Re: Using LUKS format to connect to an encrypted iscsi volume with libiscsi

[Jakob Bohm]

On 2021-10-06 20:52, Will Gorman wrote:
> I'm attempting to use qemu-kvm (qemu-kvm-ev-2.12.0-44.1.el7_8.1) to 
> run a VM that will be able to use an iscsi volume that has been 
> encrypted with LUKS.  Below are the qemu command line arguments 
> related to this volume:
>
> -object secret,id=scsi1-0-0-1-luks-secret0,file=/root/qemuluks.key \
> -drive 
> file.driver=iscsi,file.portal=$TARGET_IP:3260,file.target=$TARGET_IQN,file.lun=0,file.transport=tcp,file.initiator-name=iqn.1994-05.com.redhat:host1,key-secret=sec0,format=luks,if=none,id=drive-scsi1-0-0-1 
> \
> -device 
> scsi-block,bus=scsi1.0,channel=0,scsi-id=0,lun=1,drive=drive-scsi1-0-0-1,id=scsi1-0-0-1 
> \
I think (from the horribly incomplete documentation) that the built-in 
qemu LUKS encryption is ONLY for qcow2 disk image files, not for any 
kind of "raw" disk, even if remote over iSCSI.
> When running the VM with qemu-kvm, I get the following error:
>
> 2021-09-22T20:26:04.975007Z qemu-kvm: -device 
> scsi-block,bus=scsi1.0,channel=0,scsi-id=0,lun=1,drive=drive-scsi1-0-0-1,id=scsi1-0-0-1: 
> cannot get SG_IO version number: Operation not supported
> Is this a SCSI device?
>
> I think that it is at least using the key since if I intentionally 
> provide an incorrect value for the key I get a different error about 
> "Invalid password, cannot unlock any keyslot" but it gets further with 
> the correct key.  Is it supported to use LUKS with the iscsi driver 
> and libiscsi?  If so, are there any other configuration options I 
> should be considering?
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded