On Wed, Jun 07, 2017 at 06:55:39PM +0200, Max Reitz wrote:
> On 2017-06-01 19:27, Daniel P. Berrange wrote:
> > This converts the qcow driver to make use of the QCryptoBlock
> > APIs for encrypting image content. This is only wired up to
> > permit use of the legacy QCow encryption format. Users who wish
> > to have the strong LUKS format should switch to qcow2 instead.
> >
> > With this change it is now required to use the QCryptoSecret
> > object for providing passwords, instead of the current block
> > password APIs / interactive prompting.
> >
>
> Beware, nit picks incoming:
>
> >   $QEMU \
> >     -object secret,id=sec0,filename=/home/berrange/encrypted.pw \
> >     -drive file=/home/berrange/encrypted.qcow,encrypt.format=qcow,\
>
> encrypt.format should be "aes".
>
> >            encrypt.key-secret=sec0
>
> This doesn't work at all, though, because:
>
> Use of AES-CBC encrypted qcow images is no longer supported in system
> emulators
> You can use 'qemu-img convert' to convert your image to an alternative
> supported format, such as unencrypted qcow, or raw with the LUKS format
> instead.

Good point. I'll leave this example here, since it is useful to illustrate
the overall syntax approach, but I'll add a note that this example won't
let you run the VM

> > Likewise when creating images with the legacy AES-CBC format
> >
> >   qemu-img create -f qcow \
> >     -object secret,id=sec0,filename=/home/berrange/encrypted.pw \
>
> Should be --object.

Yep

> >     -o encrypt.format=aes,encrypt.key-secret=sec0 \
> >     /home/berrange/encrypted.qcow
>
> There should be a size here to make it work.

Ok

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|