Fusion

 View Only
Expand all | Collapse all

VM encrypted itself, don't know the password

  • 1.  VM encrypted itself, don't know the password

    Posted Oct 28, 2021 10:09 AM

    Back when Windows 11 was released I tried to encrypt my Windows 10 VM so I could add the TPM, but it failed. Since then I've been running Windows 10, but decided to try the new managedVM.autoAddVTPM = "software" flag when Fusion 12.2.0 was released. It worked and the Windows 11 upgrade tool now only complains about my i7-7700K being unsupported.

    Today however when I started Fusion, I got a dialog saying something along the lines of "Encrypting VM" and there was a progress bar. Now I find my Windows 10 VM to be encrypted, and I don't have the password. The password I used when trying to set up encryption before when it failed does not work. Empty password does not work.

    I'm not sure what to do now. If I can't remove the encryption from this VM I'm risking losing access to this windows license in the future, and if I restore from a backup of this VM it's going to be old and not have the latest software. The backup is also pre EFI conversion. Is there any way to remove the encryption? It never asks for a password (so far).



  • 2.  RE: VM encrypted itself, don't know the password

    Posted Oct 28, 2021 10:43 AM

    You mention Fusion =>  Have you checked the Apple Keychain for passwords?

    See also https://kb.vmware.com/s/article/67634

     



  • 3.  RE: VM encrypted itself, don't know the password

    Posted Oct 28, 2021 10:47 AM

    I have. There are two passwords stored in there, none of them work for this one.

    And since it just encrypted itself out of the blue I never got to provide one either.



  • 4.  RE: VM encrypted itself, don't know the password
    Best Answer

    Posted Oct 28, 2021 11:52 AM

    Hi,

    The popup with "Encrypting VM" is ... weird to say the least.
    Was it quick or did it take a while to complete?

    If it was fast, then there's a fair chance that it didn't actually encrypt the disks contents.
    You can also verify that by checking the actual size of the virtual disk. A fully encrypted VM's disk would be at least the same size as what you set it at. Eg. if your VM has a 60GB virtual disk then it's size would be 60GB as all the data is encrypted, including the empty space.

    If it's smaller, then check my article explaining more details about the experimental vTPM feature.

    https://www.vimalin.com/blog/what-you-should-know-about-vmwares-experimental-vtpm/

    It normally is possible to undo the feature, but it requires more than removing a few lines from the vmx itself.

    Hope this helps,
    --
    Wil



  • 5.  RE: VM encrypted itself, don't know the password

    Posted Oct 28, 2021 06:43 PM

    Hi,

    It was quick. Less than 20 seconds.

    The disks are not taking up the whole assigned space, so they aren't fully encrypted.

    The vTPM article explains it then, but it doesn't explain why this happened severals days after adding the vTPM line to the vmx file. I had rebooted and shut down the VM several times since, but all of a sudden today it did the encryption.

    Thanks for the link to the article, now I know what I have to pay attention to going forward



  • 6.  RE: VM encrypted itself, don't know the password

    Posted Oct 28, 2021 08:39 PM

    Very nice article, thank you!

    What was VMware thinking to encrypt stuff with a password and then hiding the password from the user.  I think this feature escaped the lab a little too soon.



  • 7.  RE: VM encrypted itself, don't know the password

    Posted Oct 31, 2023 11:30 PM

    Not sure why this solution did not pop up here but I just did the following:

    1. Created a new custom virtual machine
    2. Choose Windows 11 64-bit Arm
    3. Leave UEFI Secure Boot unchecked
    4. Auto-generate the password and save in keychain
    5. Select Use an existing virtual disk
    6. Find the useless encrypted VM (for which no password exists); then select Virtual Disk.vmdk
    7. Choose Make a copy of the virtual disk

    After the copying process the new VM started up right away and worked as expected from the previous stored state.



  • 8.  RE: VM encrypted itself, don't know the password

    Posted Dec 15, 2023 01:14 AM

    It appears Virtual Disk.vmdk and all other files are greyed out... any suggestions?



  • 9.  RE: VM encrypted itself, don't know the password

    Posted Sep 17, 2024 12:10 PM

    This absolutely worked for me.  I upgraded my Mac from macOS 14 to 15, which introduced the new "Passwords" app, but it failed to keep the keychain password for VMWare.  Bravo.




  • 10.  RE: VM encrypted itself, don't know the password

    Posted Sep 18, 2024 11:37 AM

    Update: For macOS users who upgraded to Sequoia, the legacy "Keychain" app is still available, and contains content that the new Passwords app does not.  For example, I found my old VMWare encryption password there, but it never appeared in Passwords.

