See the
<a href="formatstorageencryption.html">Storage Encryption</a>
page for more information.
+ <p/>
+ Note that the 'qcow' format of encryption is broken and thus is no
+ longer supported for use with disk images.
+ (<span class="since">Since libvirt 4.5.0</span>)
</dd>
<dt><code>reservations</code></dt>
<dd><span class="since">Since libvirt 4.4.0</span>, the
The <code>qcow</code> format specifies that the built-in encryption
support in <code>qcow</code>- or <code>qcow2</code>-formatted volume
images should be used. A single
- <code><secret type='passphrase'></code> element is expected. If
- the <code>secret</code> element is not present during volume creation,
- a secret is automatically generated and attached to the volume.
+ <code><secret type='passphrase'></code> element is expected. Note
+ that this encryption is inherently broken and should not be used any more.
</p>
<h3><a id="StorageEncryptionLuks">"luks" format</a></h3>
<p>
return -1;
}
+ if ((src->format == VIR_STORAGE_FILE_QCOW ||
+ src->format == VIR_STORAGE_FILE_QCOW2) &&
+ src->encryption &&
+ (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT ||
+ src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_QCOW)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("old qcow/qcow2 encryption is not supported"));
+ return -1;
+ }
+
if (src->format == VIR_STORAGE_FILE_QCOW2 &&
src->encryption &&
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
/usr/bin/qemu-system-i686 \
-name encryptdisk \
-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
-machine pc,accel=tcg,usb=off,dump-guest-core=off \
-m 1024 \
-smp 1,sockets=1,cores=1,threads=1 \
-no-acpi \
-boot c \
-usb \
--drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\
+-object secret,id=virtio-disk0-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
+encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0 \
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk'/>
<target dev='vda' bus='virtio'/>
- <encryption format='qcow'>
+ <encryption format='luks'>
<secret type='passphrase' usage='/storage/guest_disks/encryptdisk'/>
</encryption>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
/usr/bin/qemu-system-i686 \
-name encryptdisk \
-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
-machine pc,accel=tcg,usb=off,dump-guest-core=off \
-m 1024 \
-smp 1,sockets=1,cores=1,threads=1 \
-no-acpi \
-boot c \
-usb \
--drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\
+-object secret,id=virtio-disk0-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
+encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0 \
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk'/>
<target dev='vda' bus='virtio'/>
- <encryption format='qcow'>
+ <encryption format='luks'>
<secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
DO_TEST("cpu-tsc-frequency", QEMU_CAPS_KVM);
qemuTestSetHostCPU(driver.caps, NULL);
- DO_TEST("encrypted-disk", NONE);
- DO_TEST("encrypted-disk-usage", NONE);
+ DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET);
+ DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET);
# ifdef WITH_GNUTLS
DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET);
DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET);
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk'/>
<target dev='vda' bus='virtio'/>
- <encryption format='qcow'>
+ <encryption format='luks'>
<secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
DO_TEST("pci-rom-disabled-invalid", NONE);
DO_TEST("pci-serial-dev-chardev", NONE);
- DO_TEST("encrypted-disk", NONE);
- DO_TEST("encrypted-disk-usage", NONE);
+ DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS);
+ DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS);
DO_TEST("luks-disks", NONE);
DO_TEST("luks-disks-source", NONE);
DO_TEST("memtune", NONE);
projects / libvirt.git / commitdiff