Re: [Qemu-devel] Can I mount encrypt qcow2?

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Can I mount encrypt qcow2?

From:	Daniel P. Berrange
Subject:	Re: [Qemu-devel] Can I mount encrypt qcow2?
Date:	Thu, 20 Jul 2017 10:12:24 +0100
User-agent:	Mutt/1.8.3 (2017-05-23)

On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES)
> can't be mounted by qemu-nbd.

It can be mounted, with current git master (all the commands I show
below are for git master btw).

You should, however, *never* use the old AES format any more. It is
broken by design and not considered secure.

> If I encrypt by the command you recommended:
> 
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >              --image-opts driver=qcow2,file.filename=
> > demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

This *is* exposing the encrypted file -  not creating it. If you
want to connect to a host nbd device then you use the command
above, with the -c arg

$ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
           -c /dev/nbd0 \
           --image-opts 
driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0


If you have a legacy AES qcow2 file the syntax is very similar

$ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
           -c /dev/nbd0 \
           --image-opts 
driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0

Note we just changed the encrypt.format parameter there.


To actually create an encrypted file in the first place you need the
qemu-img command

$ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
           -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
           demo.qcow2 1G
  

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] Can I mount encrypt qcow2?, 陳培泓, 2017/07/19
- Re: [Qemu-devel] Can I mount encrypt qcow2?, Daniel P. Berrange, 2017/07/20
  - Re: [Qemu-devel] Can I mount encrypt qcow2?, 陳培泓, 2017/07/20
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Daniel P. Berrange <=
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, 陳培泓, 2017/07/20
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Daniel P. Berrange, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, 陳培泓, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Daniel P. Berrange, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, 陳培泓, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Eric Blake, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Eric Blake, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Daniel P. Berrange, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, Eric Blake, 2017/07/21
    - Re: [Qemu-devel] Can I mount encrypt qcow2?, 陳培泓, 2017/07/23

Prev by Date: Re: [Qemu-devel] Can I mount encrypt qcow2?
Next by Date: [Qemu-devel] [PATCH v3 0/3] scripts/qemu.py small fixes
Previous by thread: Re: [Qemu-devel] Can I mount encrypt qcow2?
Next by thread: Re: [Qemu-devel] Can I mount encrypt qcow2?
Index(es):
- Date
- Thread