Actions

Encrypted Images

About this Encrypted Images Page
Support Status stable
Difficulty easy
Maintainer HulaHoop
Support Support

Encrypted Guest Images[edit]


The greatest security benefit comes from applying full disk encryption on the host because that is the only place where it is most effective. Nevertheless, for the interested reader this section makes recommendations to deal with the following threat model:

  • The host is running when an adversary gets access to it, or the host is unencrypted.
  • The VM is powered down (otherwise the adversary would already have access to it).

The following security considerations are based on modified quotes by Iszi from the answer posted on security.stackexchange.com, which was a user contribution to stackexchange, licensed under cc by-sa 3.0 with attribution required.

Full Disk Encryption within the Virtual Machine[edit]

When using FDE within the VM, never save (suspend/pause) the VM machine state, but instead shut it down completely. If this advice is ignored, the saved machine state could be stored outside of the encrypted image. This includes a RAM dump, which contains the encryption key required to decrypt the image. Upon resuming the VM, that stored file is not necessarily securely deleted, since it is virtualizer-specific.

While the VM is running, users should not use the host system's sleep, suspend, or hibernate functions. Similar to the first scenario, these actions leave a RAM dump on disk, but this time it belongs to the host. This also contains sensitive data, such as encryption keys.

Virtual Machine Files in an Encrypted Container[edit]

VM files can also be stored in an encrypted container, such as a LUKS container. Newer and native support for LUKS encryption of disk images is available as of libvirt 2.10 [1] The same precautions should be taken as outlined in the previous section, as the risks equally apply.

FDE within the VM, LUKS encrypted containers for VM images, and FDE on the host can all be used independently, or in conjunction. However, increasing the layers of encryption may begin to significantly degrade performance. End modified quote by Iszi.

Other Security Considerations[edit]

Encryption is an area with many pitfalls; consider the following additional risks.

Table: Additional Encryption Risks

Category Description
Memory Dumps These are caused by Blue Screen of Death (BSOD) or kernel crashes and can leave unintended traces on the host; see Core Dumps.
Powered-down VMs After a VM has shutdown, the RAM that previously contained the VM's encryption key might not have been wiped yet. Memory pages belonging to a terminated process do not have their contents wiped (zeroed) until they are about to be used by another process. [2] [3] [4] [5]
Swap An encrypted swap provides no protection so long as the host is powered up, because the key is still in RAM. Disabling swap requires a special, secure wiping of the existing swap -- it is far safer to have never used swap before.
Virtualizer-specific Issues
  • KVM: It is not expected that KVM guests could access data from other process' memory pages via memory ballooning, since KVM guests are Linux processes and subject to Linux memory allocation rules. [6]
  • VirtualBox: In the case of VirtualBox, the file could end up in the folder ~/.virtualbox. A definitive answer requires further research.
  • Xen: Memory ballooning in Xen creates privacy concerns because when it is enabled the memory contents of other VMs are exposed. [7]

Open Security Research Questions[edit]

The following questions and configurations require further research:

  • With swap and crash dumps disabled, it is unknown whether the virtualizer writes parts of the VM's RAM contents to the disk. TODO: Specifically ask virtualizer vendors about this possibility.
  • Potential setup configurations:
    • Theoretically, a fully encrypted operating system (currently: Debian) could be installed inside a VM and Whonix ™ could be built using --target root inside another VM. This is analogous to the physical isolation model, but secure VM settings would be missing (similar to Manually Create Whonix ™ VM Settings).
    • An encryption feature could be added to grml-debootstrap [8] [9] and/or the Whonix ™ build script. There was an attempt to do that, but this effort has stalled.
    • cryptsetup-reencrypt could be used, allowing for the shipping of encrypted Whonix ™ images. The master key and the password (potentially blank) would be known to the public at first. Later, users would use cryptsetup-reencrypt to fix the master key and password, that is, to make the encryption effective.

Conclusion[edit]

The host of security considerations suggest that an unrealistic set of operational rules are required to defend the integrity of a purely encrypted guest image. Use of Full Disk Encryption is recommended instead.

For further information about encrypted images, see How Useful is In-Guest Encryption? Users interested in running Whonix ™ as a live OS should read Whonix Live. [10]

Footnotes[edit]

  1. https://libvirt.org/formatstorageencryption.html#StorageEncryptionLuks
  2. https://security.stackexchange.com/a/42186

    Linux zeroes out (i.e. fills with zeros) all pages of memory not when they are released, but when they are given to another process. Thus, no process may obtain data excerpts from another process. However, the pages will retain their old contents until they are reused.

  3. https://superuser.com/a/894936
  4. https://askubuntu.com/a/721207
  5. The threat is similar to cold boot attacks, but in this case it might even be a "warm" attack, because under this threat model, the machine and RAM is still powered. PAX_MEMORY_SANITIZE and its KSPP successor may mitigate this, but at the cost of a non-trivial performance hit.
  6. https://www.techopedia.com/definition/30466/memory-ballooning

    Memory ballooning is a memory management feature used in most virtualization platforms which allows a host system to artificially enlarge its pool of memory by taking advantage or reclaiming unused memory previously allocated to various virtual machines.

  7. https://docs.openstack.org/security-guide/tenant-data/data-privacy-concerns.html

    Xen explicitly assigns dedicated memory regions to instances and scrubs data upon the destruction of instances (or domains in Xen parlance). KVM depends more greatly on Linux page management; A complex set of rules related to KVM paging is defined in the KVM documentation. It is important to note that use of the Xen memory balloon feature is likely to result in information disclosure. We strongly recommended to avoid use of this feature.

  8. Whonix ™ build script is a user of grml-debootstrap.
  9. Live OS systems are designed to not leave traces of user activity on disk.

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Love Whonix and want to help spread the word? You can start by telling your friends or posting news about Whonix on your website, blog or social media.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.