"Daniel P. Berrange" <berra...@redhat.com> writes: > The qemu-img.texi / qemu-doc.texi files currently describe the > qcow2/qcow2 encryption thus > > "Encryption uses the AES format which is very secure (128 bit > keys). Use a long password (16 characters) to get maximum > protection." > > While AES is indeed a strong encryption system, the way that > QCow/QCow2 use it results in a poor/weak encryption system. > Due to the use of predictable IVs
Sector number zero-extended to 128 bits. > it is vulnerable to chosen > plaintext attacks which can reveal the existance of encrypted > data. > > The direct use of the user passphrase as the encryption key > also leads to an inability to change the passphrase of an > image. If passphrase is ever compromised the image data will > all be vulnerable, since it cannot be re-encrypted. The admin > has to clone the image files with a new passphrase and then > use a program like shred to secure erase all the old files. > > Recommend against any use of QCow/QCow2 encryption, directing > users to dm-crypt / LUKS which can meet modern cryptography > best practices. > > Signed-off-by: Daniel P. Berrange <berra...@redhat.com> Amateur crypto. Reviewed-by: Markus Armbruster <arm...@redhat.com>
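
The predictable-IV weakness discussed in this mail, as an added example that is not part of the original message or of QEMU's code: CBC with the sector number as IV lets known file content produce identical ciphertext in different sectors, while a key-dependent (ESSIV-style) IV does not. Assumptions: a toy Feistel cipher stands in for AES, the IV byte order is little-endian, and all names, keys and sector contents are constructed for the demonstration.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel over SHA-256: a stand-in for AES, which the stdlib lacks."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def plain_iv(key: bytes, sector: int) -> bytes:
    # Scheme from the mail: sector number zero-extended to 128 bits.
    # Little-endian byte order is an assumption of this example.
    return sector.to_bytes(16, "little")

def essiv_iv(key: bytes, sector: int) -> bytes:
    # ESSIV-style IV: encrypt the sector number under a key derived from the
    # volume key, so the IV cannot be computed without the key.
    salt = hashlib.sha256(key).digest()
    return toy_block_encrypt(salt, sector.to_bytes(16, "little"))

def encrypt_sector(key: bytes, sector: int, data: bytes, iv_fn) -> bytes:
    """CBC-encrypt one sector, chaining from the per-sector IV."""
    prev, out = iv_fn(key, sector), b""
    for i in range(0, len(data), 16):
        prev = toy_block_encrypt(key, xor(data[i:i + 16], prev))
        out += prev
    return out

def chosen_sector(sector: int, marker: bytes = b"M" * 16) -> bytes:
    # Constructed sample input: 512 bytes whose first block is the marker
    # XORed with the publicly computable plain IV for that sector.
    return xor(marker, plain_iv(b"", sector)) + bytes(496)

def ciphertexts_repeat(iv_fn, key: bytes = b"constructed demo key") -> bool:
    """True if two different sectors encrypt to identical ciphertext."""
    a = encrypt_sector(key, 5, chosen_sector(5), iv_fn)
    b = encrypt_sector(key, 9, chosen_sector(9), iv_fn)
    return a == b

if __name__ == "__main__":
    print("sector-number IV repeats:", ciphertexts_repeat(plain_iv))  # True
    print("ESSIV-style IV repeats:  ", ciphertexts_repeat(essiv_iv))  # False
```

The repeated ciphertext under `plain_iv` is visible to anyone who can read the image file without the key, which is the "reveal the existence of encrypted data" property the commit message warns about.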