About virtual machine encryption.

Posted: 8. Oct 2020, 11:45
by Aphrodite
It is recommended that you encrypt the profile (.vbox) of the guest OS when encrypting the virtual machine. It's not just encrypting .vdi files.

Re: About virtual machine encryption.

Posted: 8. Oct 2020, 12:44
by mpack
Why? There's nothing private in a vbox file. It's just the hardware recipe for the VM, and it isn't accessible from inside the VM.

The only thing that VirtualBox encrypts is the VDI image sectors, not even the entire VDI. If that isn't enough, e.g. if you are concerned about people with physical access to your host then perhaps you should encrypt your host.

Re: About virtual machine encryption.

Posted: 8. Oct 2020, 13:48
by Aphrodite
Because the .vbox file is clear text, it is not important for unencrypted guest operating systems. VMware Workstation encrypts the guest operating system, and the .vmx file is also encrypted. I do not want others to see the configuration parameters of the encrypted guest operating system.

Re: About virtual machine encryption.

Posted: 9. Oct 2020, 18:55
by scottgus1
To put a practical side to the hopes here, the only way encrypted .vbox 'recipe' files will happen is if the Oracle paying customers want it or if a user contributes code.

Additionally, if one is worried about unauthorized persons accessing the .vbox file to see how the guest is formatted (which one can also see in the guest's Settings in the main VirtualBox window, which has zero (0) lockdown capabilities and anyone can start it and see it) then one has unauthorized persons accessing their computer files - a much bigger problem, and as the InfoSec gurus say, "if someone gets physical access to your computer, it's not your computer anymore."

In my humble opinion, worrying about the .vbox file is much smaller fruit than keeping people out of the host PC in the first place.

Re: About virtual machine encryption.

Posted: 9. Oct 2020, 19:15
by Aphrodite
Sometimes the environment is like this: there is no way to completely isolate. Encrypting (if required) disk images and profiles of the guest operating system is better than clear text. Clear text files make it too easy to get the contents of a file.

Re: About virtual machine encryption.

Posted: 9. Oct 2020, 20:12
by scottgus1
Honestly, the only way you'll get this is to tweak the source code and program it yourself.

Re: About virtual machine encryption.

Posted: 10. Oct 2020, 10:57
by mpack
I still do not see a convincing explanation of why the VM recipe should be private, or why VirtualBox should be concerned about protecting your host (that is your host OS's job): that VMware does something this pointless - which I have not verified btw - is not a good argument for us to do the same.

And it will be interesting to see how the problem is solved that the key to decrypt the .vbox is stored in the .vbox: presumably by using a less secure encryption method.

Re: About virtual machine encryption.

Posted: 11. Oct 2020, 18:29
by Aphrodite
It is not about protecting the host. It is about encrypting the .vdi and .vbox files.
Is encrypting Word (.docx) files something that the operating system should do?
Should we disconnect the network connection for network security?
We all know that there is no absolute security. We can't just not do it because of these problems.
The VirtualBox team can assess whether the problem is worth doing.
mpack wrote:I still do not see a convincing explanation of why the VM recipe should be private, or why VirtualBox should be concerned about protecting your host (that is your host OS's job): that VMware does something this pointless - which I have not verified btw - is not a good argument for us to do the same.

And it will be interesting to see how the problem is solved that the key to decrypt the .vbox is stored in the .vbox: presumably by using a less secure encryption method.

Re: About virtual machine encryption.

Posted: 11. Oct 2020, 18:47
by mpack
Aphrodite wrote: Is encrypting Word (.docx) files something that the operating system should do?
I would say yes. Why would you have individual apps reinventing the wheel?

VirtualBox encryption is intended to secure GUEST files from a HOST attack. Not HOST files from a HOST attack. I'll say again: if you need to protect your host then look to your host OS, along with mechanisms to prevent physical access to your PC.

Re: About virtual machine encryption.

Posted: 12. Oct 2020, 03:37
by scottgus1
Revising my statement above that this will never happen if you don't program it yourself: A comment from VirtualBox personnel informs me that the devs may consider free users' ideas for implementation if a solid case for the idea can be made. And that the idea, if accepted, can happen faster if the user programs it according to VirtualBox standard and contributes the code.

The above said, Aphrodite, please consider your idea in light of this stated earlier:
scottgus1 wrote:[one can] see how the guest is formatted ... in the guest's Settings in the main VirtualBox window, which has zero (0) lockdown capabilities and anyone can start it and see it
Anyone standing at the computer can see the settings of the guest by selecting it in the main VirtualBox window. Thus they can see what the .vbox file tells VirtualBox to do with the guest. Seeing the guest settings will happen whether the .vbox file is encrypted or not.

How does encrypting the .vbox file protect from this unavoidable display of settings?