Will storing files inside a VM be more of a secure location?

sram

[H]ard|Gawd
Joined
Jul 30, 2007
Messages
1,699
Sometimes you have files that are not very sensitive and you don't want to encrypt them and go into the trouble of decrypting them every time you need to view or work with them. So, will it be more secure for the files to be put inside a virtual machine and work with it only from inside the virtual machine? I understand that if the VM is up and running, it will just be another box in your network and it can be hacked into the same way your host or main machine can be hacked into, but I'm asking this question since the VM will be off most of the time, so it will less exposure to the internet.

Are there forensics tools to extract data files VM images or files? I suspect there is.

I'm asking because I"m thinking it will be harder for an attacker to reach such files if the virtualization software is off in the host.....Am I right with this line of thinking?
 
A virtual machine's storage device is just a file on the host. There's nothing stopping someone from downloading that file and loading it up in a VM of their own to see what's in it.

Yeah but the VM file will be too huge (~ 2-4 GB) to download very quickly when you are only putting your eyes on a small text file.
 
If the bad person knows what system you use to run the VM's, then other then size, it will offer little security. With cheap pocket-able drives easily able to hold the VM file, anyone with physical access to a VM server can easily copy off the VM files. One downside to the ever increasing speeds of USB ports is the ease and speed of copying off files to ever physically smaller portable storage gizmos.

If they can remote in to the VM server, you have larger security issues.

Probably easier to buy a small safe and portable drive. Likely not much time difference between opening the safe and connecting the drive and firing up the VM server followed by the VM itself.
 
If the bad person knows what system you use to run the VM's, then other then size, it will offer little security. With cheap pocket-able drives easily able to hold the VM file, anyone with physical access to a VM server can easily copy off the VM files. One downside to the ever increasing speeds of USB ports is the ease and speed of copying off files to ever physically smaller portable storage gizmos.

If they can remote in to the VM server, you have larger security issues.

Probably easier to buy a small safe and portable drive. Likely not much time difference between opening the safe and connecting the drive and firing up the VM server followed by the VM itself.

Still a hassle, but I see your point. It might be worth it to get a low-spec machine and make it isolated or air-gaped if you want to call it that and manage those sensitive files in there. Thanks buddy.
 
Are there forensics tools to extract data files VM images or files? I suspect there is.

Yes. A VM is not a secure container in of itself. There is also forensic software that will allow me to boot a captured forensic image.
 
Not more secure no.

A bigger hassle - maybe, but with computers it's trivial. But hassle =/= security (although the reverse certainly feels like it)

Dead Parrot is right - an offline VM is not a lot different than just removable storage, and less secure since the VM storage file is still available even if the VM isn't powered on. At least a removable drive will be powered off and 100% non-accessible remotely while it's not plugged in.

Why not just use whole drive encryption? Even if you don't do your entire computer you could do a partition or second drive/removable drive.
 
Not more secure no.

A bigger hassle - maybe, but with computers it's trivial. But hassle =/= security (although the reverse certainly feels like it)

Dead Parrot is right - an offline VM is not a lot different than just removable storage, and less secure since the VM storage file is still available even if the VM isn't powered on. At least a removable drive will be powered off and 100% non-accessible remotely while it's not plugged in.

Why not just use whole drive encryption? Even if you don't do your entire computer you could do a partition or second drive/removable drive.

How does it work with whole disk encryption? If the files are closed, an attacker may be able to reach them but he won't be able to decrypt them and see their contents (unless they are open of course and loaded into memory) ? I'm not sure but I thought when the legitimate user is logged in, all files are already decrypted. Right or wrong? Not sure how full disk encryption work although I have used truecrypt very briefly in the past.
 
just encrypt the disk when you install the guess OS. its just a checkbox in the linux installation. then when it boots you have to enter the separate key. they can do whatever they want with the vm files but the disk will still be encrypted.

if you really wanted to get fancy and really convenient you could spin up a cloud server and disable all auth except for using ssh keys. they use winscp or map it as a remote directory... you wont have to copy any files locally, you can edit them directly over the ssh connection. lock down the source IPs to your home or VPN exit of choise. keep the key on a usb or something. no one is going through the trouble to crack that.

more likely youll screw it up or lose something and lock yourself out.
 
