[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] Volume key in qcow3?
From: |
Kevin Wolf |
Subject: |
Re: [Qemu-devel] Volume key in qcow3? |
Date: |
Thu, 28 Jul 2011 16:21:13 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110707 Thunderbird/5.0 |
Am 28.07.2011 10:05, schrieb Frediano Ziglio:
> Hi,
> I noted that AES encryption using qcow2 just use the password given
> as as key (and also truncating it to 16 bytes == 128 bits).
> This is prone to brute force attacks and is not also easy to change
> password (you have to decrypt and encrypt again the entire image).
> LUKS and EncFS use another way. They generate a random key (the
> "volume key") then use the password you give to encrypt N times (where
> N is decided by security level or automatically based on time to
> decrypt the volume key. To change the password just give the old one,
> get the volume key and encrypt again using the new one. LUKS support
> also multiple "slots" to allow multiple password and even using an
> external key file.
> Obviously this require an additional extension to qcow2 so I think it
> require a new qcow3 format.
Yes, once we have qcow3, adding things like this should be easy enough.
I think the idea makes sense.
Another thing to consider with encryption is that we don't encrypt
metadata currently. I'm not entirely sure if this is a good or a bad
thing. Metadata is relatively predictable and I think that might hurt
the encryption? Though I'm really not an expert in this area.
Kevin