continue virtual drive decryption?
Poking at the file in a hex editor makes it seem that the decrypting was done sequentially and i can find a clear point at just under 3 gigabytes into the file where it goes from clearly decrypted data to complete gibberish (encrypted data). Poking at the rest of the file i can't find any sings of anything being decrypted there past that point and everything before that point is clearly not encrypted. Isn't there any way to forcibly decrypt the rest of the file or even the whole file again so that i'd only lose what's currently decrypted (which i could manually copy to another file for a potential later merging back into the main file once it is decrypted)?
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: How to continue virtual drive decryption?
The only methods provided by Virtualbox are through the vboxmanage commands or through the GUI. Looking through the manual, there do not seem to be any ways to start the decryption at a certain offset.
The key data, needed to decrypt along with the password in whatever fashion the Virtualbox source code does that, is located in the VM's .vbox file. Here is an example from an encrypted VM I have:
If your .vbox file doesn't have this "CRYPT/KeyId" and "CRYPT/KeyStore" data anymore, then you don't have the ability to get the actual encryption key that's calculated from the KeyStore and the password. At this point you can only start over using your backups.
If you still have this KeyStore data, you may be able to write a program that can calculate the encryption key and decrypt the remainder of the disk data, if you can figure out how Virtualbox does the encryption and decryption. (Unfortunately the source code for the encryption is closed, being in the closed-licensed Extension Pack, so you'd have to roll this program yourself.)
The key data, needed to decrypt along with the password in whatever fashion the Virtualbox source code does that, is located in the VM's .vbox file. Here is an example from an encrypted VM I have:
Your disk's data would be far different from the above, BTW.<HardDisk uuid="{39fd07c2-fe2d-4093-bf9e-f77b895b18d6}" location="DOS2 encrypted-disk1.vdi" format="VDI" type="Normal">
<Property name="CRYPT/KeyId" value="DOS2 encrypted"/>
<Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAJ9EurYq1fB+q9WO6DhCFkfdh739nw ajcqf/aKoqEyzCAAAAALpqXA+MIGLTPjyx42xdGY0msah1fx71tLGTEa2i3SwiBO AAAjeC7NqYm7PgHH1YEYWAZa5FXljTMkClFbPpl5tWPWXYA4AQBAAAAAWc5FVJ8a yie1c6fp2YQyI/VsP3LZXM7PtR+cv7UYdS70shFr8IsdIeQCMEemPA0drhpH6V/g GG/ut2oWKjfBIA=="/>
</HardDisk>
If your .vbox file doesn't have this "CRYPT/KeyId" and "CRYPT/KeyStore" data anymore, then you don't have the ability to get the actual encryption key that's calculated from the KeyStore and the password. At this point you can only start over using your backups.
If you still have this KeyStore data, you may be able to write a program that can calculate the encryption key and decrypt the remainder of the disk data, if you can figure out how Virtualbox does the encryption and decryption. (Unfortunately the source code for the encryption is closed, being in the closed-licensed Extension Pack, so you'd have to roll this program yourself.)
Re: How to continue virtual drive decryption?
For some reason this VM has 3 .vbox files that are nearly identical in contents and have all been modified at about the same time and one of them does still have the KeyStore data. The uuid for the disk is the same in all three of them. So there's at least hope?
Can i somehow forcibly "flag" the file as encrypted again to make vboxmanage restart decrypting it from the beginning? I know this would destroy the currently decrypted data but as far as i can tell that is all just pieces of Windows that can probably be fixed by using a Windows recovery disc or even just be ignored and the actually important data (that is still encrypted) just copied out of there with the disk plugged into another vm as a secondary drive.
Can i somehow forcibly "flag" the file as encrypted again to make vboxmanage restart decrypting it from the beginning? I know this would destroy the currently decrypted data but as far as i can tell that is all just pieces of Windows that can probably be fixed by using a Windows recovery disc or even just be ignored and the actually important data (that is still encrypted) just copied out of there with the disk plugged into another vm as a secondary drive.
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: How to continue virtual drive decryption?
If the .vbox file with the key data refers to the partially-decrypted disk, then there's hope. Can you zip the .vbox files and post them using the forum's Attachments tab, please?
Re: How to continue virtual drive decryption?
Sure, the one with the KeyStore data is the one called "Pirbo X-1.15-windows.vbox".
- Attachments
-
- .vbox Files.zip
- (5.99 KiB) Downloaded 125 times
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: How to continue virtual drive decryption?
Thanks for the .vbox files. This is in the "Pirbo X-1.15-windows.vbox":
So now you need to do some research on how AES encryption works, using the schemes in the Disk Encryption tab of the VM, to see if there is a way to continue the decryption. Or take the key data in the .vbox file and the password to a data recovery company and see if they can continue the decryption.
So the decrypting data still exists, good.<HardDisk uuid="{ba6cd945-1a99-4d08-9c36-bd40387e4a04}" location="Pirbo X.vdi" format="VDI" type="Normal">
<Property name="CRYPT/KeyId" value="Pirbo X"/>
<Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAACPtxBQKlzGzEYd3CV2SuLQpVrkKp1x SzOhwzmGZaEDhiAAAABY9XOqVknqKwDATRU4jc347pfbcOm0Gqvq6BbRV4j7vCBO AAATAvdkyk1wkAui6PYwmpxIanjCZYCU4ayz7AmwXOtKS0BgCgBAAAAA9VH46Wpo giGeVMpR+Ct0eYXrVyV1K//tQkyVQUZiScpYSz5i0Gpuww2OGLUlkNgL6rM423qc OW+d012MayTaxw=="/>
</HardDisk>
So now you need to do some research on how AES encryption works, using the schemes in the Disk Encryption tab of the VM, to see if there is a way to continue the decryption. Or take the key data in the .vbox file and the password to a data recovery company and see if they can continue the decryption.
-
- Volunteer
- Posts: 5678
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: How to continue virtual drive decryption?
Yes, I think that's possible. The following assumes that you used Encryption of Disk Images and not Encryption of VMs (the latter being new in VirtualBox 7.1).some-body wrote: ↑18. Jan 2024, 20:08 Poking at the file in a hex editor makes it seem that the decrypting was done sequentially and i can find a clear point at just under 3 gigabytes into the file where it goes from clearly decrypted data to complete gibberish (encrypted data). Poking at the rest of the file i can't find any sings of anything being decrypted there past that point and everything before that point is clearly not encrypted. Isn't there any way to forcibly decrypt the rest of the file or even the whole file again so that i'd only lose what's currently decrypted (which i could manually copy to another file for a potential later merging back into the main file once it is decrypted)?
AFAIU the VDI encryption, the VDI header and block map (both at the beginning of the VDI file) are not encrypted, and they don't even contain any information if the remainder of the VDI file is encrypted or not. The only information telling VirtualBox that VDI encryption is in place is the existence of the two properties "CRYPT/KeyId" and "CRYPT/KeyStore" in the .vbox file.
In consequence, if you can recreate the .vbox file, you can let VirtualBox decrypt the "whole" virtual disk again. Note that this will create garbage in the VDI blocks that were already decrypted, but if you made a backup copy of the VDI file before starting the decryption, you can later on combine the correct parts from the VDI files before and after the decryption.