| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
|---|
| 2 | <!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
|
|---|
| 3 | <topic xml:lang="en-us" id="diskencryption-limitations">
|
|---|
| 4 | <title>Limitations of Disk Encryption</title>
|
|---|
| 5 |
|
|---|
| 6 | <body>
|
|---|
| 7 | <p>
|
|---|
| 8 | There are some limitations the user needs to be aware of when
|
|---|
| 9 | using this feature:
|
|---|
| 10 | </p>
|
|---|
| 11 | <ul>
|
|---|
| 12 | <li>
|
|---|
| 13 | <p>
|
|---|
| 14 | This feature is part of the <ph conkeyref="vbox-conkeyref-phrases/vbox-ext"/>,
|
|---|
| 15 | which needs to be installed. Otherwise disk encryption is
|
|---|
| 16 | unavailable.
|
|---|
| 17 | </p>
|
|---|
| 18 | </li>
|
|---|
| 19 | <li>
|
|---|
| 20 | <p>
|
|---|
| 21 | Since encryption works only on the stored user data, it is
|
|---|
| 22 | currently not possible to check for metadata integrity of
|
|---|
| 23 | the disk image. Attackers might destroy data by removing or
|
|---|
| 24 | changing blocks of data in the image or change metadata
|
|---|
| 25 | items such as the disk size.
|
|---|
| 26 | </p>
|
|---|
| 27 | </li>
|
|---|
| 28 | <li>
|
|---|
| 29 | <p>
|
|---|
| 30 | Exporting appliances which contain encrypted disk images is
|
|---|
| 31 | not possible because the OVF specification does not support
|
|---|
| 32 | this. All images are therefore decrypted during export.
|
|---|
| 33 | </p>
|
|---|
| 34 | </li>
|
|---|
| 35 | <li>
|
|---|
| 36 | <p>
|
|---|
| 37 | The DEK is kept in memory while the VM is running to be able
|
|---|
| 38 | to decrypt data read and encrypt data written by the guest.
|
|---|
| 39 | While this should be obvious the user needs to be aware of
|
|---|
| 40 | this because an attacker might be able to extract the key on
|
|---|
| 41 | a compromised host and decrypt the data.
|
|---|
| 42 | </p>
|
|---|
| 43 | </li>
|
|---|
| 44 | <li>
|
|---|
| 45 | <p>
|
|---|
| 46 | When encrypting or decrypting the images, the password is
|
|---|
| 47 | passed in clear text using the <ph conkeyref="vbox-conkeyref-phrases/product-name"/> API. This
|
|---|
| 48 | needs to be kept in mind, especially when using third party
|
|---|
| 49 | API clients which make use of the webservice where the
|
|---|
| 50 | password might be transmitted over the network. The use of
|
|---|
| 51 | HTTPS is mandatory in such a case.
|
|---|
| 52 | </p>
|
|---|
| 53 | </li>
|
|---|
| 54 | <li>
|
|---|
| 55 | <p>
|
|---|
| 56 | Encrypting images with differencing images is only possible
|
|---|
| 57 | if there are no snapshots or a linear chain of snapshots.
|
|---|
| 58 | This limitation may be addressed in a future <ph conkeyref="vbox-conkeyref-phrases/product-name"/>
|
|---|
| 59 | version.
|
|---|
| 60 | </p>
|
|---|
| 61 | </li>
|
|---|
| 62 | <li>
|
|---|
| 63 | <p>
|
|---|
| 64 | The disk encryption feature can protect the content of the
|
|---|
| 65 | disks configured for a VM only. It does not cover any other
|
|---|
| 66 | data related to a VM, including saved state or the
|
|---|
| 67 | configuration file itself.
|
|---|
| 68 | </p>
|
|---|
| 69 | </li>
|
|---|
| 70 | </ul>
|
|---|
| 71 | </body>
|
|---|
| 72 |
|
|---|
| 73 | </topic>
|
|---|
