(How) can I use VirtualBox (linux guest) to unlock LUKS and EcryptFS on Windows 8 (host)?

Posted on

Problem :

I run Linux (Ubuntu 13.10 and Mint 16) most of the time both at work and at home. Occasionally I need to boot into Windows (I dualboot Windows 8 at home or Windows 7 at work).

In Windows, I’d like to be able to access my LUKS drives and unlock my EcryptFS directories (such as ‘encrypted home’* and a few custom ones).

(* the one on my physical Linux drive which I want to access from Windows, not the one on the guest OS.)

There is just no way to do the latter, and the former can only be done by hacking Windows by compromising the security settings in order to use an outdated tool called FreeOTFE who’s author is rumoured to be dead.

So I was wondering, since no one in the universe is porting this encryption functionality to Windows, is there a way I can let an open source virtual machine running Linux do the translation?

You can add shared folders using the VirtualBox dialog:
Add Shared Folder

and mount them in the Linux guest like so:

mkdir /mnt/mySharedFolder
mount -t vboxsf mySharedFolder /mnt/mySharedFolder

But this folder is physically located on the host. Can I share a folder that is physically located on the guest?

E.g. I have a folder ecryptfs on the (Windows) host. I share this with the (Linux) guest. Then I mount it as decrypted on another folder on the guest. And then I want to share this mounted (virtual/decrypted) folder back to the Windows host.

This way I could access my EcryptFS files on Windows.

Same question for LUKS. If would involve sharing an entire physical harddrive to the guest, and share the mounted decrypted folder back to the Windows host.

Solution :

Wow, I’m surprised nobody has answered this question yet.

I’ve done something similar to this when I was booted into Windows, but wanted to use a few Linux programs that wouldn’t work in cygwin. Converting this method to encrypted drive unlocking should be just as easy.

[DISCLAIMER] I am not a security expert, nor to I have experience on the subject beyond the average joe. I can’t promise that this method doesn’t compromise/undermine the security of the encryption. However, for what its worth, I would trust this method with my own safety and security.

(For the LUKS partition/disk)

On the host, you’ll set up virtualbox to forward to encrypted disk/partition to the guest.

Refrence the VBox documentation for a more detailed explanation.

To forward to partition/disk, make sure that windows can see the disk in the disk management or diskpart.

Open a command prompt and run the following.

C:> diskpart

Microsoft DiskPart version 6.1.7601
Copyright (C) 1999-2008 Microsoft Corporation.
On computer:

DISKPART> lis dis

 Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB  9692 GB
  Disk 1    Online         1910 MB   960 KB
  Disk 2    Online            8 GB      0 B        *

Let’s say disk 2 is your encrypted LUKS disk.

Now we’ll either reuse that command prompt by exiting diskpart with exit or just open a new one. (elevated aka as administrator)

C:> PUSHD "C:Program FilesOracleVirtualBox"
C:Program FilesOracleVirtualBox> VBoxManage.exe internalcommands createrawvmdk -filename C:VirtualDisksLUKS.vmdk -rawdisk \.PhysicalDrive2

For a partition of disk 2 add -partitions x,y,z (x,y,z being numbers of the partition you want to use.)

Now in the VM settings for the Linux vm, add the vmdk disk, set up networking as hostonly or birdged so you can access the VM over the network.

Boot a LiveCD or install your Linux flavor of choice. If you haven’t yet done this.

Once booted, the disk should appear in whichever disk utility/cli program you use. Decrypt and mount it as you would.

Now you can use any number of ways to access the data. I prefer sshfs or sftp because its easy and secure.

Once your guest is serving the data via the network, use the proper client on the host to get access.

For sshfs/sftp from windows, you can use Swish, Cygwin, or whatever you like.

(for the encrypted container located on the Windows host ntfs drive (assuming that is what you meant))

I would actually just move this data to an other disk/partition, and use the above method.

Or better yet, move it onto a VHD and attach it to the VM and use the above method.

Based on the example given: using a Windows HOST with a Linux GUEST, and the GUEST has the encrypted folder attached to it.

Q: Can the Windows HOST read the contents of the folder through the Linux GUEST … YES!!!

A: The easiest way is to set up and FTP/SFTP account in the Linux GUEST that allows the user to traverse that folder.


Here is an extended answer as I’m not sure where the LUX partition is hiding.

Your computer is configured as:

  • Dual BOOTs into Windows and Linux (1 OS at a time), or
  • Running Linux HOST with a Windows GUEST in Virtual Box, or
  • Running Windows HOST with a Linux GUEST in Virtual Box

In addition,

  • there is an encrypted folder on the hard drive you wish to share with the GUEST, or
  • one of the GUESTS’s vmdks are encrypted.


I’m working under the assumption that you have access to the box, no matter which OS is running, and can control VM sessions remotely.


Let’s assume that the GUEST’s vmdks is encrypted, and you wish to start it remotely, or headless. There are several ways to unlock the encrypted partition ..

  • DropBear and BusyBox
  • VirtualBox Remote Display RDP Ports
  • wget global server -> unlock key -> destroy key

If the it’s a shared encrypted folder, you will need the GUEST OS to boot and ask for the encryption key. You can do this either as the OS boots during Dracut, or manually mount the folder later.

However, you will need to tell VirtualBox where to find the folder, so that it looks like a drive to the GUEST OS.

While the folder could reside on either drives partition, I would recommend placing the shared folder on / in a seperate partition to avoid problems of OS’s tampering with each others boot sectors.


As for sharing the folder, the same answer above holds true. Create an FTP or Samba server to share the contents. FTP is much easier, as it comes with almost every Linux OS. Samba [aka File and Print Services] if the GUEST is Windows.

Leave a Reply

Your email address will not be published. Required fields are marked *