|About this Encrypted Images Page|
This wiki page is maintained by a contributor.
Encrypted Guest Images
- applies when using Kicksecure ™ inside VMs.
- is mostly theoretical at this point, because it contains numerous open research questions and is currently unsupported.
The greatest security benefit comes from applying full disk encryption (FDE) on the host because that is the only place where it is most effective. Nevertheless, for the interested reader this section makes recommendations to deal with the following threat model:
- The host is running when an adversary gets access to it, or the host is unencrypted.
- The VM is powered down (otherwise the adversary would already have access to it).
The following security considerations are based on modified quotes by Iszi from the answer posted on security.stackexchange.com, which was a user contribution to stackexchange, licensed under cc by-sa 3.0 with attribution required.
Full Disk Encryption within the Virtual Machine
When using FDE within the VM, never save (suspend/pause) the VM machine state, but instead shut it down completely. If this advice is ignored, the saved machine state could be stored outside of the encrypted image. This includes a RAM dump, which contains the encryption key required to decrypt the image. Upon resuming the VM, that stored file is not necessarily securely deleted, since it is virtualizer-specific.
While the VM is running, the host system's sleep, suspend, or hibernate functions should not be used. Similar to the first scenario, these actions leave a RAM dump on disk, but this time it belongs to the host. This also contains sensitive data, such as encryption keys.
Virtual Machine Files in an Encrypted Container
VM files can also be stored in an encrypted container, such as a LUKS container. Newer and native support for LUKS encryption of disk images is available as of libvirt 2.10  The same precautions should be taken as outlined in the previous section, as the risks equally apply.
FDE within the VM, LUKS encrypted containers for VM images, and FDE on the host can all be used independently, or in conjunction. However, increasing the layers of encryption may begin to significantly degrade performance. End modified quote by Iszi.
Other Security Considerations
Encryption is an area with many pitfalls; consider the following additional risks.
Table: Additional Encryption Risks
|Memory Dumps||These are caused by Blue Screen of Death (BSOD) or kernel crashes and can leave unintended traces on the host; see Core Dumps.|
|Powered-down VMs||After a VM has shutdown, the RAM that previously contained the VM's encryption key might not have been wiped yet. Memory pages belonging to a terminated process do not have their contents wiped (zeroed) until they are about to be used by another process.    |
|Swap||An encrypted swap provides no protection so long as the host is powered up, because the key is still in RAM. Disabling swap requires a special, secure wiping of the existing swap -- it is far safer to have never used swap before.|
Open Security Research Questions
The following questions require further research:
- With swap and crash dumps disabled, it is unknown whether the virtualizer writes parts of the VM's RAM contents to the disk. TODO: Specifically ask virtualizer vendors about this possibility.
Encrypted Images Setup
Potential Future Development
This is mostly theoretic and very most likely will not happen unless a volunteer contributes it which seems very unlikely.
- An encryption feature could be added to
grml-debootstrap  and/or the Kicksecure ™ build script. There was an attempt to do that, but this effort has stalled.
- cryptsetup-reencrypt could be used, allowing for the shipping of encrypted Kicksecure ™ images. The master key and the password (potentially blank) would be known to the public at first. Later on,
cryptsetup-reencryptwould be used to fix the master key and password, that is, to make the encryption effective.
The host of security considerations suggest that an unrealistic set of operational rules are required to defend the integrity of a purely encrypted guest image. Use of Full Disk Encryption (FDE) is recommended instead.
Linux zeroes out (i.e. fills with zeros) all pages of memory not when they are released, but when they are given to another process. Thus, no process may obtain data excerpts from another process. However, the pages will retain their old contents until they are reused.
- The threat is similar to cold boot attacks, but in this case it might even be a "warm" attack, because under this threat model, the machine and RAM is still powered. PAX_MEMORY_SANITIZE and its KSPP successor may mitigate this, but at the cost of a non-trivial performance hit.
Memory ballooning is a memory management feature used in most virtualization platforms which allows a host system to artificially enlarge its pool of memory by taking advantage or reclaiming unused memory previously allocated to various virtual machines.
Xen explicitly assigns dedicated memory regions to instances and scrubs data upon the destruction of instances (or domains in Xen parlance). KVM depends more greatly on Linux page management; A complex set of rules related to KVM paging is defined in the KVM documentation. It is important to note that use of the Xen memory balloon feature is likely to result in information disclosure. We strongly recommended to avoid use of this feature.
Kicksecure ™ build script is a user of