How to continue virtual drive decryption?

some-body
Posts: 4
Joined: 18. Jan 2024, 19:17

Post by some-body »

I have a virtual machine with the full virtual disk (VDI format, in case that matters) encrypted using VirtualBox's built-in disk encryption. I have had it for months and haven't had any problems with it, but now I don't need it to be encrypted anymore, so I went to the settings of that VM and in the Disk Encryption tab unchecked the checkbox and clicked OK and then typed in the password, and it started decrypting it and the progress bar got to at least 1%. Everything up to this point went exactly how I expected it would go, but what I didn't expect is a sudden power outage that lasted just long enough to forcibly power off the desktop computer on which the decrypting was happening.
Now when I go to the settings of that VM the checkbox isn't checked anymore and using VirtualBoxManage's showmediuminfo says "Encryption: disabled".
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Post by scottgus1 »

That's a bad situation! Hate to have to say it, but unless you can restore the encrypted VM from your regular backups, and a new UPS is on the way, it's toast.

Post by some-body »

Poking at the file in a hex editor makes it seem that the decrypting was done sequentially, and I can find a clear point at just under 3 gigabytes into the file where it goes from clearly decrypted data to complete gibberish (encrypted data). Poking at the rest of the file, I can't find any signs of anything being decrypted there past that point, and everything before that point is clearly not encrypted. Isn't there any way to forcibly decrypt the rest of the file or even the whole file again so that I'd only lose what's currently decrypted (which I could manually copy to another file for a potential later merging back into the main file once it is decrypted)?

Post by scottgus1 »

The only methods provided by VirtualBox are through the vboxmanage commands or through the GUI. Looking through the manual, there do not seem to be any ways to start the decryption at a certain offset.

The key data, needed to decrypt along with the password in whatever fashion the VirtualBox source code does that, is located in the VM's .vbox file. Here is an example from an encrypted VM I have:
<HardDisk uuid="{39fd07c2-fe2d-4093-bf9e-f77b895b18d6}" location="DOS2 encrypted-disk1.vdi" format="VDI" type="Normal">
<Property name="CRYPT/KeyId" value="DOS2 encrypted"/>
<Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAJ9EurYq1fB+q9WO6DhCFkfdh739nw&#13;&#10;ajcqf/aKoqEyzCAAAAALpqXA+MIGLTPjyx42xdGY0msah1fx71tLGTEa2i3SwiBO&#13;&#10;AAAjeC7NqYm7PgHH1YEYWAZa5FXljTMkClFbPpl5tWPWXYA4AQBAAAAAWc5FVJ8a&#13;&#10;yie1c6fp2YQyI/VsP3LZXM7PtR+cv7UYdS70shFr8IsdIeQCMEemPA0drhpH6V/g&#13;&#10;GG/ut2oWKjfBIA=="/>
</HardDisk>
Your disk's data would be far different from the above, BTW.

If your .vbox file doesn't have this "CRYPT/KeyId" and "CRYPT/KeyStore" data anymore, then you don't have the ability to get the actual encryption key that's calculated from the KeyStore and the password. At this point you can only start over using your backups.

If you still have this KeyStore data, you may be able to write a program that can calculate the encryption key and decrypt the remainder of the disk data, if you can figure out how VirtualBox does the encryption and decryption. (Unfortunately the source code for the encryption is closed, being in the closed-licensed Extension Pack, so you'd have to roll this program yourself.)

Post by some-body »

For some reason this VM has 3 .vbox files that are nearly identical in contents and have all been modified at about the same time, and one of them does still have the KeyStore data. The uuid for the disk is the same in all three of them. So there's at least hope?

Can I somehow forcibly "flag" the file as encrypted again to make vboxmanage restart decrypting it from the beginning? I know this would destroy the currently decrypted data, but as far as I can tell that is all just pieces of Windows that can probably be fixed by using a Windows recovery disc or even just be ignored, and the actually important data (that is still encrypted) just copied out of there with the disk plugged into another VM as a secondary drive.

Post by scottgus1 »

If the .vbox file with the key data refers to the partially-decrypted disk, then there's hope. Can you zip the .vbox files and post them using the forum's Attachments tab, please?

Post by some-body »

Sure, the one with the KeyStore data is the one called "Pirbo X-1.15-windows.vbox".
Attachments
.vbox Files.zip
(5.99 KiB) Downloaded 125 times

Post by scottgus1 »

Thanks for the .vbox files. This is in the "Pirbo X-1.15-windows.vbox":
<HardDisk uuid="{ba6cd945-1a99-4d08-9c36-bd40387e4a04}" location="Pirbo X.vdi" format="VDI" type="Normal">
<Property name="CRYPT/KeyId" value="Pirbo X"/>
<Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAACPtxBQKlzGzEYd3CV2SuLQpVrkKp1x&#13;&#10;SzOhwzmGZaEDhiAAAABY9XOqVknqKwDATRU4jc347pfbcOm0Gqvq6BbRV4j7vCBO&#13;&#10;AAATAvdkyk1wkAui6PYwmpxIanjCZYCU4ayz7AmwXOtKS0BgCgBAAAAA9VH46Wpo&#13;&#10;giGeVMpR+Ct0eYXrVyV1K//tQkyVQUZiScpYSz5i0Gpuww2OGLUlkNgL6rM423qc&#13;&#10;OW+d012MayTaxw=="/>
</HardDisk>
So the decrypting data still exists, good.

So now you need to do some research on how AES encryption works, using the schemes in the Disk Encryption tab of the VM, to see if there is a way to continue the decryption. Or take the key data in the .vbox file and the password to a data recovery company and see if they can continue the decryption.
fth0
Volunteer
Posts: 5678
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Post by fth0 »

some-body wrote: 18. Jan 2024, 20:08 Poking at the file in a hex editor makes it seem that the decrypting was done sequentially, and I can find a clear point at just under 3 gigabytes into the file where it goes from clearly decrypted data to complete gibberish (encrypted data). Poking at the rest of the file, I can't find any signs of anything being decrypted there past that point, and everything before that point is clearly not encrypted. Isn't there any way to forcibly decrypt the rest of the file or even the whole file again so that I'd only lose what's currently decrypted (which I could manually copy to another file for a potential later merging back into the main file once it is decrypted)?
Yes, I think that's possible. The following assumes that you used Encryption of Disk Images and not Encryption of VMs (the latter being new in VirtualBox 7.1).

AFAIU the VDI encryption, the VDI header and block map (both at the beginning of the VDI file) are not encrypted, and they don't even contain any information if the remainder of the VDI file is encrypted or not. The only information telling VirtualBox that VDI encryption is in place is the existence of the two properties "CRYPT/KeyId" and "CRYPT/KeyStore" in the .vbox file.

In consequence, if you can recreate the .vbox file, you can let VirtualBox decrypt the "whole" virtual disk again. Note that this will create garbage in the VDI blocks that were already decrypted, but if you made a backup copy of the VDI file before starting the decryption, you can later on combine the correct parts from the VDI files before and after the decryption.
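
Added example (not code from this thread or from VirtualBox): a Python check that reports, for each `HardDisk` entry in a .vbox file, whether the "CRYPT/KeyId" and "CRYPT/KeyStore" properties are still present, which is useful when several near-identical .vbox copies exist. The function names and the sample file are constructed for illustration, and the key store field offsets (4-byte magic, 2-byte version, two 32-byte NUL-padded names) are inferred by decoding the start of the KeyStore values quoted above, not taken from documentation.

```python
import base64
import xml.etree.ElementTree as ET

def local(tag):
    """'{namespace}HardDisk' -> 'HardDisk'."""
    return tag.rsplit("}", 1)[-1]

def cstr(field):
    """Decode a NUL-padded fixed-width ASCII field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")

def crypt_state(vbox_xml):
    """Map each HardDisk uuid to None (no CRYPT/KeyStore) or a key store summary."""
    disks = {}
    for el in ET.fromstring(vbox_xml).iter():
        if local(el.tag) != "HardDisk":
            continue
        props = {p.get("name"): p.get("value") for p in el if local(p.tag) == "Property"}
        store = props.get("CRYPT/KeyStore")
        if store is None:
            disks[el.get("uuid")] = None
            continue
        raw = base64.b64decode(store)  # CR/LF from &#13;&#10; are discarded
        disks[el.get("uuid")] = {
            "key_id": props.get("CRYPT/KeyId"),
            "magic": raw[:4].decode("ascii", "replace"),
            "cipher": cstr(raw[6:38]),   # offsets inferred from the values on this page
            "kdf": cstr(raw[38:70]),
            "bytes": len(raw),
        }
    return disks

def make_sample(with_crypt):
    """Constructed .vbox fragment; the key store holds zero bytes, not real key material."""
    blob = (b"SCNE\x00\x01" + b"AES-XTS256-PLAIN64".ljust(32, b"\0")
            + b"PBKDF2-SHA256".ljust(32, b"\0") + bytes(96))
    b64 = base64.b64encode(blob).decode()
    wrapped = "&#13;&#10;".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crypt = (f'<Property name="CRYPT/KeyId" value="example"/>'
             f'<Property name="CRYPT/KeyStore" value="{wrapped}"/>') if with_crypt else ""
    return ('<VirtualBox xmlns="http://www.virtualbox.org/"><MediaRegistry><HardDisks>'
            '<HardDisk uuid="{00000000-0000-0000-0000-000000000001}" '
            f'location="example.vdi" format="VDI" type="Normal">{crypt}</HardDisk>'
            '</HardDisks></MediaRegistry></VirtualBox>')

if __name__ == "__main__":
    for name, xml in {"a.vbox": make_sample(True), "b.vbox": make_sample(False)}.items():
        for uuid, info in crypt_state(xml).items():
            print(name, uuid, info or "no CRYPT properties: disk treated as unencrypted")
```

Run `crypt_state` over the text of each .vbox copy and work only on copies of the .vbox and VDI files, never the originals.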