[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-block] [PATCH RFC 0/2] Limit support for encrypted images to q

From: Paolo Bonzini
Subject: Re: [Qemu-block] [PATCH RFC 0/2] Limit support for encrypted images to qemu-img
Date: Thu, 12 Mar 2015 17:58:23 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0

On 10/03/2015 19:13, Daniel P. Berrange wrote:
> FWIW, I could see an improved interaction scheme working as follows
> First, introduce a new monitor command for setting named passwords,
>     add_key mykey1 SECRETDATA

Or reuse object_add:

    object_add secret,id=mykey1,secret=SECRETDATA

> Now, extend the blockdev_add so that you can provide key names
> by adding
>     'keyname': 'mykey1'
> as a parameter in the json args.

You can also add a command line option:

   -secret id=mykey1,secret=SECRETDATA

or possibly:

   -object secret,id=mykey1,secret=SECRETDATA

> For cold plug, have a command line arg '--add-keys prompt' to
> indicate the user should be prompted on TTY to enter keys,

This can even be the default if you have a human monitor open.
(Downside: the default human monitor, accessible with Ctrl-Alt-2, is not
easily discovered; same for Ctrl-A c for -nographic).

> For managed usage we could allow
> '--add-keys fd=FDNUM' and just read keys from the file descriptor.

For managed usage, options can also be passed via -readconfig like

   [object "mykey1"]


reply via email to

[Prev in Thread] Current Thread [Next in Thread]