    You can find and run the legacy Keychain app from here:

    /System/Library/CoreServices/Applications/Keychain Access.app

    This may save some headaches for Mac users presented with the "encrypted" image that's looking for a password. 




  • 11.  RE: VM encrypted itself, don't know the password

    Posted Sep 18, 2024 12:22 PM

    If the VM's password was saved by Fusion in the Keychain, it can still find it there when running on Sequoia and not ask you for it to unlock the VM. I've found that none of my encrypted VM that have had their passwords saved by Fusion have asked for a password on power on. I upgraded in-place from Sonoma to Sequoia, so none of my VMs were moved. If you have an encrypted VM that's asking you for a password when you told Fusion to save it, then you probably have another problem. 

    The new Passwords app does not show everything stored in the Keychain. Fusion saved passwords are one of them. As noted, you still need to use Keychain Access to find those items. 



    ------------------------------
    - Paul (technogeezer)
    ------------------------------



  • 12.  RE: VM encrypted itself, don't know the password

    Posted Nov 21, 2024 01:31 PM

    Thank you for this. 

    I was trying to move my WIN11 VM to an external disk and got the popup password request and discovered Password app didn't have it but old Keychain sure did.

    Again, thank you.




  • 13.  RE: VM encrypted itself, don't know the password

    Posted Jan 10, 2025 01:20 PM

    Oh My... I knew the original Keychain was still there, but didn't even think about checking there.  It solved my issue.  Thanks for the heads-up / reminder!




  • 14.  RE: VM encrypted itself, don't know the password

    Posted Nov 13, 2024 05:32 PM

    @jamiljonna - THANK YOU.  It's a year later, and this still works.  I remember, in the past, being prompted to update the encryption on VM (Win11 with TPM), and I simply clicked through and let Fusion do its thing.  Fast forward to this week, and for several reasons, I had to rebuild my Mac and restore from a recent backup.  For some reason, which I suspect was the encryption upgrade, there was no keychain password for my VM.  I followed the steps you documented and all is well.




  • 15.  RE: VM encrypted itself, don't know the password

    Posted Jan 29, 2022 09:55 PM

    I've just encountered the same problem. immediately after adding the line:

    managedVM.autoAddVTPM = "software" 

    and booting the machine the hard drive got encrypted. I was never prompted to set a password so of course, I don't know the password.

    However my machine still boots without asking for encryption password, so I can still use it so far but I can't export it to ovf template and I think I can't copy it either.

    Very weird scenario. VMWARE should check this out ASAP since more and more users are losing their data.

     



  • 16.  RE: VM encrypted itself, don't know the password

    Posted Mar 29, 2022 04:00 AM

    Same here... was never prompted for a password for encrypted VM, worked fine for months, just today, prompted for password.



  • 17.  RE: VM encrypted itself, don't know the password

    Posted Mar 29, 2022 10:30 AM

    different issue (next time please create your own thread)

    You used the Autoaddvtpm experimental feature. Sorry it is me who is confused.. similar subject as another thread.

     

    If I had to guess then you moved your VM and now it won't work anymore (moving it back to the original location might work). But that's just a guess.

    See this thread: https://communities.vmware.com/t5/VMware-Workstation-Pro/How-to-remove-managedvm-autoAddVTPM-quot-software-quot-after/td-p/2872592/jump-to/first-unread-message for tips on recovery.

    --
    Wil



  • 18.  RE: VM encrypted itself, don't know the password

    Posted Mar 29, 2022 05:18 PM

    Actually I did NOT move the VM.  After I got your comment, I tested the scenario you suggested.  And yes, that ALSO generated the password prompt.  Fortunately, the VM in question I did not need to keep, it was used for testing, so it was easier to delete and recreate.

    As for hijacking the thread, I did not think I was doing that, not my intention, but I see your point.

    -Jnk



  • 19.  RE: VM encrypted itself, don't know the password

    Posted Sep 22, 2023 04:38 PM

    Okay I must be missing where/how to resolve this issue. 
    Looks like this started over a year ago, however, I've not see a fix that actually resolves the issue.
    Had to restore system last month and went to Windows 11, had issue with VM not running my Windows 8 & 10 VM's.
    Added {  managedVM.autoAddVTPM = "software"  } then VMWare encrypted the VM.

    So would someone please kind enough to point me to the solution?

    Thanks in advance.



  • 20.  RE: VM encrypted itself, don't know the password

    Posted Sep 22, 2023 04:46 PM

    Hi,

    I've written out the steps here: https://www.reddit.com/r/vmware/comments/qy9wns/comment/hmokzl7/
    Let me quote myself from one of my replies...

