Encrypted Images

From Whonix

About this Encrypted Images Page
Support Status stable
Difficulty easy
Contributor HulaHoop [archive]
Support Support

Encrypted Guest Images[edit]

Info This encrypted images chapter is mostly theoretical at this point, because it contains numerous open research questions and is currently unsupported.

The greatest security benefit comes from applying full disk encryption on the host because that is the only place where it is most effective. Nevertheless, for the interested reader this section makes recommendations to deal with the following threat model:

  • The host is running when an adversary gets access to it, or the host is unencrypted.
  • The VM is powered down (otherwise the adversary would already have access to it).

The following security considerations are based on modified quotes by Iszi [archive] from the answer posted on [archive], which was a user contribution to stackexchange, licensed under cc by-sa 3.0 [archive] with attribution required [archive].

Full Disk Encryption within the Virtual Machine[edit]

When using FDE within the VM, never save (suspend/pause) the VM machine state, but instead shut it down completely. If this advice is ignored, the saved machine state could be stored outside of the encrypted image. This includes a RAM dump, which contains the encryption key required to decrypt the image. Upon resuming the VM, that stored file is not necessarily securely deleted, since it is virtualizer-specific.

While the VM is running, the host system's sleep, suspend, or hibernate functions should not be used. Similar to the first scenario, these actions leave a RAM dump on disk, but this time it belongs to the host. This also contains sensitive data, such as encryption keys.

Virtual Machine Files in an Encrypted Container[edit]

VM files can also be stored in an encrypted container, such as a LUKS container. Newer and native support for LUKS encryption of disk images is available as of libvirt 2.10 [1] The same precautions should be taken as outlined in the previous section, as the risks equally apply.

FDE within the VM, LUKS encrypted containers for VM images, and FDE on the host can all be used independently, or in conjunction. However, increasing the layers of encryption may begin to significantly degrade performance. End modified quote by Iszi.

Other Security Considerations[edit]

Encryption is an area with many pitfalls; consider the following additional risks.

Table: Additional Encryption Risks

Category Description
Memory Dumps These are caused by Blue Screen of Death (BSOD) or kernel crashes and can leave unintended traces on the host; see Core Dumps.
Powered-down VMs After a VM has shutdown, the RAM that previously contained the VM's encryption key might not have been wiped yet. Memory pages belonging to a terminated process do not have their contents wiped (zeroed) until they are about to be used by another process. [2] [3] [4] [5]
Swap An encrypted swap provides no protection so long as the host is powered up, because the key is still in RAM. Disabling swap requires a special, secure wiping of the existing swap -- it is far safer to have never used swap before.
Virtualizer-specific Issues
  • KVM: It is not expected that KVM guests could access data from other process' memory pages via memory ballooning [archive], since KVM guests are Linux processes and subject to Linux memory allocation rules. [6]
  • VirtualBox: In the case of VirtualBox, the file could end up in the folder ~/.virtualbox. A definitive answer requires further research.
  • Xen: Memory ballooning in Xen creates privacy concerns because when it is enabled the memory contents of other VMs are exposed. [7]

Open Security Research Questions[edit]

The following questions and configurations require further research:

  • With swap and crash dumps disabled, it is unknown whether the virtualizer writes parts of the VM's RAM contents to the disk. TODO: Specifically ask virtualizer vendors about this possibility.
  • Potential setup configurations:
    • Theoretically, a fully encrypted operating system (currently: Debian) could be installed inside a VM and Whonix ™ could be built using --target root inside another VM. This is analogous to the physical isolation model, but secure VM settings would be missing (similar to Manually Create Whonix ™ VM Settings).
    • An encryption feature could be added to grml-debootstrap [archive] [8] [9] and/or the Whonix ™ build script. There was an attempt [archive] to do that, but this effort has stalled.
    • cryptsetup-reencrypt [archive] could be used, allowing for the shipping of encrypted Whonix ™ images. The master key and the password (potentially blank) would be known to the public at first. Later on, cryptsetup-reencrypt would be used to fix the master key and password, that is, to make the encryption effective.


The host of security considerations suggest that an unrealistic set of operational rules are required to defend the integrity of a purely encrypted guest image. Use of Full Disk Encryption is recommended instead.

For further information about encrypted images, see How Useful is In-Guest Encryption? [archive] Readers interested in running Whonix ™ as a live OS should refer to VM Live Mode and Host Live Mode.


  1. [archive]
  2. [archive]

    Linux zeroes out (i.e. fills with zeros) all pages of memory not when they are released, but when they are given to another process. Thus, no process may obtain data excerpts from another process. However, the pages will retain their old contents until they are reused.

  3. [archive]
  4. [archive]
  5. The threat is similar to cold boot attacks, but in this case it might even be a "warm" attack, because under this threat model, the machine and RAM is still powered. PAX_MEMORY_SANITIZE [archive] and its KSPP successor [archive] may mitigate this, but at the cost of a non-trivial performance hit.
  6. [archive]

    Memory ballooning is a memory management feature used in most virtualization platforms which allows a host system to artificially enlarge its pool of memory by taking advantage or reclaiming unused memory previously allocated to various virtual machines.

  7. [archive]

    Xen explicitly assigns dedicated memory regions to instances and scrubs data upon the destruction of instances (or domains in Xen parlance). KVM depends more greatly on Linux page management; A complex set of rules related to KVM paging is defined in the KVM documentation. It is important to note that use of the Xen memory balloon feature is likely to result in information disclosure. We strongly recommended to avoid use of this feature.

  8. Whonix ™ build script is a user [archive] of grml-debootstrap.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Encrypted Images&body= link= Images link= Images link= Images%20 Images

There are five different options for subscribing to Whonix ™ source code changes.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.