[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 1/8] Describe flaws in qcow/qcow2 encryption in the d
|
From: |
Stefan Hajnoczi |
|
Subject: |
[Qemu-devel] [PULL 1/8] Describe flaws in qcow/qcow2 encryption in the docs |
|
Date: |
Fri, 31 Jan 2014 22:19:42 +0100 |
From: "Daniel P. Berrange" <address@hidden>
The qemu-img.texi / qemu-doc.texi files currently describe the
qcow2/qcow2 encryption thus
"Encryption uses the AES format which is very secure (128 bit
keys). Use a long password (16 characters) to get maximum
protection."
While AES is indeed a strong encryption system, the way that
QCow/QCow2 use it results in a poor/weak encryption system.
Due to the use of predictable IVs, based on the sector number
extended to 128 bits, it is vulnerable to chosen plaintext
attacks which can reveal the existence of encrypted data.
The direct use of the user passphrase as the encryption key
also leads to an inability to change the passphrase of an
image. If passphrase is ever compromised the image data will
all be vulnerable, since it cannot be re-encrypted. The admin
has to clone the image files with a new passphrase and then
use a program like shred to secure erase all the old files.
Recommend against any use of QCow/QCow2 encryption, directing
users to dm-crypt / LUKS which can meet modern cryptography
best practices.
[Changed "Qcow" to "qcow" for consistency.
--Stefan]
Signed-off-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
qemu-doc.texi | 23 ++++++++++++++++++++---
qemu-img.texi | 23 ++++++++++++++++++++---
2 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/qemu-doc.texi b/qemu-doc.texi
index ce61f30..ad31f2d 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -547,10 +547,27 @@ File name of a base image (see @option{create} subcommand)
@item backing_fmt
Image format of the base image
@item encryption
-If this option is set to @code{on}, the image is encrypted.
+If this option is set to @code{on}, the image is encrypted with 128-bit
AES-CBC.
+
+The use of encryption in qcow and qcow2 images is considered to be flawed by
+modern cryptography standards, suffering from a number of design problems:
+
address@hidden @minus
address@hidden The AES-CBC cipher is used with predictable initialization
vectors based
+on the sector number. This makes it vulnerable to chosen plaintext attacks
+which can reveal the existence of encrypted data.
address@hidden The user passphrase is directly used as the encryption key. A
poorly
+chosen or short passphrase will compromise the security of the encryption.
address@hidden In the event of the passphrase being compromised there is no way
to
+change the passphrase to protect data in any qcow images. The files must
+be cloned, using a different encryption passphrase in the new file. The
+original file must then be securely erased using a program like shred,
+though even this is ineffective with many modern storage technologies.
address@hidden itemize
-Encryption uses the AES format which is very secure (128 bit keys). Use
-a long password (16 characters) to get maximum protection.
+Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
+recommended to use an alternative encryption technology such as the
+Linux dm-crypt / LUKS system.
@item cluster_size
Changes the qcow2 cluster size (must be between 512 and 2M). Smaller cluster
diff --git a/qemu-img.texi b/qemu-img.texi
index 526d56a..f84590e 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -409,10 +409,27 @@ File name of a base image (see @option{create} subcommand)
@item backing_fmt
Image format of the base image
@item encryption
-If this option is set to @code{on}, the image is encrypted.
+If this option is set to @code{on}, the image is encrypted with 128-bit
AES-CBC.
-Encryption uses the AES format which is very secure (128 bit keys). Use
-a long password (16 characters) to get maximum protection.
+The use of encryption in qcow and qcow2 images is considered to be flawed by
+modern cryptography standards, suffering from a number of design problems:
+
address@hidden @minus
address@hidden The AES-CBC cipher is used with predictable initialization
vectors based
+on the sector number. This makes it vulnerable to chosen plaintext attacks
+which can reveal the existence of encrypted data.
address@hidden The user passphrase is directly used as the encryption key. A
poorly
+chosen or short passphrase will compromise the security of the encryption.
address@hidden In the event of the passphrase being compromised there is no way
to
+change the passphrase to protect data in any qcow images. The files must
+be cloned, using a different encryption passphrase in the new file. The
+original file must then be securely erased using a program like shred,
+though even this is ineffective with many modern storage technologies.
address@hidden itemize
+
+Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
+recommended to use an alternative encryption technology such as the
+Linux dm-crypt / LUKS system.
@item cluster_size
Changes the qcow2 cluster size (must be between 512 and 2M). Smaller cluster
--
1.8.5.3
- [Qemu-devel] [PULL 0/8] Block patches, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 1/8] Describe flaws in qcow/qcow2 encryption in the docs,
Stefan Hajnoczi <=
- [Qemu-devel] [PULL 3/8] block: remove qcow2 .bdrv_make_empty implementation, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 4/8] block/vmdk: add basic .bdrv_check support, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 5/8] qemu-iotests: Drop assert_no_active_commit in case 040, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 2/8] block: remove QED .bdrv_make_empty implementation, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 8/8] qemu-iotests: only run 071 on qcow2, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 6/8] block/vhdx: Error checking fixes, Stefan Hajnoczi, 2014/01/31
- [Qemu-devel] [PULL 7/8] dataplane: Comment fix, Stefan Hajnoczi, 2014/01/31