Encrypting a bootable disk?
Posted: 12. May 2015, 15:23
OK, so I'm gonna pose this question thinking that it can't be done. But, there's smarter people out there than me... so... 
We've a requirement to ship a pre-built Win7 Enterprise VM to a client, so that they can connect back to our corporate LAN. The device once done so, will be fully managed by us, and locked down so they can only run the apps they need. Obviously, they won't be local administrators on the device, so no adding all sorts of their own apps. All well and good.
But ideally, I'd like to prevent them from being able to mount the vhd/vdi etc outside of virtualbox, side-load their own tools/software, and generally have full reign of the machine. We all know how easy it is to open a vhd in linux or diskpart, tweak the contents and close it again. I want to try as hard as possible to prevent that.
Can't be done, right? After all, we'll clearly need to give them any encryption password for (whatever product) encrypts the disk, and at that point they can do it outside of virtualbox. The nearest I can get to it is Bitlocker (without TPM) but that also requires a USB startup key which we can do with a floppy drive image. And of course that also means giving them the key
Apart from that, not an entirely terrible solution.
Can anyone else think of a smarter alternative?
Not seen much on what the new VB5 encryption features entail, but I might like to hope that there would be some kind of "you can open and edit the disk with this password, others can only use-it-as-normal with this password". Failing that, the ability to create, in effect, a differencing/snapshot disk - so the image we provide is forever read-only, and any changes they make only persist as long as the last reboot.
Thanks for any advice.
edit: it turns out, the key you provide on the floppy image will allow the image to boot. To decrypt it outside of that OS tho, you need the recovery key - which is the one you secure away in a nice text file somewhere (or AD). Still interested in any other solutions tho !
We've a requirement to ship a pre-built Win7 Enterprise VM to a client, so that they can connect back to our corporate LAN. The device once done so, will be fully managed by us, and locked down so they can only run the apps they need. Obviously, they won't be local administrators on the device, so no adding all sorts of their own apps. All well and good.
But ideally, I'd like to prevent them from being able to mount the vhd/vdi etc outside of virtualbox, side-load their own tools/software, and generally have full reign of the machine. We all know how easy it is to open a vhd in linux or diskpart, tweak the contents and close it again. I want to try as hard as possible to prevent that.
Can't be done, right? After all, we'll clearly need to give them any encryption password for (whatever product) encrypts the disk, and at that point they can do it outside of virtualbox. The nearest I can get to it is Bitlocker (without TPM) but that also requires a USB startup key which we can do with a floppy drive image. And of course that also means giving them the key
Apart from that, not an entirely terrible solution.Can anyone else think of a smarter alternative?
Not seen much on what the new VB5 encryption features entail, but I might like to hope that there would be some kind of "you can open and edit the disk with this password, others can only use-it-as-normal with this password". Failing that, the ability to create, in effect, a differencing/snapshot disk - so the image we provide is forever read-only, and any changes they make only persist as long as the last reboot.
Thanks for any advice.
edit: it turns out, the key you provide on the floppy image will allow the image to boot. To decrypt it outside of that OS tho, you need the recovery key - which is the one you secure away in a nice text file somewhere (or AD). Still interested in any other solutions tho !