Re: [Qemu-devel] QCOW2 cryptography and secure key handling

[Daniel P. Berrange]

On Tue, Jul 23, 2013 at 02:47:06PM +0200, Benoît Canet wrote:
> 
> Hi,
> 
> I have some budget to improve QCOW2's cryptography.
> 
> My main concern is that the QCOW2 image crypto key is passed in clear text.

That is only a problem if someone can sniff the communications channel
used by the monitor socket between QEMU & the management application.
IOW, this is only a problem if someone has configured QEMU to listen on
a TCP / UDP socket for monitor traffic. If they had done this, it would
be considered an insecure configuration regardless of whether qcow2
encryption is used or not. So I don't think there's any problem which
needs solving from the POV of clear text keys over the monitor, besides
to document that you should configure QEMU such that its monitor is
only accessible to the app managing it. eg use a UNIX domain socket
for configuration.

> Do you (the block maintainers) have an idea on how the code could be improved
> to securely pass the crypto key to the QCOW2 code ?

More generally, QCow2's current encryption support is woefully inadequate
from a design POV. If we wanted better encryption built-in to QEMU it is
best to just deprecate the current encryption support and define a new
qcow2 extension based around something like the LUKS data format. Using
the LUKS data format precisely would be good from a data portability
POV, since then you can easily switch your images between LUKS encrypted
block device & qcow2-with-luks image file, without needing to re-encrypt
the data.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|