#1 2019-03-06 14:12:48

hschletz
Member
Registered: 2019-03-06
Posts: 2

OpenSSL update broke VirtualBox disk encryption

Hello,

The recent OpenSSL updates (1.1.1.a-1 -> 1.1.1.b-1 and 1.0.2.q-1 -> 1.0.2.r-1) broke VirtualBox disk encryption.

Today one of my VirtualBox VMs, which had worked 2 days before, started to fail. I could boot, but the disks were effectively read-only. dmesg output inside the VM showed lots of AHCI errors, accompanied by other messages in the VirtualBox log. No problems were observed on the host side. Other VMs on the same host worked fine, as well as the same VM on a different host.

I exported and re-imported the VM, and it worked again. When I tried to re-enable disk encryption, I found the problem:

# vboxmanage encryptmedium VirtualBox\ VMs/vmname/vmname.vdi --newpassword - --cipher AES-XTS256-PLAIN64 --newpasswordid something
Enter new password:
0%...
Progress state: VBOX_E_INVALID_OBJECT_STATE
VBoxManage: error: Failed to encrypt hard disk
VBoxManage: error: Failed to load the encryption filter:  (VERR_CR_CIPHER_OSSL_ENCRYPT_FINAL_FAILED)
VBoxManage: error: Details: code VBOX_E_INVALID_OBJECT_STATE (0x80bb0007), component MediumWrap, interface IMedium
VBoxManage: error: Context: "RTEXITCODE handleEncryptMedium(HandlerArg*)" at line 1930 of file VBoxManageDisk.cpp

Same problem with AES-XTS128-PLAIN64. According to the VirtualBox documentation, no other ciphers are supported.

Downgrading the OpenSSL packages and rebooting fixed the issue. This is of course not a real solution.

Are the mentioned ciphers no longer supported by OpenSSL, or is this a bug? Can VirtualBox use different ciphers?

#2 2019-03-14 20:48:10

alanaktion
Member
Registered: 2016-03-04
Posts: 2

Re: OpenSSL update broke VirtualBox disk encryption

I'm experiencing the exact same issue, with both new and existing machines, including the weird semi-read-only state. I haven't seen anything similar to this on the VirtualBox bug tracker (no issues related to openssl for a few years), but it definitely seems like a bug. OpenSSL's changelog doesn't mention anything about a deprecation or any breaking changes that seem related to me.

Edit: I was able to get the virtualbox-bin AUR package (Oracle's binary release) to work correctly with vboxmanage encryptmedia as well as in the GUI, though that does mean I have to use DKMS now. Since the machine encryption is part of Oracle's extension pack, I wonder if the compatibility with the OSS builds is intentionally limited in some way, or at least not officially supported... I would definitely still prefer to use the native builds. I may just switch to LUKS when I need encryption so I'm not relying on Oracle's extension pack.

Last edited by alanaktion (2019-03-14 21:14:30)

#3 2019-03-14 22:30:56

aever32
Member
Registered: 2019-03-14
Posts: 1

Re: OpenSSL update broke VirtualBox disk encryption

I confirm, I have a similar problem. Today it was necessary to encrypt the disk and oops ...

#4 2019-03-15 11:57:27

hschletz
Member
Registered: 2019-03-06
Posts: 2

Re: OpenSSL update broke VirtualBox disk encryption

@alanaktion: The binaries from Oracle seem to have no external dependency on OpenSSL. Looks like it's either statically linked or otherwise bundled, which would explain why they work despite the new system-wide OpenSSL libraries. I'm not aware of any intentional restrictions on the OSE version.
