Encrypted VM Images

From Kicksecure
Jump to navigation Jump to search

About this Encrypted Images Page
Contributor maintained wiki page.
Support Status stable
Difficulty easy
Contributor HulaHooparchive.org
Support Support

Full Disk Encryption (FDE) VM images are virtual machine images that have been encrypted with a full disk encryption mechanism. This article examines whether Full Disk Encryption (FDE) is a beneficial and secure method for safeguarding data stored in local virtual machines or cloud computing environments by exploring its advantages and security implications.

Encrypted Guest Images[edit]

Info This encrypted images chapter:

  • applies when using Kicksecure inside VMs.
  • is mostly theoretical at this point, because it contains numerous open research questions and is currently unsupported.

The greatest security benefit comes from applying full disk encryption (FDE) on the host because that is the only place where it is most effective. Nevertheless, for the interested reader this section makes recommendations to deal with the following threat model:

  • The host is running when an adversary gets access to it, or the host is unencrypted.
  • The VM is powered down (otherwise the adversary would already have access to it).

The following security considerations are based on modified quotes by Isziarchive.org from the answer posted on security.stackexchange.comarchive.org, which was a user contribution to stackexchange, licensed under cc by-sa 3.0archive.org with attribution requiredarchive.org.

Full Disk Encryption within the Virtual Machine[edit]

When using FDE within the VM, never save (suspend/pause) the VM machine state, but instead shut it down completely. If this advice is ignored, the saved machine state could be stored outside of the encrypted image. This includes a RAM dump, which contains the encryption key required to decrypt the image. Upon resuming the VM, that stored file is not necessarily securely deleted, since it is virtualizer-specific.

While the VM is running, the host system's sleep, suspend, or hibernate functions should not be used. Similar to the first scenario, these actions leave a RAM dump on disk, but this time it belongs to the host. This also contains sensitive data, such as encryption keys.

Virtual Machine Files in an Encrypted Container[edit]

VM files can also be stored in an encrypted container, such as a LUKS container. Newer and native support for LUKS encryption of disk images is available as of libvirt 2.10 [1] The same precautions should be taken as outlined in the previous section, as the risks equally apply.

FDE within the VM, LUKS encrypted containers for VM images, and FDE on the host can all be used independently, or in conjunction. However, increasing the layers of encryption may begin to significantly degrade performance. End modified quote by Iszi.

Other Security Considerations[edit]

Encryption is an area with many pitfalls; consider the following additional risks.

Table: Additional Encryption Risks

Category Description
Memory Dumps These are caused by Blue Screen of Death (BSOD) or kernel crashes and can leave unintended traces on the host; see Core Dumps.
Powered-down VMs After a VM has shutdown, the RAM that previously contained the VM's encryption key might not have been wiped yet. Memory pages belonging to a terminated process do not have their contents wiped (zeroed) until they are about to be used by another process. [2] [3] [4] [5]
Swap An encrypted swap provides no protection so long as the host is powered up, because the key is still in RAM. Disabling swap requires a special, secure wiping of the existing swap -- it is far safer to have never used swap before.
Virtualizer-specific Issues
  • KVM: It is not expected that KVM guests could access data from other process' memory pages via memory ballooningarchive.org, since KVM guests are Linux processes and subject to Linux memory allocation rules. [6]
  • VirtualBox: In the case of VirtualBox, the file could end up in the folder ~/.virtualbox. A definitive answer requires further research.
  • Xen: Memory ballooning in Xen creates privacy concerns because when it is enabled the memory contents of other VMs are exposed. [7]

Open Security Research Questions[edit]

The following questions require further research:

  • With swap and crash dumps disabled, it is unknown whether the virtualizer writes parts of the VM's RAM contents to the disk. TODO: Specifically ask virtualizer vendors about this possibility.

Encrypted Images Setup[edit]

Installing Debian inside a VM first including full disk encryption (FDE) and using Distribution Morphing to morph Debian into Kicksecure and result in an encrypted Kicksecure VM image.

Potential Future Development[edit]

This is mostly theoretic and very most likely will not happen unless a volunteer contributes it which seems very unlikely.

  • An encryption feature could be added to grml-debootstraparchive.org [8] [9] and/or the Kicksecure build script. There was an attemptarchive.org to do that, but this effort has stalled.
  • cryptsetup-reencryptarchive.org could be used, allowing for the shipping of encrypted Kicksecure images. The master key and the password (potentially blank) would be known to the public at first. Later on, cryptsetup-reencrypt would be used to fix the master key and password, that is, to make the encryption effective.

Conclusion[edit]

The host of security considerations suggest that an unrealistic set of operational rules are required to defend the integrity of a purely encrypted guest image. Use of Full Disk Encryption (FDE) is recommended instead.

For further information about encrypted images, see How Useful is In-Guest Encryption?archive.org Readers interested in running Kicksecure as a live OS should refer to Live Mode.

See Also[edit]

Footnotes[edit]

  1. https://libvirt.org/formatstorageencryption.html#StorageEncryptionLuksarchive.org
  2. https://security.stackexchange.com/questions/42179/is-there-any-linux-distro-or-kernel-patch-that-wipes-a-process-memory-space-afte/42186#42186archive.org

    Linux zeroes out (i.e. fills with zeros) all pages of memory not when they are released, but when they are given to another process. Thus, no process may obtain data excerpts from another process. However, the pages will retain their old contents until they are reused.

  3. https://superuser.com/questions/894463/does-linux-zero-memory-released-by-applications/894936#894936archive.org
  4. https://askubuntu.com/questions/721084/linux-overwriting-ram-with-zeroes-on-free/721207#721207archive.org
  5. The threat is similar to cold boot attacks, but in this case it might even be a "warm" attack, because under this threat model, the machine and RAM is still powered. PAX_MEMORY_SANITIZEarchive.org and its KSPP successorarchive.org may mitigate this, but at the cost of a non-trivial performance hit.
  6. https://www.techopedia.com/definition/30466/memory-ballooningarchive.org

    Memory ballooning is a memory management feature used in most virtualization platforms which allows a host system to artificially enlarge its pool of memory by taking advantage or reclaiming unused memory previously allocated to various virtual machines.

  7. https://docs.openstack.org/security-guide/tenant-data/data-privacy-concerns.htmlarchive.org

    Xen explicitly assigns dedicated memory regions to instances and scrubs data upon the destruction of instances (or domains in Xen parlance). KVM depends more greatly on Linux page management; A complex set of rules related to KVM paging is defined in the KVM documentation. It is important to note that use of the Xen memory balloon feature is likely to result in information disclosure. We strongly recommended to avoid use of this feature.

  8. Kicksecure build script is a user build-steps.d/*_create-raw-image of grml-debootstrap.

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!