Oracle VM VirtualBox enables you to transparently encrypt the VM data stored in the configuration file, saved state, and EFI boot data for the guest.
Oracle VM VirtualBox uses the AES algorithm in various modes. The selected mode depends on the encrypting component of the VM. Oracle VM VirtualBox supports 128-bit or 256-bit data encryption keys (DEK). The DEK is stored encrypted in the VM configuration file and is decrypted during VM startup.
Since the DEK is stored as part of the VM configuration file, it is important that the file is kept safe. Losing the DEK means that the data stored in the VM is lost irrecoverably. Keeping complete and up-to-date backups of all data related to the VM is the responsibility of the user.
The VM, even if it is encrypted, may contain media encrypted with different passwords. To deal with this, the password for the VM has a password identifier, in the same way as passwords for media. The password ID is an arbitrary string which uniquely identifies the password in the VM and its media. You can use the same password and ID for both the VM and its media.
There are some limitations the user needs to be aware of when using this feature:
Exporting appliances containing an encrypted VM is not possible, because the OVF specification does not support this. The VM is therefore decrypted during export.
The DEK is kept in memory while the VM is running so that VM data can be encrypted and decrypted. While this should be obvious, the user needs to be aware of it because an attacker might be able to extract the key on a compromised host and decrypt the data.
When encrypting or decrypting the VM, the password is passed in clear text using the Oracle VM VirtualBox API. This needs to be kept in mind, especially when using third-party API clients which make use of the web service, where the password might be transmitted over the network. The use of HTTPS is mandatory in such a case.
Encrypting a VM can be done either using VirtualBox Manager or VBoxManage. To encrypt an unencrypted VM with VBoxManage, use:
VBoxManage encryptvm uuid|vmname setencryption --new-password filename|- \
    --cipher cipher-ID --new-password-id ID
To supply the encryption password, point VBoxManage to the file where the password is stored or specify - to let VBoxManage prompt for the password on the command line.
The cipher parameter specifies the cipher to use for encryption and can be either AES-128 or AES-256. The appropriate mode of operation, such as GCM, CTR, or XTS, will be selected by the VM depending on the encrypting component. The specified password identifier can be freely chosen by the user and is used for correct identification when supplying multiple passwords for the VM.
When Oracle VM VirtualBox has just started up, the encrypted VM cannot be opened and it stays inaccessible. Also, the encrypted VM stays inaccessible if it was just registered without a password or if the password is incorrect. The user needs to provide the password using VirtualBox Manager or with the following VBoxManage command:
VBoxManage encryptvm uuid|vmname addpassword --password filename|- --password-id ID
To supply the encryption password, point VBoxManage to the file where the password is stored or specify - to let VBoxManage prompt for the password on the command line.
If ID is the same as the password identifier supplied when encrypting the VM, it updates the accessibility state.
To remove the entered password from the VM memory, use VBoxManage as follows:
VBoxManage encryptvm uuid|vmname removepassword ID
If ID is the same as the password identifier supplied when encrypting the VM, it updates the accessibility state.
If a machine becomes inaccessible, all passwords are purged. You have to add the required passwords again, using the VBoxManage encryptvm vmname addpassword command. See Section 9.22.3, “Opening the Encrypted VM”.
In some circumstances it might be required to decrypt previously encrypted VMs. This can be done in VirtualBox Manager or using VBoxManage with the following command:
VBoxManage encryptvm uuid|vmname setencryption --old-password file|-
The only required parameter is the password the VM was encrypted with. The options are the same as for encrypting VMs.
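The following shell wrapper is an added example and is not part of the Oracle VM VirtualBox manual or of VBoxManage itself. It ties together the four steps described above (setencryption with --new-password, addpassword, removepassword, and setencryption with --old-password) and, because VBoxManage reads the password file in clear text, refuses a password file that is readable by other users on the host. The function names vbox_check_password_file and vbox_encryptvm, the VBOX_DRY_RUN variable that prints the command instead of running it, and the VM name and password ID used in the usage comment are all this example's own assumptions, not VBoxManage options.

```shell
#!/bin/sh
# Added example (not VirtualBox project code): wrapper around the
# "VBoxManage encryptvm" subcommands from the manual section above.
# VBOX_DRY_RUN=1 is an assumption of this script: it prints the command
# line that would be executed instead of invoking VBoxManage.

# Succeed only if the password file exists and no group/other permission
# bits are set; VBoxManage reads the file in clear text.
vbox_check_password_file() {
    pwfile="$1"
    if [ ! -f "$pwfile" ]; then
        echo "password file not found: $pwfile" >&2
        return 1
    fi
    # Columns 5-10 of "ls -l" output are the group and other permission bits.
    others=$(ls -ld "$pwfile" | cut -c5-10)
    case "$others" in
        *[rwx]*)
            echo "refusing $pwfile: readable by other users (mode $(ls -ld "$pwfile" | cut -c1-10))" >&2
            return 1 ;;
    esac
    return 0
}

# Build (and run, unless VBOX_DRY_RUN=1) one step of the encryption workflow.
# Usage: vbox_encryptvm <uuid|vmname> encrypt <pwfile> <AES-128|AES-256> <ID>
#        vbox_encryptvm <uuid|vmname> addpassword <pwfile> <ID>
#        vbox_encryptvm <uuid|vmname> removepassword <ID>
#        vbox_encryptvm <uuid|vmname> decrypt <pwfile>
vbox_encryptvm() {
    vm="$1"; action="$2"; shift 2
    case "$action" in
        encrypt)
            pwfile="$1"; cipher="$2"; pwid="$3"
            # Only the two ciphers the manual lists are accepted.
            case "$cipher" in
                AES-128|AES-256) ;;
                *) echo "cipher must be AES-128 or AES-256, got: $cipher" >&2; return 2 ;;
            esac
            vbox_check_password_file "$pwfile" || return 2
            set -- VBoxManage encryptvm "$vm" setencryption \
                --new-password "$pwfile" --cipher "$cipher" --new-password-id "$pwid" ;;
        addpassword)
            pwfile="$1"; pwid="$2"
            vbox_check_password_file "$pwfile" || return 2
            set -- VBoxManage encryptvm "$vm" addpassword \
                --password "$pwfile" --password-id "$pwid" ;;
        removepassword)
            # Purges the password with this ID from the VM's memory.
            set -- VBoxManage encryptvm "$vm" removepassword "$1" ;;
        decrypt)
            pwfile="$1"
            vbox_check_password_file "$pwfile" || return 2
            set -- VBoxManage encryptvm "$vm" setencryption --old-password "$pwfile" ;;
        *)
            echo "unknown action: $action" >&2; return 2 ;;
    esac
    if [ "${VBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage (VM name "My VM" and ID "vmkey" are placeholders chosen for this example):
#   VBOX_DRY_RUN=1 vbox_encryptvm "My VM" encrypt "$HOME/.vbox-pw" AES-256 vmkey
```

Using a file (or -, which makes VBoxManage prompt) rather than a password argument keeps the secret out of the process list and shell history; the wrapper adds the permission check so a world-readable password file is caught before VBoxManage is invoked.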