oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES) can't be mounted by qemu-nbd.
If I encrypt by the command you recommended: > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \ > --image-opts driver=qcow2,file.filename= > demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0 Supposed the encrypted file called disk_encry.qcow2 Can I mount disk_encry.qcow2 by the cmd? > qemu-nbd -c /dev/nbd0 disk_encry.qcow2 2017-07-20 16:59 GMT+08:00 Daniel P. Berrange <berra...@redhat.com>: > On Thu, Jul 20, 2017 at 10:43:53AM +0800, 陳培泓 wrote: > > Can I mount encrypt qcow2 file through qemu-nbd? > > What encryption format are you referring to ? The old AES encrypt, or the > new LUKS encrypt ? The latter is the only one people should be using, and > you can expose it with > > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \ > --image-opts driver=qcow2,file.filename= > demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0 > > Note that 'passwd.txt' file must *not* contain a newline. eg create it > with 'echo -n 123456 > passwd.txt' - the -n flag to omit the newline > > You should only do decrypt in qemu-nbd, if you are trying to interoperate > with non-QEMU tools. If you are exposing the NBD volume to a QEMU system > emulator, you should make the NBD server expose the file as raw, and let > the QEMU client do the decryption instead, so data over the NBD socket > is still secure. > > Regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/ > dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/ > dberrange :| >
