[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v8 09/20] qcow: convert QCow to use QCryptoBlock
|
From: |
Daniel P. Berrange |
|
Subject: |
Re: [Qemu-devel] [PATCH v8 09/20] qcow: convert QCow to use QCryptoBlock for encryption |
|
Date: |
Mon, 19 Jun 2017 14:58:57 +0100 |
|
User-agent: |
Mutt/1.8.0 (2017-02-23) |
On Wed, Jun 07, 2017 at 06:55:39PM +0200, Max Reitz wrote:
> On 2017-06-01 19:27, Daniel P. Berrange wrote:
> > This converts the qcow driver to make use of the QCryptoBlock
> > APIs for encrypting image content. This is only wired up to
> > permit use of the legacy QCow encryption format. Users who wish
> > to have the strong LUKS format should switch to qcow2 instead.
> >
> > With this change it is now required to use the QCryptoSecret
> > object for providing passwords, instead of the current block
> > password APIs / interactive prompting.
> >
>
> Beware, nit picks incoming:
>
> > $QEMU \
> > -object secret,id=sec0,filename=/home/berrange/encrypted.pw \>
> > -drive file=/home/berrange/encrypted.qcow,encrypt.format=qcow,\
>
> encrypt.format should be "aes".
>
> > encrypt.key-secret=sec0
>
> This doesn't work at all, though, because:
>
> Use of AES-CBC encrypted qcow images is no longer supported in system
> emulators
> You can use 'qemu-img convert' to convert your image to an alternative
> supported format, such as unencrypted qcow, or raw with the LUKS format
> instead.
Good point. I'll leave this example here, since it is
useful to illustrate the overall syntax approach, but
I'll add a note that this example won't let you run
the VM
> > Likewise when creating images with the legacy AES-CBC format
> >
> > qemu-img create -f qcow \
> > -object secret,id=sec0,filename=/home/berrange/encrypted.pw \
>
> Should be --object.
Yep
>
> > -o encrypt.format=aes,encrypt.key-secret=sec0 \
> > /home/berrange/encrypted.qcow
>
> There should be a size here to make it work.
Ok
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v8 03/20] qcow: document another weakness of qcow AES encryption, (continued)
- [Qemu-devel] [PATCH v8 03/20] qcow: document another weakness of qcow AES encryption, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 04/20] qcow: require image size to be > 1 for new images, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 05/20] iotests: skip 042 with qcow which dosn't support zero sized images, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 06/20] iotests: skip 048 with qcow which doesn't support resize, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 08/20] qcow: make encrypt_sectors encrypt in place, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 07/20] block: deprecate "encryption=on" in favor of "encrypt.format=aes", Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 09/20] qcow: convert QCow to use QCryptoBlock for encryption, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 10/20] qcow2: make qcow2_encrypt_sectors encrypt in place, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 12/20] qcow2: extend specification to cover LUKS encryption, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 11/20] qcow2: convert QCow2 to use QCryptoBlock for encryption, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 15/20] iotests: enable tests 134 and 158 to work with qcow (v1), Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 14/20] qcow2: add iotests to cover LUKS encryption support, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 13/20] qcow2: add support for LUKS encryption format, Daniel P. Berrange, 2017/06/01
- [Qemu-devel] [PATCH v8 16/20] block: rip out all traces of password prompting, Daniel P. Berrange, 2017/06/01