
Need help with disk descriptor format and recovery of encrypted VM


I have here an encrypted Workstation 9.0 virtual machine with a pre-allocated virtual hard disk, which I can no longer access, because the disk descriptor file has gone missing (I do know the password, made out of 24 seemingly random characters one can type with any Roman character keyboard, just for good measure).

The format of the disk descriptor file, its contents and possible recovery avenues for plain (unencrypted) virtual machines are well documented, but I cannot find anything about encrypted VMs except for the incredibly vague information that it uses the Rijndael cipher (AES), that virtual machines can be encrypted and that they are encrypted by default.

If I create a new disk for that VM, same size of 68719476736 bytes, and everything as described one should try, if the disk descriptor file is lost and cannot be restored from a backup (which in my case had not been created yet), I cannot access the contents of the disk, much less boot the VM.

Analyzing the newly created (and encrypted) disk descriptor file, I found that it looked like this:

 

[Image: encrypted_VMDK_disk_descriptor_sample.png]

 

I can see from this that an HMAC-SHA1 method is used and the results base64 encoded, but I cannot determine easily how this is applied, and to what. Most crucially, it is not obvious to me how the encryption keys are derived that are used for the actual encrypting of the disk data, or how one could create a matching disk descriptor file.

If anyone knows how I can regain access to this disk, short of breaking the Rijndael cipher, provided one has the password used to encrypt the virtual machine, this would be great as I would really like to regain access to the disk and some of the data stored on it that I did not have a chance to copy elsewhere. However, I would also like to know in greater detail how VMware encrypts virtual machines and how the encrypted file formats are structured, so I can perform forensic and recovery tasks more easily in the future.

