> It also means you can't change the password of an existing image - you have > to create a new image with a new password & re-encrypt the data.
Following up on this point, since "qemu-img create" cannot be used to specify a password, is "qemu-img convert" the only command that can be used to provide one? Furthermore, since "convert" conducts a full copy of the source image, does this mean that it is not possible to have an encrypted CoW image with an encrypted backing file, where each is encrypted with a different password? The tests I have conducted up to this point seem to indicate that this is true. Thanks, Peter -----Original Message----- From: Daniel P. Berrange [mailto:berra...@redhat.com] Sent: Thursday, June 27, 2013 5:36 AM To: Hamilton, Peter A. Cc: qemu-devel@nongnu.org Subject: Re: [Qemu-devel] qemu-img create encryption On Wed, Jun 26, 2013 at 02:52:51PM -0400, Hamilton, Peter A. wrote: > I've been doing some work with qemu-img and encrypted qcow2 images and > have noticed that "qemu-img create" does not prompt for a password to > encrypt new images, defaulting (from the documentation I've read) to > the empty string as a password. Why does "qemu-img create" work this way? > > I haven't been able to find any good, authoritative sources on this > topic, so if anyone knows of good documentation or rationale, please let me > know. The qcow2 encryption format is very simple. The password you provide is directly used to encrypt the data blocks. There is level on indirection as you have with, say LUKS, whereby the user password is used to encrypt a separate key in the file header. As such there is no need for the qcow2 encryption key to be known when creating a file, only when reading/writing data blocks. Using the password directly as the encryption key makes the qcow2 data encryption very vulnerable to weak passwords. It also means you can't change the password of an existing image - you have to create a new image with a new password & re-encrypt the data. LUKS is a much stronger crypto design that qcow2's built-in encryption. I'd like to see qemu gain a block driver that could natively support the LUKS data format as a strong replacement for qcow2's encryption approach, but there's no work in this area. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
smime.p7s
Description: S/MIME cryptographic signature
