qemu-devel

Re: [Qemu-devel] Can I mount encrypt qcow2?


From: 陳培泓
Subject: Re: [Qemu-devel] Can I mount encrypt qcow2?
Date: Fri, 21 Jul 2017 09:44:33 +0800

I rebuilt qemu from https://github.com/qemu/qemu, and it didn't show
any errors.

I tried the cmd you suggested below:

> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>            -c /dev/nbd0 \
>            --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

but it shows unrecognized option '--object '
Why? Did I miss installing something?

2017-07-20 17:12 GMT+08:00 Daniel P. Berrange <address@hidden>:

> On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> > oh~ I don't know can expose the LUKS encryption. I'm sure the older (AES)
> > can't be mounted by qemu-nbd.
>
> It can be mounted, with current git master (all the commands I show
> below are for git master btw).
>
> You should, however, *never* use the old AES format any more. It is
> broken by design and not considered secure.
>
> > If I encrypt by the command you recommended:
> >
> > > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> > >              --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> This *is* exposing the encrypted file - not creating it. If you
> want to connect to a host nbd device then you use the command
> above, with the -c arg.
>
> $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>            -c /dev/nbd0 \
>            --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
>
> If you have a legacy AES qcow2 file the syntax is very similar
>
> $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>            -c /dev/nbd0 \
>            --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0
>
> Note we just changed the encrypt.format parameter there.
>
>
> To actually create an encrypted file in the first place you need the
> qemu-img command
>
> $ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
>            -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
>            demo.qcow2 1G
>
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>
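
A preflight check for the symptom reported in this thread, added here as an example and not part of either poster's message or of QEMU itself: it reports which qemu-nbd binary the shell actually resolves and whether its --help output lists --object and --image-opts before attaching the image. The function names are hypothetical, and it assumes the build prints its supported long options in --help.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; the image, secret file and
# NBD device names in the usage comment are the ones used in the thread.

# Read one line from stdin and store it with owner-only permissions and no
# trailing newline, so the file holds exactly the passphrase bytes.
write_secret_file() {   # $1 = path of the secret file
    ( umask 077
      IFS= read -r pass || [ -n "$pass" ] || exit 1
      printf '%s' "$pass" > "$1" && chmod 600 "$1" )
}

# Print the resolved binary path and succeed only if its --help text lists
# every option the attach command depends on.
# Assumption: the build prints its supported long options in --help.
preflight() {           # $1 = qemu-nbd binary (name or path)
    bin=$(command -v "$1") || { echo "not found: $1" >&2; return 2; }
    help=$("$bin" --help 2>&1)
    for opt in --object --image-opts; do
        case "$help" in
            *"$opt"*) ;;
            *) echo "$bin does not list $opt" >&2; return 1 ;;
        esac
    done
    echo "$bin"
}

# Attach a LUKS-encrypted qcow2 image to a host NBD device, using the
# command form quoted in the thread.
attach_luks_qcow2() {   # $1 = binary, $2 = image, $3 = secret file, $4 = device
    bin=$(preflight "$1") || return 1
    "$bin" --object "secret,id=sec0,file=$3,format=raw" \
           -c "$4" \
           --image-opts "driver=qcow2,file.filename=$2,encrypt.format=luks,encrypt.key-secret=sec0"
}

# Typical use, as root with the nbd kernel module loaded:
#   write_secret_file passwd.txt        # type the passphrase, then Enter
#   attach_luks_qcow2 qemu-nbd demo.qcow2 passwd.txt /dev/nbd0
```

If preflight names a binary outside the freshly built source tree, pass the path of the newly built qemu-nbd as the first argument instead.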

