Re: [Qemu-block] [PATCH v1 00/15] Convert QCow[2] to QCryptoBlock & add
From: Max Reitz
Subject: Re: [Qemu-block] [PATCH v1 00/15] Convert QCow[2] to QCryptoBlock & add LUKS support
Date: Wed, 25 Jan 2017 16:58:32 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0

On 03.01.2017 19:27, Daniel P. Berrange wrote:
> This series is a continuation of previous work to support LUKS in
> QEMU. The existing merged code supports LUKS as a standalone
> driver which can be layered over/under any other QEMU block device
> driver. This works well when using LUKS over protocol drivers (file,
> rbd, iscsi, etc, etc), but has some downsides when combined with
> format drivers like qcow2.
When trying out whether compressed images are actually encrypted (which
they are not, as I wrote in my last reply to patch 12), I noticed that
the user interface still has some flaws:
One is that you actually can't convert to encrypted images any more, or
if you can, it doesn't seem obvious to me:

    $ ./qemu-img convert -O qcow2 --object secret,id=sec0,data=12345 \
        -o encryption-format=luks,luks-key-secret=sec0 \
        foo.qcow2 bar.qcow2
    qemu-img: Could not open 'bar.qcow2': Parameter 'key-secret' is required for cipher

The issue is that you have to specify the key secret as a runtime
parameter in addition to the creation option. Not only is that a bit
cumbersome, but it's also impossible because --image-opts doesn't work
for the output image.
The second flaw is also visible above: The parameter is called
"luks-key-secret" here, not just "key-secret". The error message should
reflect that.
Max
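
An added example, not part of the original message or of QEMU: a Python check for the case mentioned above, an image whose header declares encryption while some clusters are stored compressed. It assumes the header layout and `crypt_method` values (0 none, 1 AES, 2 LUKS) of the qcow2 specification and plain 8-byte L2 entries; `audit_qcow2` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
CRYPT = {0: "none", 1: "aes", 2: "luks"}  # crypt_method header values (assumed from the spec)
L1_OFFSET_MASK = 0x00FFFFFFFFFFFE00       # bits 9-55 of an L1 entry: L2 table offset
COMPRESSED = 1 << 62                      # bit 62 of an L2 entry: compressed cluster

def audit_qcow2(img: bytes) -> dict:
    """Return the declared encryption method and the number of compressed clusters."""
    if len(img) < 48 or img[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    version = struct.unpack_from(">I", img, 4)[0]
    cluster_bits = struct.unpack_from(">I", img, 20)[0]
    crypt, l1_size, l1_off = struct.unpack_from(">IIQ", img, 32)
    if version not in (2, 3) or not 9 <= cluster_bits <= 21:
        raise ValueError("unsupported qcow2 header")
    l2_bytes = 1 << cluster_bits          # one L2 table fills one cluster
    compressed = 0
    for i in range(l1_size):
        pos = l1_off + 8 * i
        if pos + 8 > len(img):
            raise ValueError("L1 table runs past end of image")
        l2_off = struct.unpack_from(">Q", img, pos)[0] & L1_OFFSET_MASK
        if l2_off == 0:                   # unallocated L2 table
            continue
        if l2_off + l2_bytes > len(img):
            raise ValueError("L2 table runs past end of image")
        for (entry,) in struct.iter_unpack(">Q", img[l2_off:l2_off + l2_bytes]):
            compressed += bool(entry & COMPRESSED)
    # Flag images that declare encryption yet hold compressed clusters, the
    # combination the message reports as stored unencrypted in this series.
    return {"crypt_method": CRYPT.get(crypt, f"unknown({crypt})"),
            "compressed_clusters": compressed,
            "needs_review": crypt != 0 and compressed > 0}

def build_sample(crypt: int, compressed: bool) -> bytes:
    """Constructed image with 512-byte clusters: header, L1 table, L2 table."""
    size = 512
    hdr = struct.pack(">4sIQIIQIIQ", QCOW_MAGIC, 2, 0, 0, 9, size, crypt, 1, size)
    l1 = struct.pack(">Q", 2 * size)      # single L1 entry pointing at cluster 2
    l2 = struct.pack(">Q", (COMPRESSED | 0x600) if compressed else 0)
    return b"".join(part.ljust(size, b"\0") for part in (hdr, l1, l2))

if __name__ == "__main__":
    print(audit_qcow2(build_sample(crypt=2, compressed=True)))
```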