On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES)
> can't be mounted by qemu-nbd.

It can be mounted, with current git master (all the commands I show
below are for git master btw). You should, however, *never* use the
old AES format any more. It is broken by design and not considered
secure.

> If I encrypt by the command you recommended:
>
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >       --image-opts driver=qcow2,file.filename=
> > demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

This *is* exposing the encrypted file - not creating it.

If you want to connect to a host nbd device then you use the command
above, with the -c arg

  $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
       -c /dev/nbd0 \
       --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

If you have a legacy AES qcow2 file the syntax is very similar

  $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
       -c /dev/nbd0 \
       --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0

Note we just changed the encrypt.format parameter there.

To actually create an encrypted file in the first place you need the
qemu-img command

  $ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
       -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
       demo.qcow2 1G

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
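
Added example, not part of the original message: a way to find images still using the legacy AES format the reply warns against, by reading the qcow2 header directly instead of attaching each image. It assumes the header layout from QEMU's qcow2 specification (magic at bytes 0-3, crypt_method at bytes 32-35, big-endian, 0 = none, 1 = AES, 2 = LUKS); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify qcow2 images by the crypt_method header field.
# Assumed layout (QEMU qcow2 spec): bytes 0-3 magic "QFI\xfb",
# bytes 32-35 crypt_method, big-endian: 0 = none, 1 = AES, 2 = LUKS.

# read_be FILE OFFSET N: print N bytes at OFFSET as one big-endian decimal.
# Prints nothing (and returns non-zero) if fewer than N bytes are available.
read_be() {
    val=0 n=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        val=$((val * 256 + b)); n=$((n + 1))
    done
    [ "$n" -eq "$3" ] && echo "$val"
}

# qcow2_crypt_method FILE: print none|aes|luks|unknown.
# Returns 2 (printing the reason) if FILE is unreadable or not qcow2.
qcow2_crypt_method() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # 1363560955 == 0x514649fb == "QFI\xfb"
    [ "$(read_be "$1" 0 4)" = "1363560955" ] || { echo "not-qcow2"; return 2; }
    case "$(read_be "$1" 32 4)" in
        0) echo "none" ;;
        1) echo "aes" ;;
        2) echo "luks" ;;
        *) echo "unknown" ;;   # truncated header or a value not listed above
    esac
}

# audit_images FILE...: list each image with its method;
# return 1 if any image uses the legacy AES format.
audit_images() {
    rc=0
    for img in "$@"; do
        m=$(qcow2_crypt_method "$img") || true
        printf '%s\t%s\n' "$img" "$m"
        [ "$m" = "aes" ] && rc=1
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/*.qcow2
if [ "$#" -gt 0 ]; then
    audit_images "$@"
fi
```

The check reads only the unencrypted header, so it needs no passphrase and works on images that are not attached to an nbd device.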