[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] Adding dmcrypt to QEMU block drivers
From: |
Hamilton, Peter A. |
Subject: |
[Qemu-devel] Adding dmcrypt to QEMU block drivers |
Date: |
Mon, 17 Mar 2014 20:48:08 -0400 |
Hi qemu-devel,
I am a member of a development team based out of the Johns Hopkins University
Applied Physics Laboratory. Over the past year and a half, we've been working
with the OpenStack community on several security features for their Compute and
Block Storage services that leverage encrypted data storage. One of these
features, ephemeral storage encryption for qcow2-based virtual machines, would
leverage the encryption functionality built into the qcow2 file format.
However, there are significant issues with the security and implementation of
the qcow2 encryption feature that preclude us from using it in OpenStack. For
example, there is no support for the following security features: rekeying of
encrypted images, key stretching, and cipher configurability.
After discussing some of these details with Daniel Berrange, we are interested
in working with you to add and improve the encryption support offered by QEMU.
In the past, Daniel has advocated the full adaptation of the LUKS file format
used by dmcrypt, which we currently use in OpenStack. Our proposal would focus
on adding a dmcrypt-style encryption layer above the QEMU block driver layer,
which would transparently encrypt and decrypt all data written to or read from
the underlying block device. This would provide encryption support for all
backends and file formats supported by QEMU that leverage block drivers. Such
support in QEMU provides significantly improved security and renders the
existing encryption scheme provided by qcow2 obsolete.
My intent at the moment is to get a feel for your thoughts and concerns about
this proposal and to determine who is currently working on QEMU security
features or would be interested in working with us on this feature. I've found
past discussions in the QEMU community addressing these encryption concerns but
am unaware at the moment what the status is for those development efforts. I'd
be happy to provide additional information about our past and current work on
OpenStack security if anyone is interested.
Selected References:
OpenStack contributions
- our blueprint for encrypted block storage -
https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes
- our blueprint for encrypted ephemeral storage -
https://blueprints.launchpad.net/nova/+spec/encrypt-ephemeral-storage
QEMU security discussions
- proposals for improving QEMU encryption -
https://lists.gnu.org/archive/html/qemu-devel/2013-07/msg03904.html
- prior discussion between myself and Daniel Berrange on encryption -
http://lists.gnu.org/archive/html/qemu-devel/2013-06/msg04869.html
- patch describing qcow2 encryption issues -
https://lists.gnu.org/archive/html/qemu-devel/2014-01/msg02802.html
Thanks for your time,
Peter Hamilton
- [Qemu-devel] Adding dmcrypt to QEMU block drivers,
Hamilton, Peter A. <=