Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] Can I mount encrypt qcow2?
Date: Thu, 20 Jul 2017 10:12:24 +0100
User-agent: Mutt/1.8.3 (2017-05-23)
On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES)
> can't be mounted by qemu-nbd.
It can be mounted, with current git master (all the commands I show
below are for git master btw).
You should, however, *never* use the old AES format any more. It is
broken by design and not considered secure.
> If I encrypt by the command you recommended:
>
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >     --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
This *is* exposing the encrypted file - not creating it. If you
want to connect to a host nbd device then you use the command
above, with the -c arg
$ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
    -c /dev/nbd0 \
    --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
If you have a legacy AES qcow2 file the syntax is very similar
$ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
    -c /dev/nbd0 \
    --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0
Note we just changed the encrypt.format parameter there.
To actually create an encrypted file in the first place you need the
qemu-img command
$ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
-f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
demo.qcow2 1G
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
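Added example, not part of the original message and not QEMU's own tooling: a shell check that reads the crypt_method field from a qcow2 header to find images still using the legacy AES format the message warns against. The field offset and values (0 none, 1 AES, 2 LUKS) are taken from the qcow2 specification; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify qcow2 images by the crypt_method header field.
# Layout per the qcow2 specification: magic "QFI\xfb" at offset 0 and a
# 32-bit big-endian crypt_method at offset 32 (0 = none, 1 = AES, 2 = LUKS).
# All function names here are hypothetical.

# Print $3 bytes at offset $2 of file $1 as one big-endian unsigned integer;
# fail if the file is too short to contain them.
read_be() {
    val=0 n=0
    for byte in $(od -An -tu1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        val=$(( val * 256 + byte ))
        n=$(( n + 1 ))
    done
    [ "$n" -eq "$3" ] || return 1
    echo "$val"
}

# Print none|aes|luks|unknown:<n>; return 2 for non-qcow2 or truncated input.
qcow2_crypt_method() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "514649fb" ] || { echo not-qcow2; return 2; }
    m=$(read_be "$1" 32 4) || { echo truncated; return 2; }
    case $m in
        0) echo none ;;
        1) echo aes ;;
        2) echo luks ;;
        *) echo "unknown:$m" ;;
    esac
}

# Report each image given as an argument; return 1 if any uses legacy AES.
audit_images() {
    rc=0
    for img in "$@"; do
        method=$(qcow2_crypt_method "$img") || true
        printf '%s: %s\n' "$img" "$method"
        if [ "$method" = aes ]; then rc=1; fi
    done
    return "$rc"
}

# Stand-alone use: sh check.sh image1.qcow2 image2.qcow2 ...
if [ "$#" -gt 0 ]; then audit_images "$@"; fi
```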