  • Like
Reactions: sram
like this
98403265-4301-4A97-A97F-3505681198F2.png

That being said, just set up an encrypted file container with Veracrypt, and use something like a Yubikey (stored password + known secret you add to the front or back of the stored password) to generate your encryption key and give you easy secure access. This is the simplest thing I can think of to accomplish what you want.

Throw a usb drive storing your file container and a portable copy of Veracrypt on your key ring with your Yubikey and take it with you everywhere. Name your encrypted file container “temp” and put a bunch of other random shit on your thumb drive if you want to make it harder for a casual person to notice it (assuming it’s only going to be a few MB, you said text files). Hell, use one of the random files as a key file in addition to your Yubikey method if you are really really paranoid. You can do exotic things with Veracrypt beyond that if you want.

If anyone goes through the trouble of trying to break into that, you probably should have been using Mr Robot / Ed Snowden levels of paranoia / security to hide your stuff (Qubes OS on an old ThinkPad which you’ve replaced the bios with Coreboot, airgapped, etc).

If someone has physical access to your computer you’ve already lost any ability to hide something if they are intent on discovering your secret.
 
Last edited:
A stand alone non network non wifi PC sounds like a good option for you. Might even get an old heavy vertical case that will hold 10+ drives. Install your minimal spec computer hardware inside. The size and weight will deter spur of the moment theft, unlike a cute looking small cheap laptop. Implement whatever physical security is warranted. Could load it up with several dead hard drives for extra theft deterring weight.
 
just encrypt the disk when you install the guess OS. its just a checkbox in the linux installation. then when it boots you have to enter the separate key. they can do whatever they want with the vm files but the disk will still be encrypted.

if you really wanted to get fancy and really convenient you could spin up a cloud server and disable all auth except for using ssh keys. they use winscp or map it as a remote directory... you wont have to copy any files locally, you can edit them directly over the ssh connection. lock down the source IPs to your home or VPN exit of choise. keep the key on a usb or something. no one is going through the trouble to crack that.

more likely youll screw it up or lose something and lock yourself out.


Oh I see, you mean use full disk encryption for the VM and then use it as a secure place for such files. I was thinking about full disk encryption for the host. That's actually smart! I like it. I can use one of the best linux distributions out there (at least according to me) that is the Parrot OS. It is similar to Kali linux in terms of putting together pen testing software in one place but it also considers user security and privacy. You can even use anonymous browsing with a click of a button. How did I miss that. Really coooool, I'm going to do it shortly. Many thanks dude.
 
View attachment 177947

That being said, just set up an encrypted file container with Veracrypt, and use something like a Yubikey (stored password + known secret you add to the front or back of the stored password) to generate your encryption key and give you easy secure access. This is the simplest thing I can think of to accomplish what you want.

Throw a usb drive storing your file container and a portable copy of Veracrypt on your key ring with your Yubikey and take it with you everywhere. Name your encrypted file container “temp” and put a bunch of other random shit on your thumb drive if you want to make it harder for a casual person to notice it (assuming it’s only going to be a few MB, you said text files). Hell, use one of the random files as a key file in addition to your Yubikey method if you are really really paranoid. You can do exotic things with Veracrypt beyond that if you want.

If anyone goes through the trouble of trying to break into that, you probably should have been using Mr Robot / Ed Snowden levels of paranoia / security to hide your stuff (Qubes OS on an old ThinkPad which you’ve replaced the bios with Coreboot, airgapped, etc).

If someone has physical access to your computer you’ve already lost any ability to hide something if they are intent on discovering your secret.

Amazing tips, thanks. But I think using full disk encryption for a VM is less hassle, and it will be sufficient for me.
 
Back
Top