Re: [PATCH 02/13] qcrypto-luks: implement encryption key management
From: Daniel P . Berrangé
Subject: Re: [PATCH 02/13] qcrypto-luks: implement encryption key management
Date: Wed, 5 Feb 2020 10:23:03 +0000
User-agent: Mutt/1.13.3 (2020-01-12)
On Wed, Feb 05, 2020 at 10:30:11AM +0100, Kevin Wolf wrote:
> Am 05.02.2020 um 09:24 hat Markus Armbruster geschrieben:
> > Daniel, Kevin, any comments or objections to the QAPI schema design
> > sketch developed below?
> >
> > For your convenience, here's the result again:
> >
> > { 'enum': 'LUKSKeyslotState',
> >   'data': [ 'active', 'inactive' ] }
> > { 'struct': 'LUKSKeyslotActive',
> >   'data': { 'secret': 'str',
> >             '*iter-time': 'int' } }
> > { 'union': 'LUKSKeyslotAmend',
> >   'base': { '*keyslot': 'int',
> >             'state': 'LUKSKeyslotState' },
> >   'discriminator': 'state',
> >   'data': { 'active': 'LUKSKeyslotActive' } }
We need 'secret' in the 'inactive' case too
>
> I think one of the requirements was that you can specify the keyslot not
> only by using its number, but also by specifying the old secret. Trivial
> extension, you just get another optional field that can be specified
> instead of 'keyslot'.
>
> Resulting commands:
>
> Adding a key:
> qemu-img amend -o encrypt.keys.0.state=active,encrypt.keys.0.secret=sec0
> test.qcow2
>
> Deleting a key:
> qemu-img amend -o encrypt.keys.0.state=inactive,encrypt.keys.0.keyslot=2
> test.qcow2
I think this is good as a design.
Expanding the examples to cover all scenarios we've discussed:

- Activating a new keyslot, auto-picking slot

    qemu-img amend -o encrypt.keys.0.state=active,\
                      encrypt.keys.0.secret=sec0 \
                   test.qcow2

  Must raise an error if no free slots

- Activating a new keyslot, picking a specific slot

    qemu-img amend -o encrypt.keys.0.state=active,\
                      encrypt.keys.0.secret=sec0,\
                      encrypt.keys.0.keyslot=3 \
                   test.qcow2

  Must raise an error if slot is already active

- Deactivating an old keyslot, auto-picking slot(s) from existing password

    qemu-img amend -o encrypt.keys.0.state=inactive,\
                      encrypt.keys.0.secret=sec0 \
                   test.qcow2

  Must raise an error if this would leave zero keyslots
  after processing.

- Deactivating an old keyslot, picking a specific slot

    qemu-img amend -o encrypt.keys.0.state=inactive,\
                      encrypt.keys.0.keyslot=2 \
                   test.qcow2

  Always succeeds even if zero keyslots left.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
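The four scenarios enumerated in the mail above, with their error rules, as a toy model in Python. This is an added example written for this archive page, not code from QEMU or from the patch series under discussion: it parses the `encrypt.keys.N.*` option string shown in the commands, applies each entry to an in-memory keyslot table, and raises on exactly the conditions the mail calls out (no free slot, slot already active, deactivation by secret that would leave zero active slots), while deactivation by explicit slot number always succeeds. The eight-slot table, the string comparison standing in for unlocking a slot with a password, and the `secret` value being used directly rather than as the ID of a QEMU secret object are all simplifying assumptions of this model.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

NUM_SLOTS = 8  # assumption of this toy model: a LUKS1-style table of 8 keyslots


@dataclass
class Keyslot:
    active: bool = False
    secret: Optional[str] = None  # stand-in for the password that unlocks this slot


@dataclass
class LuksHeader:
    slots: list = field(default_factory=lambda: [Keyslot() for _ in range(NUM_SLOTS)])

    def active_slots(self) -> list:
        return [i for i, s in enumerate(self.slots) if s.active]


# Option keys of the form encrypt.keys.<N>.<field>, as used in the qemu-img examples
_OPT_RE = re.compile(r"^encrypt\.keys\.(\d+)\.(state|secret|keyslot)$")


def parse_amend_opts(opts: str) -> list:
    """Group 'encrypt.keys.N.<field>=value' pairs by N and return them in N order."""
    entries = {}
    for pair in opts.split(","):
        key, sep, value = pair.partition("=")
        m = _OPT_RE.match(key.strip())
        if not sep or not m:
            raise ValueError(f"unrecognised option {pair!r}")
        idx, fld = int(m.group(1)), m.group(2)
        entries.setdefault(idx, {})[fld] = int(value) if fld == "keyslot" else value
    return [entries[i] for i in sorted(entries)]


def amend_keyslot(hdr: LuksHeader, state, secret=None, keyslot=None) -> list:
    """Apply one LUKSKeyslotAmend entry; return the slot indices that changed."""
    if state == "active":
        if secret is None:
            raise ValueError("activating a keyslot requires 'secret'")
        if keyslot is None:
            # auto-pick: first free slot, error if none is free
            free = [i for i, s in enumerate(hdr.slots) if not s.active]
            if not free:
                raise ValueError("no free keyslot")
            keyslot = free[0]
        elif hdr.slots[keyslot].active:
            raise ValueError(f"keyslot {keyslot} is already active")
        hdr.slots[keyslot] = Keyslot(active=True, secret=secret)
        return [keyslot]
    if state == "inactive":
        if keyslot is not None:
            # explicit slot: always succeeds, even if no active slot remains
            hdr.slots[keyslot] = Keyslot()
            return [keyslot]
        if secret is None:
            raise ValueError("deactivating requires 'keyslot' or 'secret'")
        # auto-pick: every active slot that the given secret unlocks (string match here)
        matching = [i for i in hdr.active_slots() if hdr.slots[i].secret == secret]
        if not matching:
            raise ValueError("no active keyslot matches the given secret")
        if len(hdr.active_slots()) - len(matching) == 0:
            raise ValueError("would leave zero active keyslots")
        for i in matching:
            hdr.slots[i] = Keyslot()
        return matching
    raise ValueError(f"unknown keyslot state {state!r}")


def apply_amend(hdr: LuksHeader, opts: str) -> list:
    """Apply every encrypt.keys.N entry of an '-o' option string; return touched slots."""
    touched = []
    for entry in parse_amend_opts(opts):
        if "state" not in entry:
            raise ValueError("each encrypt.keys.N entry needs 'state'")
        touched += amend_keyslot(hdr, entry["state"], entry.get("secret"), entry.get("keyslot"))
    return touched


if __name__ == "__main__":
    hdr = LuksHeader()
    print(apply_amend(hdr, "encrypt.keys.0.state=active,encrypt.keys.0.secret=sec0"))
    print(apply_amend(hdr, "encrypt.keys.0.state=inactive,encrypt.keys.0.keyslot=0"))
    print(hdr.active_slots())
```

The model keeps the asymmetry the mail describes: deactivating by password refuses to strip the last usable slot, because the caller has demonstrated knowledge of a key and presumably still wants an openable image, whereas deactivating by slot number is treated as a deliberate, unguarded operation.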