VMware Communities
rob1212
Contributor

Installing VM on encrypted drive – traces of guest OS and usage in unencrypted locations?

Hi!

I’m trying to install the entire guest OS (if possible the entire VMware) on a partition encrypted with True Crypt (encryption software). Due to the fact that VMware installation requires rebooting and TrueCrypt cannot be (at least easily) configured to auto-decrypt the disk before the OS is fully started, I was forced to scratch the entire idea. It’s obvious that during reboot, whatever requires the reboot needs to see the VMware folder unencrypted (something which I was not able to achieve) - before the system is fully started. Numerous attempts produced error messages and I was forced to abandon the plan.

Instead (as suggested on a different forum) I decided to install VMware normally and, once installed, define the Virtual Machines location on the encrypted drive. To explain how True Crypt works: it allows encrypting entire drives or partitions, which upon entering the password become mapped as another drive (visible as an additional letter in My Computer). Once the letter of the decrypted partition appears in My Computer, it functions just as any other partition.

The question which intrigues me however is, considering what I have done, what possible chunks of the guest OS (if any) and information referring to the existence and usage of Virtual Machines could end up outside the encrypted drive?

I’m guessing that the guest OS will be totally encrypted - that is, no parts of it whatsoever will end up anywhere outside its defined folder. I am also guessing that even though the Virtual Machine itself will be encrypted, there might be some traces of its existence and usage in the VMware folder, host OS registry or other locations. Am I correct in my assumptions? Could it be established what the location of the Virtual Machine is and when it was used last?

Appreciating comments!

Accepted Solution
continuum
Immortal

Attached it this time :_|

after you have applied that patch you can reboot.

After reboot mount the tc-container to same driveletter as before !!! - then you can start the services manually.

Starting the services goes like this:

net start vmx86

net start VMAuthdService

net start VMnetuserif

net start VMnetAdapter

net start VMnetBridge

net start hcmon

net start vmusb

optional services are :

net start "VMware NAT Service"

net start VMnetDHCP

net start vmount2

net start vstor2

net start vstor2-ws60

net start vmkbd


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

30 Replies
MtMan
Enthusiast

Rob,

I'm doing something very similar. I use PGP Desktop to make an encrypted partition. I have installed VMware Workstation on my unencrypted partition and I have a VM kept on the encrypted partition. PGP also has the ability to do whole disk encryption, but I haven't used this feature. Whole disk encryption may in itself be the solution you're looking for.

Pieces of the guest can leak out to the host's pagefile, which is not encrypted (it would be if you were using whole disk encryption). Also there are registry settings and VMware log files that leave traces that VMs have been run. There is a Windows registry setting to clear the pagefile on shutdown, but I don't shut down very often, and it makes shut down take a couple of minutes longer, so I don't do this.

It seems like it would be possible to make regfiles and scripts to remove and restore the VMware registry settings and log files. These scripts could be kept on your encrypted partition. This method would be a problem if you also used VMware Workstation with other unencrypted VMs, like I do.

continuum
Immortal

I am also guessing that even though the Virtual Machine itself will be encrypted, there might be some traces of its existence and usage in the VMware folder, host OS registry or other locations. Am I correct in my assumptions? Could it be established what the location of the Virtual Machine is and when it was used last?

Appreciating comments!

Rob - even if you run a VM from a truecrypt container there will be at least one file that references it which is outside the container.

Look at the preferences.ini in home\user\appdata\vmware and at the favorites.vmls in the same path.

I'm pretty sure there is NO reference in registry - so if you clean those two files mentioned before your VM should be hidden.

Also make sure you use

mainmem.useNamedFile = "true" so that VMware doesn't use the system pagefile for swapping


rob1212
Contributor

Actually what you are talking about seems to be more of a True Crypt usage precaution rather than a concern of how VMware itself operates – something which I was concerned about.

According to this True Crypt document, pagefiling can be easily disabled for the time of operation:

http://www.truecrypt.org/docs/

Thanks for the comment! Merry Xmas MtMan!

rob1212
Contributor

Replied to wrong post - disregard!

rob1212
Contributor

Thanks for the info continuum! Do I understand you correctly – are those ALL the leakage concerns (of VM and guest OS) - or could there be more? I do understand that talking in absolute terms might be difficult and risky. I'm sort of guessing that the guest OS can’t be leaking, because it seems that containment is required to achieve a true sandbox – true separation between guest and host OS – am I correct?

Besides, it is also something which the True Crypt documentation itself seems to imply indirectly (if I understand it correctly):

Quote (very last FAQ from the following page: http://www.truecrypt.org/faq.php):

“Q: Can TrueCrypt encrypt a Windows boot partition?

A: Yes, but not directly. TrueCrypt can encrypt (on-the-fly) a disk image containing an installed operating system that you run (boot) under virtual-machine software, such as Virtual PC, VirtualBox, or VMware (VirtualBox OSE is free and open-source; Virtual PC and some editions of VMware are free).

Tip: That way, you can have Windows installed in a hidden volume. (http://www.truecrypt.org/docs/)“

As mentioned before, originally what I was trying to do was to install the entire VMware on an encrypted drive, however since there seems to be no easy way to auto-decrypt volumes in True Crypt during reboot (something which VMware installation requires) I scratched the idea:

http://12078.net/grcnews/article.php?group=grc.techtalk&id=200311

What I am still fooling myself with is yet another possibility – this is relatively complicated, therefore whoever reads it – well, …buckle up!

What I am trying to achieve is a situation where I can operate the entire VMware (as opposed to just a Virtual Machine) from a drive encrypted with True Crypt. Let me explain!

Let’s imagine:

1) OS is installed on one drive (let's say C) and it DOES have VMware installed.

2) another copy of the same OS is installed on a different drive and let's say the 2nd drive is divided into two partitions: say D and E. Let's say D contains the OS, DOES NOT have VMware installed, however it does have True Crypt and some backup software (Drive Snapshot, for instance), while E is empty.

3) While booting from D, True Crypt encrypts the entire E and maps it as F.

4) Still running the OS from D, Drive Snapshot creates a backup image of C and saves it to F

5) Let's say C is formatted, securely wiped and is now empty

6) While booted from D, Snapshot uses the backup image (note: the entire image is now on the encrypted drive) and using its feature maps another drive (Z) from the image file. YES, Snapshot allows this: http://www.drivesnapshot.de/en/view1.htm (note: buttons on the picture from the link can be clicked).

7) While going to Z with Windows Explorer, VMware is started and used.

Concerns:

1) Even though data can be saved to Z, unless another image is made from Z before it is unmapped (Snapshot doesn’t allow this (even though it allows multiple instances of itself to be run), still perhaps some other backup software would, after all now it is just another drive letter - ?), any data alteration done to Z will not be saved. Should you, let’s imagine, save a text file to drive Z, it is possible to open, delete and edit it as long as Z is mapped. Once Z is unmapped, next time the C image is mapped again, the text file will not be present in its folder. Should you (be able to, hopefully - ?) create a backup image of Z before closing it, the new image will have the text file.

2) Even though VMware is started from C, the host OS is in fact run from D. Since I understand that in order for VMware to run it has to install deep into the OS (its virtual drives, virtual NICs etc. etc.) – it seems quite puzzling how it would behave (assuming it would even run).

LOL,… OK! I think I complicated this enough to give anybody headache!

Anyway I wonder what the community opinion is. Would this work? Would encryption create containment beyond which no usage leakage would be possible at all?

If you think about it,… should this really work, True Crypt in fact would not only provide encryption for ENTIRE OS which can be run (guest OS on VMware), but CREATE DENIABILITY IT EVEN EXISTS:

http://www.truecrypt.org/docs/

Doesn’t this just sound like a cool idea? 😛

Comments?

Merry Christmas continuum! Merry Christmas everybody!

continuum
Immortal

Hi - sorry - I don't understand the disk-dance you tried to explain ;)

Anyway - maybe I can give you a different view ...

I guess your purpose is to have a computer with only truecrypted disks - no disk unencrypted. Furthermore you want to be able to deny the existence of any further truecrypt-containers in a case where you have been forced to reveal the password for the first container.

In short - if someone steals your notebook the thief shouldn't even find the hidden VMs - even if he was able to look into the first container ...

Well - that's possible. The idea is not to use a hard-disk based system to run those hidden VMs. If you want you can use a LiveCD-based system that runs VMware and Truecrypt.

Look at my site - I made an installer for a 2k3-based LiveCD which has Workstation 6 and Truecrypt integrated.

You can then first create a fully encrypted disk - and later define more containers inside that disk - these "second level containers" can then contain whatever guests you want.

To find out about the existence of these hidden VMs someone has to find your computer with the LiveCD - then he has to bruteforce the truecrypt-password - or torture you - and then you can still say there is nothing more ...

Rob - some guys already use this to protect notebooks with sensitive data - so you can use a tested approach if you want.

I should mention that you will need a system with at least 512 MB RAM - better more ...

On notebooks with 1 GB RAM or more the LiveCD loads completely into RAM so you will get good performance ...

Ulli


rob1212
Contributor

Thanks for reply continuum!

To explain the previous idea, it really all comes down to Snapshot’s ability to map drives using image files. After an image of a bootable drive is created, Snapshot allows mapping its contents (using nothing but the image) to some letter in My Computer, then browsing it just as any data files with Windows Explorer. My hope was that while booted from a partition which doesn’t even have VMware installed, I would be able to map the partition (with VMware installed) using its image, then by going to Program Files and the VMware folder start VMware by clicking its executable. It appears VMware won’t even start this way – so the question becomes really academic.

Your suggestions sound very interesting. That indeed would hide the very fact that VMware is even used. Frankly I was hoping for a way of achieving the same without the necessity of rebooting. From a practical standpoint, I usually run a number of apps on my host OS, starting (or intending to start, to be precise) VMware only to provide protection from infection or network penetration, doing tests etc. Rebooting, even if perfect from an invisibility standpoint, sounds a bit impractical.

I am not that much trying to prevent the scenario of a stolen laptop (frankly I’m not there yet and for this, using some open source, cryptographically tight program which encrypts the entire disk seems preferable), but rather to cover the scenario when the laptop is stolen (or tampered with) while left running unattended. Even if not exactly healthy for VMware, TrueCrypt allows dismounting all drives with a single click, should there be a need for leaving the system running, in a hurry, unattended.

The very reason for starting the thread was really deriving from the dilemma of how to create and use an OS which is totally invisible. Even though encrypting virtual machines is quite strong already, I felt that hiding its very existence (or even the fact that VMware is used at all) is principally stronger. Well.., LOL,… it’s not really as if I have a real life need for seeking NSA-proof methods,… or looking for deniability for that matter 😛 – however it just sounds fascinating should such a thing be possible.

Just me being geek!

Thanks for comments and very interesting resources!

PS.

For anybody reading this post - Happy New Year!

Very special Happy New Year for continuum!

continuum
Immortal

Why don't you simply install VMware into a truecrypt-container itself ?

This needs a batch to bring up the services later on but it can be done


rob1212
Contributor

I just don’t know how to do it.

I received some suggestions about doing same on GRC forum, but not detailed information how to:

http://12078.net/grcnews/article.php?group=grc.techtalk&id=200311

As stated in first lines of thread:

1) VMware requires rebooting during installation

2) True Crypt does not have (contrary to some statements suggesting otherwise) any built-in feature which would allow either auto-mounting encrypted volumes without a password or asking for the password before the system is fully started.

Tried installing - receiving errors referring to “have you reboot VMware during installation” whenever I try to start VM.

continuum
Immortal

Point 1: ignore it

procedure in short:

1. create truecrypt-container

2. mount it to lets say Q:

3. install VMware to Q:\vmware

4. after install do not reboot - go to registry and set all vmware-related services to start manually - write batch to start them manually instead.

5. reboot

If you then want to start VMware - mount your truecrypt-container - run batch


rob1212
Contributor

1) Writing batch would be a problem. I don’t know how.

2) What would be all VMware related services? How would I find them? I’m guessing that going to Administrative tools >> services would probably be easier than changing registry.

continuum
Immortal

to 2. - easier ? - yes but useless ;)

to 1. - I know how to.

What was the build version you installed ? - which language do you use ?


rob1212
Contributor

6.02 build 59824 language - English

continuum
Immortal

Fine - that's the same I have

How shall we proceed ?

I need the exact installation path - so I would suggest you create a container, mount it and install VMware and don't reboot.

Then I need the details to write that batch - best would be if you send an export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to me via mail.

My mail is visible if you visit my site

Then I 'll post the batch here


continuum
Immortal

Windows Registry Editor Version 5.00

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

"Start"=dword:00000003

copy this into a textfile - call it disable-autostart.reg and apply it - it disables automatic start of the vmware services.

Damn -X-( I hate this forum software



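One way to script the manual service start-up from the procedure above, as an added example (this is not continuum's attached batch nor anything shipped by VMware): it assumes the container is mounted as Q: with VMware installed to Q:\vmware, refuses to run while the container is absent, checks that the .reg patch really left each service on manual start, and then starts the services in the order listed in the thread.

```batch
@echo off
rem start-vmware.cmd (added example, not the batch attached in the thread).
rem Assumptions: TrueCrypt container mounted as Q:, VMware installed to
rem Q:\vmware. Service names are the ones listed in the thread.
setlocal enabledelayedexpansion
set TCDRIVE=Q:
set VMWARE_DIR=%TCDRIVE%\vmware

rem 1. The drivers and binaries live inside the container; starting the
rem    services before it is mounted leaves half-started services behind.
if not exist "%VMWARE_DIR%\vmware.exe" (
    echo Container not mounted as %TCDRIVE% - mount it first, then rerun.
    exit /b 1
)

rem 2. Confirm the .reg patch took: each required service must be
rem    DEMAND_START (Start=3), otherwise Windows tries to autostart it at
rem    boot, while the container is still unmounted, and fails noisily.
for %%s in (vmx86 VMAuthdService VMnetuserif VMnetAdapter VMnetBridge hcmon vmusb) do (
    sc qc %%s | find "DEMAND_START" >nul || (
        echo Service %%s is not set to manual start - reapply disable-autostart.reg
        exit /b 2
    )
)

rem 3. Required services, in the order given in the thread. A service that
rem    is already running is skipped; the first real failure stops the run.
for %%s in (vmx86 VMAuthdService VMnetuserif VMnetAdapter VMnetBridge hcmon vmusb) do (
    sc query %%s | find "RUNNING" >nul
    if !errorlevel! equ 0 (
        echo %%s already running
    ) else (
        net start %%s >nul 2>&1
        if !errorlevel! neq 0 (
            echo Failed to start %%s - check the System event log; not continuing.
            exit /b 3
        )
        echo started %%s
    )
)

rem 4. Optional services: a failure here is reported but not fatal.
for %%s in ("VMware NAT Service" VMnetDHCP vmount2 vstor2 vstor2-ws60 vmkbd) do (
    net start %%s >nul 2>&1 && echo started %%~s || echo optional %%~s did not start
)
endlocal
```

Run it from an elevated command prompt after mounting the container; before dismounting the container again, stop the same services with net stop in reverse order so nothing inside Q: is still held open.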
rob1212
Contributor

Thanks a lot Ulli!

Continuum wrote:

Damn -X-( I hate this forum software

LOL same feelings!

Well, I really hate bothering people more than I have to, so probably the reasonable thing to do will be to wait till I have my final OS set and running, then bother you again with questions 😛

Note: To anyone reading this post, I have mentioned to continuum in a private e-mail that the OS which I use now is only a temporary install and he replied that a new OS would require everything written again from scratch.

I still have a number of things which I have to do before I’m ready to migrate my stuff to the new PC, including scanning 8 hard drives for malware and rootkits and some new software testing.

Anyway, both options proposed by continuum are as close to perfect as I think anyone was able to produce (including down-to-bottom details) - I posted the question here and on the GRC forum.

On a private note: even though I’m sure there are many knowledgeable people here, I always thought it is a big plus on a new forum to recognize names which are worth listening to.

Thanks a lot!

continuum
Immortal

Rob - I looked at the patch again - there is nothing specific in it.

You should be able to use it on changing hosts.


rob1212
Contributor

Woo hoo! That sounds kool!

Still little things to be clarified – following this instruction:

1. create truecrypt-container

2. mount it to lets say Q:

3. install VMware to Q:\vmware

4. after install do not reboot - go to registry and set all vmware-related services to start manually - write batch to start them manually instead.

5. reboot

If you then want to start VMware - mount your truecrypt-container - run batch

1) How do I disable the services in the registry? It seems I already have a list – are those command prompts I need to enter, or how do I do it?

Starting the services goes like this:

net start vmx86

net start VMAuthdService

net start VMnetuserif

net start VMnetAdapter

net start VMnetBridge

net start hcmon

net start vmusb

optional services are :

net start "VMware NAT Service"

net start VMnetDHCP

net start vmount2

net start vstor2

net start vstor2-ws60

net start vmkbd

2) To enable the services back I need to download the file from your post, disableservice.reg, and import it manually into the registry (regedit), correct?

3) Since I need this whole thing only for installing (I think) VMware, I wonder would it be OK if I go, after everything is installed, to Administrative tools >> services and enable all the services back to automatic?

4) Since I will have to uninstall my current VMware I assume I can save the already created virtual machines and use them with the new install – correct?