-5

Is it possible to encrypt a virtual machine using VirtualBox, and not leave it accessible to the users of the machine where it is hosted, and not allow any file to be extracted from it with some program?

The scenario is that I need to allocate a Java web project on a customer where the internet access is very limited. Today this project runs on a cloud server, but for certain customers we need to install the application locally due to the internet limitation problems; that's why I need to protect my application.

lucianovcnt
  • 1
    Can you provide some context please? Will this be on a remote server where reboots can be unattended, or will you have local access to it and be able to type some password on each system reboot? – TildalWave May 23 '13 at 14:50
  • @TildalWave If you read his other question(s), he's attempting to allow customers to run a Java web application on their own hosts, and he's trying to prevent reverse-engineering. – Xander May 23 '13 at 14:52
  • 1
    @Xander Ahaaa... well, that's not happening. – Adi May 23 '13 at 14:52
  • 1
    @Xander - I have and I understand this, thus my comment to Adnan in DMZ, but OP should learn to include relevant information in his questions. So far, all three he posted required a lot of supervision, which is less than ideal. It also makes the question vague and difficult to extract its intended meaning to other readers that didn't follow-up on other OP's questions. ;) – TildalWave May 23 '13 at 14:55
  • @TildalWave - The scenario is that I need to allocate a Java web project on a customer where the internet access is very limited. Today this project runs on a cloud server, but for certain customers we need to install the application locally due to the internet limitation problems; that's why I need to protect my application. – lucianovcnt May 23 '13 at 15:10
  • 1
    @lucianovcnt - Please [add information to your question](http://security.stackexchange.com/posts/36393/edit) that you believe is relevant and might help in answering it. As it stands now, your question is rather vague and as such not very helpful to future readers. Thank you! – TildalWave May 23 '13 at 15:13
  • This is a horrible vague question that needs a lot of work. – Ramhound May 24 '13 at 00:59
  • @lucianovcnt One workable solution is to provide your application on a computer appliance, i.e. an integrated set of hardware and system software to which the customer has limited access. The typical approach will be to run your software in virtual machines (virtual appliances) on the computer appliance. The hardware could be anything from the $50 Raspberry Pi to the $68,000 Oracle ODA HA Virtual Platform or larger. As a resident slogan says - The flexibility and convenience of SaaS, comfortably behind your own firewall - for when you need the cloud to come to your house^h^h^h^h^h^h datacenter – Roy Jul 19 '16 at 09:00

2 Answers

2

Install TrueCrypt on your virtual machine and set up Full-Disk Encryption (you don't need anything after step 11). That way whoever boots that VM will have to enter a password, and nobody will be able to extract data from it.

As Tinned_Tuna has mentioned, it's important to limit access to the host machine, as someone could easily install a keylogger to steal the password, or could dump the memory of the VM and extract the decryption key.

Update:

Okay, now that I checked your other questions, it seems that you're attempting something that isn't quite possible.

Adi
  • 2
    Not quite, anyone on the host machine running with sufficient privileges will be able to attach a debugger to the VM's process and read out the contents of the VM's RAM. – Tinned_Tuna May 23 '13 at 14:42
  • @Adnan Using these mentioned features, is it possible to access the virtual machine using ssh from another machine? – lucianovcnt May 23 '13 at 14:45
  • 2
    @Tinned_Tuna and someone could install a keylogger to steal the password when the OP wants to boot his machine, also someone could install a hardware keylogger to steal the password. Actually, someone could replace the whole VirtualBox with a fake one that specifically tricks the user into entering the password. I think the point here is that access should be limited to the host machine. I'll add that to the answer. – Adi May 23 '13 at 14:48
1

Yes, it is possible. You encrypt the whole partition so that a master password is needed at boot.

Things to consider:

  • it will still be possible (not easy) to access the virtual machine's "virtual RAM", and in some cases also modify it, in a version of the "cold boot attack". Systems that are invulnerable to CBA are being studied, but these results will likely not affect VMs, where a suspended machine state attack will still be possible.
  • it will be possible, if difficult (through #1) to force entry through e.g. file sharing; so you will want to have it disabled or uninstalled, and the various communication channels properly secured.
  • the VM now requires someone knowing the master password at boot (think downtime). By knowing this password, it is possible to mount the VM as an external volume, thereby accessing the data.
  • the virtual machine's FS is now encrypted, which makes it incompressible. This may or may not have undesirable consequences (e.g. for backups).
  • some encryption strategies sanitize the disk by filling it with random data, which not only is incompressible, but may trigger disk growth. For example if you have designed a growable disk "up to 1TB" just in case, and are now contented by using five or six gigs, be aware that encrypting the partition might now require an additional terabyte of disk space on the host machine, unless you shrink the virtual partition first.
LSerni
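
An added example, not part of the original answer: a small audit of a VirtualBox machine settings file for the host-to-guest channels (file sharing, clipboard, drag and drop) and the suspended machine state that the answer above warns about. The sample XML is constructed, and the element and attribute names (`SharedFolder`, `Clipboard`, `DragAndDrop`, `stateFile`) are assumed from the `.vbox` settings layout, so check them against your VirtualBox version.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a VirtualBox machine settings (.vbox) file; not from the page.
# Element/attribute names are an assumption based on the .vbox settings layout.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-linux">
  <Machine name="appliance" stateFile="Snapshots/saved.sav">
    <Hardware>
      <Clipboard mode="Bidirectional"/>
      <DragAndDrop mode="Disabled"/>
      <SharedFolders>
        <SharedFolder name="deploy" hostPath="/srv/deploy" writable="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>"""


def local(tag):
    """Drop the XML namespace so matching works across settings versions."""
    return tag.rsplit("}", 1)[-1]


def audit_vbox(xml_text):
    """Return findings for channels that sidestep encryption inside the guest."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "Machine" and el.get("stateFile"):
            # A saved (suspended) state keeps guest RAM, disk key included, on the host.
            findings.append("saved state on host disk (holds guest RAM): "
                            + el.get("stateFile"))
        elif name == "SharedFolder":
            mode = "read-write" if el.get("writable") == "true" else "read-only"
            findings.append(
                f"shared folder {el.get('name')!r} -> {el.get('hostPath')} ({mode})")
        elif name in ("Clipboard", "DragAndDrop"):
            if el.get("mode", "Disabled") != "Disabled":
                findings.append(f"{name} enabled: {el.get('mode')}")
    return findings


if __name__ == "__main__":
    for finding in audit_vbox(SAMPLE_VBOX):
        print("FINDING:", finding)
```

An empty result only means these channels are closed in the settings file; anyone with sufficient privileges on the host can still read the running VM's memory, as the comments above point out.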