Re: [Qemu-devel] Can I mount encrypt qcow2?


From: 陳培泓
Subject: Re: [Qemu-devel] Can I mount encrypt qcow2?
Date: Thu, 20 Jul 2017 17:07:49 +0800

Oh, I didn't know it could expose the LUKS encryption. I'm sure the older (AES)
one can't be mounted by qemu-nbd.

If I encrypt by the command you recommended:

> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0


Suppose the encrypted file is called disk_encry.qcow2.
Can I mount disk_encry.qcow2 with this command?

> qemu-nbd -c /dev/nbd0 disk_encry.qcow2




2017-07-20 16:59 GMT+08:00 Daniel P. Berrange <address@hidden>:

> On Thu, Jul 20, 2017 at 10:43:53AM +0800, 陳培泓 wrote:
> > Can I mount encrypt qcow2 file through qemu-nbd?
>
> What encryption format are you referring to? The old AES encrypt, or the
> new LUKS encrypt? The latter is the only one people should be using, and
> you can expose it with
>
>    qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>             --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> Note that the 'passwd.txt' file must *not* contain a newline, e.g. create it
> with 'echo -n 123456 > passwd.txt' - the -n flag omits the newline.
>
> You should only do decryption in qemu-nbd if you are trying to interoperate
> with non-QEMU tools. If you are exposing the NBD volume to a QEMU system
> emulator, you should make the NBD server expose the file as raw, and let
> the QEMU client do the decryption instead, so data over the NBD socket
> is still secure.
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>
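
The newline requirement on 'passwd.txt' in the quoted reply can be checked before the file is handed to qemu-nbd. The shell functions below are an added example, not part of the original thread or of QEMU; the names write_secret and check_secret, the return codes and the owner-only permission check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): create and validate the key file that
# qemu-nbd reads via --object secret,id=sec0,file=passwd.txt,format=raw.
# With format=raw every byte of the file is key material, so a trailing
# newline silently becomes part of the passphrase.

# write_secret FILE PASSPHRASE
# Writes the passphrase with no trailing newline. printf is used because the
# behaviour of 'echo -n' differs between shells. umask 077 makes a newly
# created file readable by its owner only.
write_secret() {
    (
        umask 077
        printf '%s' "$2" > "$1"
    )
}

# check_secret FILE
# Returns 0 if the file is usable as a raw secret,
#         1 if it is missing or empty,
#         2 if its last byte is LF or CR,
#         3 if group or others have any permission on it.
check_secret() {
    [ -s "$1" ] || return 1

    # Hex value of the final byte, e.g. "0a" for a newline.
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d) return 2 ;;
    esac

    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] || return 3
    return 0
}
```

A file written with plain 'echo 123456 > passwd.txt' makes check_secret return 2, which is the case the reply warns about.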

