qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] qemu-img create encryption


From: Hamilton, Peter A.
Subject: Re: [Qemu-devel] qemu-img create encryption
Date: Thu, 27 Jun 2013 08:05:38 -0400

> It also means you can't change the password of an existing image - you have 
> to create a new image with a new password & re-encrypt the data.

Following up on this point, since "qemu-img create" cannot be used to specify 
a password, is "qemu-img convert" the only command that can be used to provide 
one? Furthermore, since "convert" conducts a full copy of the source image, 
does this mean that it is not possible to have an encrypted CoW image with an 
encrypted backing file, where each is encrypted with a different password? The 
tests I have conducted up to this point seem to indicate that this is true.

Thanks,
Peter



-----Original Message-----
From: Daniel P. Berrange [mailto:address@hidden
Sent: Thursday, June 27, 2013 5:36 AM
To: Hamilton, Peter A.
Cc: address@hidden
Subject: Re: [Qemu-devel] qemu-img create encryption

On Wed, Jun 26, 2013 at 02:52:51PM -0400, Hamilton, Peter A. wrote:
> I've been doing some work with qemu-img and encrypted qcow2 images and
> have noticed that "qemu-img create" does not prompt for a password to
> encrypt new images, defaulting (from the documentation I've read) to
> the empty string as a password. Why does "qemu-img create" work this way?
>
> I haven't been able to find any good, authoritative sources on this
> topic, so if anyone knows of good documentation or rationale, please let me 
> know.

The qcow2 encryption format is very simple. The password you provide is 
directly used to encrypt the data blocks. There is level on indirection as you 
have with, say LUKS, whereby the user password is used to encrypt a separate 
key in the file header. As such there is no need for the qcow2 encryption key 
to be known when creating a file, only when reading/writing data blocks.

Using the password directly as the encryption key makes the qcow2 data 
encryption very vulnerable to weak passwords. It also means you can't change 
the password of an existing image - you have to create a new image with a new 
password & re-encrypt the data. LUKS is a much stronger crypto design that 
qcow2's built-in encryption. I'd like to see qemu gain a block driver that 
could natively support the LUKS data format as a strong replacement for 
qcow2's encryption approach, but there's no work in this area.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Attachment: smime.p7s
Description: S/MIME cryptographic signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]