Encrypting Virtual Machines

Here you can provide suggestions on how to improve the product, website, etc.
wing
Posts: 6
Joined: 20. Oct 2007, 10:21
Location: Germany - Nuremberg

Encrypting Virtual Machines

Post by wing »

Is it difficult to implement a function, that makes it possible to encrypt the virtual Machines, or better the virtual disk images... So that you have to enter a password to start them.
tschutschi
Posts: 2
Joined: 30. Nov 2007, 17:13

Re: Encrypting Virtual Machines

Post by tschutschi »

wing wrote:Is it difficult to implement a function, that makes it possible to encrypt the virtual Machines, or better the virtual disk images... So that you have to enter a password to start them.
hi,

i am encountering the same problem. our costumer also wants to encrypt the vm and / or the linux box.

any hints for me to encrypt the vm?

thanks (also from germany ;-)) )

tschutschi
tommytao
Posts: 5
Joined: 6. Jul 2008, 07:12

Post by tommytao »

Give it a shoot :)

Sentry
http://www.softwinter.com/
Kitsune
Posts: 11
Joined: 22. Jan 2008, 03:48

Post by Kitsune »

You could simply use something like TrueCrypt (cross-platform) or dm-crypt (Linux specific, included with most distros) with an encrypted disk image. You could store the VDI or the enture VirtualBox folder on the encrypted disk so that way you need the key to be able to access it.

Althernatively, you could use dm-crypt on Linux guests or truecrypt on Windows guests to encrypt the virtual machine's disks. Which is better for you really depends on your needs, each of them would have their own pros and cons.

It'd probably be best to use a tool dedicated to that job as encryption is quite a hard thing to get right and there are already several really good tools for it that have had a good bit of auditing.
TerryE
Volunteer
Posts: 3572
Joined: 28. May 2008, 08:40
Primary OS: Ubuntu other
VBox Version: PUEL
Guest OSses: Ubuntu 10.04 & 11.10, both Svr&Wstn, Debian, CentOS
Contact:

Post by TerryE »

Linux, Windows and Mac all allow you to encrypt either at a file level or at a filesystem level. Given this, I am not sure that this would score very high in the priority list for new VB functionality.
Read the Forum Posting Guide
Google your Q site:VirtualBox.org or search for the answer before posting.
Kirkules
Posts: 3
Joined: 19. Feb 2009, 15:48

Is using whole disk truecrypt encryption really protecting?

Post by Kirkules »

I know this thread is quite old.
What I'm wondering is if one should only use truecrypt full disk protection for a fixed sized disk or if it is ok for a dynamic disk.
I'm also wondering if the vdi format would log changes in a way to where truecrypt's encryption can be broken.
I have been using whole disk encryption with a XP virtualbox made with tinyxp rev 9 that is fixed at 2.8 gigs.
Every once and awhile it blue screens on me....usually if I try to do too much and run out of ram I think.
My thoughts have been using truecrypt and having it message that it is missing its file system makes the vdi just look like a bad vdi. I don't know how easy it would be to tell if it is a truecrypted system?
TerryE
Volunteer
Posts: 3572
Joined: 28. May 2008, 08:40
Primary OS: Ubuntu other
VBox Version: PUEL
Guest OSses: Ubuntu 10.04 & 11.10, both Svr&Wstn, Debian, CentOS
Contact:

Re: Is using whole disk truecrypt encryption really protecti

Post by TerryE »

As far as the Host OS is concerned, any VD image is just a file being accessed by an application. I use Pointsec (whole disk) encryption on my XP laptop without any problems. I also have some AES loopback incrypted logical partitions served using LVM on my Ububtu 64bit system.
Read the Forum Posting Guide
Google your Q site:VirtualBox.org or search for the answer before posting.
right-or-am-i-wrong
Posts: 28
Joined: 2. Jan 2009, 00:29

Post by right-or-am-i-wrong »

I think this has to be done on the Host side.
This is the place of your images. The scenario "someone stealing your VDI " :shock: ... to get your data , starts at this location. The physical Host.
You can simply block the VBox program from running - there are tools out there ( for XP/WIN Hosts - search for "exe blocker")
This is simple security for multiuser-hosts.
A simple password protection inside VBox , seems to be a good suggestion anyway...
If you want good security (Windows host), create a extra partition - only for your VDI images and machine settings. The HDDs are big enough today.
Better ( if no mobile computer) : spend an entire harddrive only for your VDI Images+settings. Use TrueCrypt ( a good stable open source solution) and encrypt the whole drive/partition . Mount it (use the same volume mount label everytime! ) before you start the guest. Done.
You can create a TrueCrypt-container, if you don't want to encrypt an entire partition.
For performance reasons - try to use fixed size images , don't use your hosts system partition for your guests.
It's no problem at all using TrueCrypt containers inside the guest.

