
Technical articles, news, and insights
for Oracle's Infrastructure Software offerings

VirtualBox 5.0 Enhancements and Features: Disk Image Encryption

Simon Coter
Director of Product Management

On July 9th 2015 we released VirtualBox 5.0, a new major release.
It introduced many new features, including:

•    Virtual Machine Management
    - Paravirtualization support for Windows and Linux guests
    - More instruction set extensions available to the guest

•    Device support
    - xHCI controller to support USB 3 devices

•    Usability
    - Improved drag and drop support
    - Disk image encryption
    - VMs started with separate GUI (foreground) and VM (background) processes

There is also a long list of GUI enhancements that will be covered in the next articles.

The new feature I’m going to introduce today is “Disk Image Encryption”.

As you know, encryption is also available at the host operating system level, and for business environments it can be a must-have; that said, someone could reasonably ask:

“I already have encryption at a lower level (the host OS), so why do I need further encryption for my VMs?”

Personally I think that today encryption on your personal or company laptop alone may not be enough; the era of CDs/DVDs is ending (maybe it’s already over), but a new one is here:

•    Local: USB-Keys, USB-disks and, even, mobile devices like our smartphones
•    Remote: cloud backup solutions (free or paid)

Once we copy or move something (in our example, virtual machines) to an external local device or to a cloud backup solution, the destination is often not encrypted; so, while your company spent a good deal of money on data encryption, your virtual machines, once copied to external devices, could be accessed and used by anyone who gets hold of them.

A virtual machine created with VirtualBox could contain confidential information, our next software release, source code, or anything else that needs the highest level of protection.

That is the target of the new “Disk Image Encryption” feature: with it your virtual machines are encrypted, and even if you copy, clone or move them to external devices, web storage or a cloud backup, their built-in encryption keeps your data secure. Note that the feature covers the disk images only: the VM configuration file, the logs and the saved state files are not encrypted (see the comments below), so keep those on an encrypted host filesystem if they matter to you.

Note: disk image encryption requires the Oracle VM VirtualBox Extension Pack, which must be installed separately.

Starting with VirtualBox 5.0 (our latest release today is 5.0.4), it is possible to encrypt the data stored in hard disk images transparently for the guest. VirtualBox uses the AES algorithm in XTS mode and supports 128 or 256 bit data encryption keys (DEK).

Encryption of an image can be enabled from the VM settings in the GUI or from the command line, using the following syntax:
VBoxManage encryptmedium "uuid|filename" --newpassword "file|-" --cipher "cipher id" --newpasswordid "id"

The cipher id is AES-XTS128-PLAIN or AES-XTS256-PLAIN. The password is read from the given file, or from standard input when "-" is given, so it never appears on the command line or in the shell history. The password id is a label of your choosing; all images encrypted with the same password and id are unlocked by entering that password once at VM start.
 
The DEK is stored encrypted in the medium properties and is decrypted during VM startup by entering the password that was chosen when the image was encrypted.
The password can also be supplied from the command line to an already started VM, using the following syntax:
VBoxManage controlvm "uuid|vmname" addencpassword "id" "password" [--removeonsuspend "yes|no"]

With "--removeonsuspend yes" the password is removed from memory when the VM is suspended and has to be supplied again on resume. Note that in this form the password is passed as a command-line argument, where it ends up in the shell history and is briefly visible in the process list; on a shared host prefer the GUI prompt.
In some circumstances it might be required to decrypt previously encrypted images; this can be done both from the GUI and from the command line, by supplying the old password and no new one:
VBoxManage encryptmedium "uuid|filename" --oldpassword "file|-"

The image must not be in use (the VM powered off) while it is being encrypted or decrypted, and the conversion goes through the whole image, so expect it to take a while on large disks.
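The encrypt / unlock / decrypt steps above, wrapped in a Python script as an added example (this is not code from the original post or from the VirtualBox project). It feeds the password to encryptmedium on standard input instead of on the command line, and encrypts every hard disk attached to the VM rather than only the boot disk, reading the attachments from VBoxManage showvminfo --machinereadable. The VM name, disk paths and the showvminfo sample are constructed; the parsing of the "<controller>-<port>-<device>" lines follows the output format as I know it and should be checked against your installation. For addencpassword it keeps the 5.0 syntax shown on this page, in which the password is an argument.

```python
"""Added example: drive VirtualBox 5.0 disk-image encryption from Python.

This is not code from the original post or from the VirtualBox project.
Assumptions: VBoxManage is on PATH, the VM is named "secure-vm", and its
disks are read from `VBoxManage showvminfo <vm> --machinereadable`, whose
"<controller>-<port>-<device>"="<path>" lines are parsed as I know the
format; verify it against your own installation.
"""
import re
import subprocess
from typing import Callable, Dict, List

VBOXMANAGE = "VBoxManage"
DISK_SUFFIXES = (".vdi", ".vmdk", ".vhd", ".hdd", ".qed", ".qcow", ".qcow2")
# Storage attachment keys look like "SATA Controller-0-0" (controller-port-device).
_ATTACH_KEY = re.compile(r"^.+-\d+-\d+$")

# Constructed sample of `showvminfo --machinereadable` output for the dry run.
SAMPLE_SHOWVMINFO = '''name="secure-vm"
memory=1024
storagecontrollername0="SATA Controller"
"SATA Controller-0-0"="/vms/secure-vm/secure-vm.vdi"
"SATA Controller-ImageUUID-0-0"="{11111111-2222-3333-4444-555555555555}"
"SATA Controller-1-0"="/vms/secure-vm/data.vmdk"
"SATA Controller-ImageUUID-1-0"="{66666666-7777-8888-9999-000000000000}"
"IDE Controller-0-0"="none"
"IDE Controller-1-0"="emptydrive"
'''


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn key="value" / "key"="value" lines into a dict (quotes stripped)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip().strip('"')] = value.strip().strip('"')
    return props


def attached_hard_disks(props: Dict[str, str]) -> List[str]:
    """Paths of every hard-disk image attached to the VM, not only the boot disk.

    Unused slots read "none", empty optical drives "emptydrive", and the
    matching "...-ImageUUID-p-d" keys hold UUIDs, so filtering on the image
    suffix keeps just the disk images.
    """
    return sorted(v for k, v in props.items()
                  if _ATTACH_KEY.match(k) and v.lower().endswith(DISK_SUFFIXES))


def encrypt_cmd(image: str, password_id: str, cipher: str = "AES-XTS256-PLAIN") -> List[str]:
    """encryptmedium argv; "-" makes VBoxManage read the password from stdin,
    so it never lands in the process list or in shell history."""
    return [VBOXMANAGE, "encryptmedium", image, "--newpassword", "-",
            "--cipher", cipher, "--newpasswordid", password_id]


def decrypt_cmd(image: str) -> List[str]:
    """encryptmedium with --oldpassword only: the image goes back to plaintext."""
    return [VBOXMANAGE, "encryptmedium", image, "--oldpassword", "-"]


def add_password_cmd(vm: str, password_id: str, password: str,
                     remove_on_suspend: bool = True) -> List[str]:
    """controlvm addencpassword in the 5.0 form shown above.  Here the password
    is an argument, so it is visible in the process list while the command
    runs; later releases take a file or "-" instead (check `VBoxManage controlvm`)."""
    return [VBOXMANAGE, "controlvm", vm, "addencpassword", password_id, password,
            "--removeonsuspend", "yes" if remove_on_suspend else "no"]


def encrypt_all_disks(vm: str, password: str, password_id: str,
                      runner: Callable[..., subprocess.CompletedProcess] = subprocess.run
                      ) -> List[str]:
    """Encrypt every disk attached to a powered-off VM with one password/id.

    `runner` is injectable so the logic can be exercised without VirtualBox.
    Returns the images that were encrypted.
    """
    info = runner([VBOXMANAGE, "showvminfo", vm, "--machinereadable"],
                  text=True, check=True, capture_output=True)
    disks = attached_hard_disks(parse_machinereadable(info.stdout))
    for image in disks:
        # The image must not be in use: power the VM off first.
        runner(encrypt_cmd(image, password_id), input=password + "\n",
               text=True, check=True, capture_output=True)
    return disks


def dry_run(vm: str, password_id: str, showvminfo_output: str) -> List[List[str]]:
    """Commands encrypt_all_disks would execute, recorded instead of run."""
    calls: List[List[str]] = []

    def record(argv, **_kw):
        calls.append(list(argv))
        return subprocess.CompletedProcess(argv, 0, stdout=showvminfo_output, stderr="")

    encrypt_all_disks(vm, "<password not needed for a dry run>", password_id, runner=record)
    return calls


if __name__ == "__main__":
    for argv in dry_run("secure-vm", "secure-vm-key", SAMPLE_SHOWVMINFO):
        print(" ".join(argv))
```

Run as-is it only prints the commands it would execute against the constructed sample; calling encrypt_all_disks() with the default runner performs the real encryption, so power the VM off first and back up the .vbox file and images before doing so.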


Final considerations

Since the DEK is stored (encrypted) as part of the VM configuration file, it is important that this file is kept safe: losing the DEK means that the data stored in the disk images is lost irrecoverably, so complete and up-to-date backups of all files belonging to the VM are the responsibility of the user. The converse also holds: the stored DEK is protected only by your password, and anyone who obtains the configuration file can try passwords against it offline at their leisure, so choose a long, random password rather than a short, memorable one.
In the configuration file (.vbox) of an encrypted virtual machine the encrypted key store appears among the properties of each encrypted hard disk.
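As an added example (not code from the original post or from VirtualBox), here is a small audit script that reads a .vbox file and reports, for each registered hard disk, whether it is attached and whether it carries an encrypted key store, so that a disk added later without encryption, like the one asked about in the comments, stands out, and the key store that a backup must preserve can be extracted. The sample .vbox is constructed; the element layout and the CRYPT/KeyId and CRYPT/KeyStore property names are taken from .vbox files as I know them and should be verified against your own.

```python
"""Added example: audit a .vbox file for disk-image encryption coverage.

Not code from the original post or from VirtualBox.  It lists every hard
disk registered in the VM configuration, whether it is attached, and
whether it carries an encrypted key store (the wrapped DEK), so that you
can see at a glance which attached disks would still travel in clear and
which key material a backup of the .vbox file has to preserve.
The sample .vbox below is constructed for this example; the property
names CRYPT/KeyId and CRYPT/KeyStore are, to my knowledge, the ones
VirtualBox writes, but verify them against a real .vbox file.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple

VB_NS = "http://www.virtualbox.org/"


class DiskStatus(NamedTuple):
    uuid: str
    location: str
    attached: bool   # referenced by an <Image> under a storage controller
    key_id: str      # password id; "" when the disk is not encrypted
    keystore: str    # encrypted DEK blob from the medium properties, or ""


# Constructed sample: one encrypted system disk and one plaintext data disk.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.15-linux">
  <Machine uuid="{aaaaaaaa-0000-0000-0000-000000000001}" name="secure-vm">
    <MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{11111111-2222-3333-4444-555555555555}" location="secure-vm.vdi" format="VDI" type="Normal">
          <Property name="CRYPT/KeyId" value="secure-vm-key"/>
          <Property name="CRYPT/KeyStore" value="PLACEHOLDER-NOT-A-REAL-KEYSTORE"/>
        </HardDisk>
        <HardDisk uuid="{66666666-7777-8888-9999-000000000000}" location="data.vmdk" format="VMDK" type="Normal"/>
      </HardDisks>
    </MediaRegistry>
    <StorageControllers>
      <StorageController name="SATA Controller" type="AHCI" PortCount="2">
        <AttachedDevice type="HardDisk" port="0" device="0">
          <Image uuid="{11111111-2222-3333-4444-555555555555}"/>
        </AttachedDevice>
        <AttachedDevice type="HardDisk" port="1" device="0">
          <Image uuid="{66666666-7777-8888-9999-000000000000}"/>
        </AttachedDevice>
      </StorageController>
    </StorageControllers>
  </Machine>
</VirtualBox>
"""


def audit_vbox(xml_text: str) -> List[DiskStatus]:
    """One DiskStatus per <HardDisk>, nested differencing images included."""
    root = ET.fromstring(xml_text)
    attached = {img.get("uuid") for img in root.iter(f"{{{VB_NS}}}Image")}
    result: List[DiskStatus] = []
    for hd in root.iter(f"{{{VB_NS}}}HardDisk"):
        props = {p.get("name"): p.get("value", "")
                 for p in hd.findall(f"{{{VB_NS}}}Property")}
        result.append(DiskStatus(
            uuid=hd.get("uuid", ""),
            location=hd.get("location", ""),
            attached=hd.get("uuid") in attached,
            key_id=props.get("CRYPT/KeyId", ""),
            keystore=props.get("CRYPT/KeyStore", ""),
        ))
    return result


def unprotected_attached(statuses: List[DiskStatus]) -> List[str]:
    """Attached disks with no key store: their contents are stored in clear."""
    return [s.location for s in statuses if s.attached and not s.keystore]


def is_fully_encrypted(statuses: List[DiskStatus]) -> bool:
    return not unprotected_attached(statuses)


def key_material(statuses: List[DiskStatus]) -> Dict[str, str]:
    """location -> encrypted key store.  This is what a backup must preserve:
    without it the image cannot be decrypted even with the right password."""
    return {s.location: s.keystore for s in statuses if s.keystore}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_VBOX
    statuses = audit_vbox(text)
    for s in statuses:
        state = f"encrypted (id {s.key_id})" if s.keystore else "PLAINTEXT"
        print(f"{s.location:30} attached={s.attached!s:5} {state}")
    print("fully encrypted:", is_fully_encrypted(statuses))
```

Run it with the path of a .vbox file as the only argument; without one it audits the constructed sample, which deliberately has a plaintext data disk attached so that the check reports "fully encrypted: False".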

This is the first of many chapters about the new features introduced in VirtualBox 5.0. See you at the next feature!
Let's keep in touch!

 

Simon COTER

 

Join the discussion

Comments (21)
  • guest Tuesday, November 3, 2015

    Does the new release offer any protection against tools such as this:

    http://www.sinfocol.org/2015/07/virtualbox-disk-image-encryption-password-cracker/


  • guest Wednesday, November 4, 2015

    Hi "guest",

    the protection is based on your password, as with all system access.

    The only thing that this tool is able to do is try to recover the password by reading a "wordlist" file.

    To give a silly example: if your password is "qwerty" and the "wordlist" file does not contain "qwerty", the tool won't be able to identify your password.

    If your password is a secure one (uppercase+lowercase+numbers+symbols), that tool will be useless.

    Thank you.

    Simon


  • guest Sunday, December 27, 2015

    Is it possible to shrink/compact an encrypted vdi file? How do I proceed? The usual VBoxManage 'compact' option seems to have no effect on an encrypted vdi container. And in effect, VBoxManage asks for no password.

    Thanks for your answer.


  • Simon Thursday, January 7, 2016

    Hi "guest",

    actually it is not possible to directly shrink encrypted vdisks.

    If you need to shrink a vdisk, please:

    1. decrypt vdisk

    2. shrink the vdisk

    3. re-encrypt vdisk

    Hope this helps.

    Thank you.

    Simon


  • guest Thursday, March 3, 2016

    Will this encrypt all disks attached to the VM, or only the boot disk?


  • Simon Thursday, March 3, 2016

    Hi,

    the encryption will encrypt the entire vm.

    If you are going to add a disk to the vm and you want to have it encrypted you can do it using CLI.

    Thank you

    Simon


  • guest Thursday, March 24, 2016

    Hi Simon,

    thank you for this useful article.

    I'd like to know if there is a way to also encrypt the log of an encrypted VM.

    Thanks for your answer


  • Simon Thursday, March 24, 2016

    Hi,

    unfortunately there is no option to encrypt logs.

    What you can do, for sure, is to have logs on an encrypted filesystem on the host system (see LUKS on Linux for example).

    Thank you

    Simon


  • Concerned Tuesday, April 19, 2016

    Thanks for making VB safer. A question tho, which i'm not even sure you can answer.

    For someone who doesn't know a whole lot about encryption, I was wondering, for example: would someone with the time and means, like a professional computer cryptographer or say law enforcement, be able to crack a full disk encryption with a 20+ very unique character password, and then secondly an Ubuntu with full disk encryption and a different long unique password?

    I'm just trying to get an idea of how safe these encryptions are. I understand that the average person wouldn't be able to crack this, but I'm curious as to how much effort real experts would need to have a go at, for example, my system.


  • mario Monday, August 29, 2016

    Hi, thanks for the useful information.

    Please, can you tell me which folder I must encrypt with other software (like VeraCrypt) to be 99.99% sure that no one can use the info inside the temp and log files in VBox to decrypt my virtual hd?

    Best regards


  • Simon Monday, August 29, 2016

    Hi Mario,

    you don't need to crypt any log/temp file related to VirtualBox.

    Once the virtual-disks have been encrypted with a good password (so, not too simple) the entire content of your virtual-machine will be protected.

    Thanks

    Simon


  • Mario Wednesday, August 31, 2016

    Thank you so much.


  • guest Sunday, September 4, 2016

    Hi!

    Is it possible to move an encrypted .vdi to another computer?

    I want to give a vdi file to my friend (only the one vdi file, not all files from the VM); afterwards I send the password for the vdi file by mail.

    My friend creates a new VM and adds the vdi image to the new VM.

    Will it work?


  • Simon Monday, September 5, 2016

    Hi Guest,

    it's possible to share encrypted VMs and virtual disks, but sharing only the vdisk is not enough.

    You also have to share the .vbox file of your VM and, obviously, the receiver of the VM needs the password to open/start the VM.

    The other option is to un-encrypt the vm, share the vdisk and then re-encrypt the vm.

    Simon


  • Hugh Tuesday, September 6, 2016

    Hi Concerned,

    You ask a good question about security. I recommend that you read Section 5 "Security Aspects" of the LUKS FAQ.

    Simply "Google" LUKS FAQ to locate the document. (Apparently my attempt to use the URL is keeping the message from posting.)


  • guest Saturday, November 5, 2016

    I am using the encryption feature in VirtualBox 5.1 (Mac version). It appears to me that the memory state of a VM saved in the Snapshots directory is not encrypted at all --- when I reload the memory state, it loads without asking for a password. The VM's screen shows up and the VM runs for a very short period of time before asking for a password, possibly at the time of the first I/O to the encrypted disk.

    Not encrypting snapshots and memory states seems to defeat the whole purpose of hypervisor-level encryption. The memory states contain lots of sensitive information, including all disk contents cached in memory and, if the guest VM has full disk encryption enabled, the encryption key itself. I believe that even encrypting only the memory states before they are committed to any non-volatile storage could be much more useful than encrypting the virtual disk, since the virtual disk can be encrypted in the guest. Almost all current guest OSes, such as Windows, Mac OS X and Linux, have native support for full disk encryption. The main weakness of such encryption, if running in a virtualized environment, is its memory state.

    BTW, after resuming the saved state, the password dialog pops up, but sometimes I could not type in the password. It appears that the dialog has lost its focus forever and clicking it does not help.


  • Simon Monday, November 7, 2016

    Thank you for your comment.

    I'm going to share this information with our engineering team.

    In the meantime, if you can, I would ask you to open a ticket on this issue on our virtualbox.org website.

    Thanks, again.

    Simon


  • starbuck Tuesday, December 27, 2016

    Hi,

    Thank you for this valuable information. I am evaluating the possibility of relying on the encryption provided by VB for backups of images. You wrote that the data is encrypted with AES128/256-XTS, but there are no details about how the key is obtained. In particular, I am looking for the following details:

    a) is the key obtained by a random source? If yes, how is it stored in the file? If the password protects it, what is the protocol for it?

    b) is the key obtained from the password? If yes, how is the key derived from the password and why is there something stored in the configuration file?

    I am a little bit confused that something has to be stored in a file, hence my questions.

    Could you please edit the article and include these details?

    Kindest regards,

    sb


  • Simon Thursday, December 29, 2016

    Hi sb,

    you can find some information on our VirtualBox manual:

    https://www.virtualbox.org/manual/ch09.html#diskencryption

    and if you need further details, you can open a thread on our forum.virtualbox.org.

    Thanks

    Simon


  • Ms geek Tuesday, August 29, 2017
    Some of the best USB encryption tools for password protection that I know are
    Rohos Disk Encryption
    USB Flash Security
    USB Safeguard
    Disk Cryptor
    Storage Crypt
    source:- http://merabheja.com/free-usb-encryption-tools-to-password-protect/
  • Simon Tuesday, August 29, 2017
    Hi "Ms geek",

    something pretty different.....
    That said, is there something that does not need to be installed (here encryption is part of VBox) and is able to run on any x86 OS (like VBox) ?
    I mean....you can share your encrypted VM to me and I do not need to install anything to start it.....just the password :)

    Simon