    The steps are basically:

    • Create a new VM with a virtual disk of the same size as the encrypted one, make sure it has the same name.
    • use the new descriptor file ('MK Win Desktop.vmdk')

    • use the old vmdk data files ('MK Win Desktop-s001.vmdk' (001 to 016)

    • use the old .vmx file, but remove the lines that start with:

      managedVM.autoAddVTPM

      managedVM.ID

      encryption.encryptedKey

      encryption.keySafe

      encryption.data

    If there's no snapshots then you don't need .vmsd (don't copy it in the new vm, delete if there)

    Normally also no need for .nvram and .vmxf

    That should be all.

    As this is one of those type of answers where it is important to get all the details correct, I've just thrown it in a wiki article.
    See here: https://wiki.vi-toolkit.com/index.php?title=Fixing_a_VM_that_had_AutoAddVTPM_set

    I will update that with whatever detail is still missing.

    --
    Wil



  • 21.  RE: VM encrypted itself, don't know the password

    Posted Sep 26, 2023 02:42 AM

    If you are using VMware 16, here is the solution:

    https://www.syvik.com/multidesk/howto.win11.vmware16.en.html

     



  • 22.  RE: VM encrypted itself, don't know the password

    Posted Sep 26, 2023 03:22 PM

    If it is this easy to gain access to an encrypted virtual machine using the "experimental" vTPM of Fusion 12 and Workstation 16, then it's a pretty clear message that the feature should not be used at all.

    Care to share details on how you did it?  Or, have you reported this to VMware as a security issue?



  • 23.  RE: VM encrypted itself, don't know the password

    Posted Sep 26, 2023 04:08 PM

    I think VMware is aware of this.

    It has been fixed in Workstation 17.

    You will be prompted to create a password instead of generating a random password.



  • 24.  RE: VM encrypted itself, don't know the password

    Posted Mar 29, 2022 08:43 PM

    My solution was eventually to restore the VM from a backup from before the encryption, clone the disk of the encrypted one using Macrium Reflect, and then restore it to the new unencrypted VM.

    I never figured out the encryption password, but as long as the login keychain was unlocked it would boot. If it was not, it would ask for a password. The password was not in the keychain, at least not under any name showing up under vmware, fusion or the name of the VM. There is however a fusion encryption key in there, but no password that can be used to decrypt as far as I can tell.



  • 25.  RE: VM encrypted itself, don't know the password

    Posted Mar 29, 2022 10:53 PM

    Same, the real question is why the password prompt when a password is never requested the the point of VM creation/encryption.  The logic of the issue is what is the concern, not the result or recovery.  Clearly having a known good backup, that is accessible (i.e. not encrypted) is key.  But, for enterprise sites where vCenter/ESXi/vSphere is used, the issue should not be as significant.  Transport of VMs, even VMDKs is not an expectation for enterprise sites per se as a one off, outside of VMotion or area storage replication, IMHO.  But where VM Workstation should have that expectation to a limited degree, meaning there is always the possible need to have an transportable VM, say a Live Linux distro for example.  But why you would need explicit encryption for that is a different story. 

    The risk is that VMDKs, if not the entire VM, can't be an easy move or copy, and if they are to be password protected after encryption I would expect VM Workstation to have a BRIGHT RED DIALOG WITH FLASHING GREEN LETTERS prompting the user for a password, no?  Ok, so red and green is over dramatic, but not nearly as dramatic as my favorite 'media' VM that has years of iTunes songs collected over 10 years, encrypted and lost due to a stealth password requirement.  Reminds me of the guy that has billions in bitcoin, forgot the password, and he only has like 2 attempts of 10 remaining to guess the password?  Or the bitcoins are lost forever!



  • 26.  RE: VM encrypted itself, don't know the password

    Posted Mar 30, 2022 01:40 PM

     wrote:

    Ok, so red and green is over dramatic, but not nearly as dramatic as my favorite 'media' VM that has years of iTunes songs collected over 10 years, encrypted and lost due to a stealth password requirement.  Reminds me of the guy that has billions in bitcoin, forgot the password, and he only has like 2 attempts of 10 remaining to guess the password?  Or the bitcoins are lost forever!


    And this, to me, is the primary reason against digital-only distribution of ANYTHING!  Give me my cassette tapes, LPs, CDs, CD-ROMs, VCR tapes, DVDs, etc.!  If I've bought music, movies, software, games, etc. then I want to retain the ability to use them!