diff options
Diffstat (limited to 'doc/manual/en_US/dita/topics/diskencryption-limitations.dita')
-rw-r--r-- | doc/manual/en_US/dita/topics/diskencryption-limitations.dita | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/doc/manual/en_US/dita/topics/diskencryption-limitations.dita b/doc/manual/en_US/dita/topics/diskencryption-limitations.dita new file mode 100644 index 00000000000..a3cd442e55b --- /dev/null +++ b/doc/manual/en_US/dita/topics/diskencryption-limitations.dita @@ -0,0 +1,73 @@ +<?xml version='1.0' encoding='UTF-8'?> +<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd"> +<topic xml:lang="en-us" id="diskencryption-limitations"> + <title>Limitations of Disk Encryption</title> + + <body> + <p> + There are some limitations the user needs to be aware of when + using this feature: + </p> + <ul> + <li> + <p> + This feature is part of the Oracle VM VirtualBox Extension Pack, + which needs to be installed. Otherwise disk encryption is + unavailable. + </p> + </li> + <li> + <p> + Since encryption works only on the stored user data, it is + currently not possible to check for metadata integrity of + the disk image. Attackers might destroy data by removing or + changing blocks of data in the image or change metadata + items such as the disk size. + </p> + </li> + <li> + <p> + Exporting appliances which contain encrypted disk images is + not possible because the OVF specification does not support + this. All images are therefore decrypted during export. + </p> + </li> + <li> + <p> + The DEK is kept in memory while the VM is running to be able + to decrypt data read and encrypt data written by the guest. + While this should be obvious the user needs to be aware of + this because an attacker might be able to extract the key on + a compromised host and decrypt the data. + </p> + </li> + <li> + <p> + When encrypting or decrypting the images, the password is + passed in clear text using the Oracle VM VirtualBox API. This + needs to be kept in mind, especially when using third party + API clients which make use of the webservice where the + password might be transmitted over the network. The use of + HTTPS is mandatory in such a case. + </p> + </li> + <li> + <p> + Encrypting images with differencing images is only possible + if there are no snapshots or a linear chain of snapshots. + This limitation may be addressed in a future Oracle VM VirtualBox + version. + </p> + </li> + <li> + <p> + The disk encryption feature can protect the content of the + disks configured for a VM only. It does not cover any other + data related to a VM, including saved state or the + configuration file itself. + </p> + </li> + </ul> + </body> + +</topic> |