
Re: [Qemu-devel] Can I mount encrypt qcow2?


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] Can I mount encrypt qcow2?
Date: Thu, 20 Jul 2017 10:12:24 +0100
User-agent: Mutt/1.8.3 (2017-05-23)

On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> oh~ I didn't know it can expose the LUKS encryption. I'm sure the older (AES)
> one can't be mounted by qemu-nbd.

It can be mounted, with current git master (all the commands I show
below are for git master btw).

You should, however, *never* use the old AES format any more. It is
broken by design and not considered secure.

> If I encrypt by the command you recommended:
> 
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

This *is* exposing the encrypted file, not creating it. If you
want to connect to a host nbd device then you use the command
above, with the -c arg:

$ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
           -c /dev/nbd0 \
           --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0


If you have a legacy AES qcow2 file the syntax is very similar:

$ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
           -c /dev/nbd0 \
           --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0

Note we just changed the encrypt.format parameter there.


To actually create an encrypted file in the first place you need the
qemu-img command:

$ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
           -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
           demo.qcow2 1G
  

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
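The qemu-img / qemu-nbd invocations from the reply above, wrapped in a small POSIX sh helper. This is an added example, not code from the thread or from QEMU: the function names, the `ALLOW_LEGACY_AES` switch and the secret-file handling are assumptions of this example, and `attach_nbd` needs root and the nbd kernel module just like the bare command does.

```shell
#!/bin/sh
# Hypothetical helper script (not from the thread) around the commands
# shown above for LUKS-encrypted qcow2 images.

# Write the passphrase to a file readable only by its owner. qemu reads it via
# "--object secret,...,file=<path>,format=raw"; with format=raw every byte of
# the file is the passphrase, so printf is used to avoid a trailing newline.
write_secret() {
    # $1 = destination path, $2 = passphrase
    ( umask 077 && printf '%s' "$2" > "$1" ) || return 1
    echo "$1"
}

# Compose the --image-opts string used by qemu-nbd. The legacy "aes" format
# (broken by design, per the reply) is refused unless ALLOW_LEGACY_AES=1,
# e.g. to read an old image once before migrating it to LUKS.
image_opts() {
    # $1 = qcow2 path, $2 = secret object id, $3 = encrypt.format (default luks)
    fmt="${3:-luks}"
    case "$fmt" in
        luks) ;;
        aes)
            [ "${ALLOW_LEGACY_AES:-0}" = 1 ] || { echo "refusing legacy aes" >&2; return 2; }
            ;;
        *) echo "unknown encrypt.format: $fmt" >&2; return 2 ;;
    esac
    echo "driver=qcow2,file.filename=$1,encrypt.format=$fmt,encrypt.key-secret=$2"
}

# Create a fresh LUKS-encrypted image (qemu-img create, as in the reply).
create_luks_image() {
    # $1 = image path, $2 = secret file, $3 = size (e.g. 1G)
    qemu-img create --object "secret,id=sec0,file=$2,format=raw" \
        -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 "$1" "$3"
}

# Expose an existing encrypted image on a host nbd device (qemu-nbd -c).
attach_nbd() {
    # $1 = image path, $2 = secret file, $3 = nbd device, $4 = encrypt.format
    opts=$(image_opts "$1" sec0 "$4") || return $?
    qemu-nbd --object "secret,id=sec0,file=$2,format=raw" -c "$3" --image-opts "$opts"
}
```

Typical use: `f=$(write_secret /root/passwd.txt 'my passphrase'); create_luks_image demo.qcow2 "$f" 1G; attach_nbd demo.qcow2 "$f" /dev/nbd0`, then `qemu-nbd -d /dev/nbd0` when done.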