greets
rlhamil
Posts: 21
Joined: 3. Feb 2009, 03:05

Post by rlhamil »

If VirtualBox ever could get paged out on
guest memory, one might want to enable
encrypted swap on the host as well (if possible),
or someone could get raw guest memory data
out of host swap.
sej7278
Volunteer
Posts: 1003
Joined: 5. Sep 2008, 14:40
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Solaris, Linux, Windows, OS/2, MacOSX, FreeBSD
Contact:

Post by sej7278 »

this is something that should be done on the host.

just use linux dm-crypt and encryt your whole drive including swap.

this is not a feature that the virtualbox devs need to waste their time adding into the program itself.
Kirkules
Posts: 3
Joined: 19. Feb 2009, 15:48

Post by Kirkules »

I'm just wondering which is better:
A. Using truecrpyt whole disk protection on the guest system with a fixed size vdi.
B. Keeping a quest vdi stored in an encrypted container.
My thought is by encrypting the quest OS with whole disk encryption allows you to not need truecrypt installed on he host system which could help in non admin situations. Of course I believe you have to have admin rights to install virtualbox on XP hosts anyways.
Also you wouldn't take up extra space sizing a container.
I believe in order to hack into a wholly disk encrypted VDI you would have to mount it with another guest and try to brute force it.
I know that with this scenario that the vdi file would not be encrypted itself but wouldn't the data it contains still be gobbly guke from truecrypt?
I also don't know which scenario lends to better performance.
TerryE
Volunteer
Posts: 3572
Joined: 28. May 2008, 08:40
Primary OS: Ubuntu other
VBox Version: PUEL
Guest OSses: Ubuntu 10.04 & 11.10, both Svr&Wstn, Debian, CentOS
Contact:

Post by TerryE »

I don't have true crypt on my host OS, but I do have a couple of LVM virtual partitions that are AES loop-mount encrypted and this works fine.

There is little performance difference between A and B. The disadvantage of A is that since these encryption systems encrypt the entire volume, you've really got to use a fixed size VDI. It is also less convenient if you want to operate on the disk with gparted or a liveCD. The advantage is that you can backup the partition off-machine securely but just doing a copy. One the other hand, separately encrypting a smart backup of a VDI will typically be less than 25% of the size of a bare truecrypt copy.

So it all depends, but on balance for my needs and threat levels I prefer the encrypted LVM partition on the host.
Read the Forum Posting Guide
Google your Q site:VirtualBox.org or search for the answer before posting.
right-or-am-i-wrong
Posts: 28
Joined: 2. Jan 2009, 00:29

Post by right-or-am-i-wrong »

@Kirkules

"My thought is by encrypting the quest OS with whole disk encryption allows you to not need truecrypt installed on he host system which could help in non admin situations"

> get a portable version, runs without installing...


"A. Using truecrpyt whole disk protection on the guest system with a fixed size vdi. "

> If you can, get a fast Seagate , encrypt it with NTFS file-system ( if you are working with Windows ). If you are really paranoid , you can create an extra crypt container /inside an extra crypt container/ inside your vdi - and : don't use any swapfiles.
It's for James Bond... 8)

greets
lacis_alfredo
Posts: 8
Joined: 9. Aug 2010, 09:39
Primary OS: Ubuntu other
VBox Version: OSE Debian
Guest OSses: Win XP, Win Svr 2003, Ubuntu, Lubuntu

Re: Encrypting Virtual Machines

Post by lacis_alfredo »

Hi, I just tried using an encrypted partition in Ubuntu 10.04 host to host an XP guest. (I have several guests already, but they are hosted in an unencrypted partition.)

I copied the guest using "VBoxManage clonehd ...." to the encrypted partition.

One small problem - when the Guest is booted, it tries to decrypt the whole 13Gb image first! It's been half-an-hour now, and it hasn't got to the "Windows XP Starting" screen yet.

Obviously this is not the way to do it. Any suggestions?
SORRY: It wasn't the encryption - after copying the VM image using VBoxManage, I created a new .xml file, but did not go back, after it was created, to tick the [ ] Enable IO APIC.

a) if it's required to use VBoxManage to clone images, why isn't this functionality already in Oracle VM VirtualBox?

b) it would also mean that mistakes like this omission wouldn't occur.
Last edited by lacis_alfredo on 9. Aug 2010, 15:11, edited 2 times in total.
TerryE
Volunteer
Posts: 3572
Joined: 28. May 2008, 08:40
Primary OS: Ubuntu other
VBox Version: PUEL
Guest OSses: Ubuntu 10.04 & 11.10, both Svr&Wstn, Debian, CentOS
Contact:

Re: Encrypting Virtual Machines

Post by TerryE »

?? what encryption file system are you using ?? I've never had this problem.
Read the Forum Posting Guide
Google your Q site:VirtualBox.org or search for the answer before posting.
Post Reply