git.proxmox.com Git - mirror_qemu.git/commit
qcow: convert QCow to use QCryptoBlock for encryption
author Daniel P. Berrange <berrange@redhat.com>
Fri, 23 Jun 2017 16:24:08 +0000 (17:24 +0100)
committer Max Reitz <mreitz@redhat.com>
Tue, 11 Jul 2017 15:44:56 +0000 (17:44 +0200)
commit d85f4222b4681da7ebf8a90b26e085a68fa2c55a
tree d3b9ace6e9ffa4f063d194d6f6262be8b8c2a596
parent 1fad1f9400614ebbce9f3ee301fa8d64cbf715e2

This converts the qcow driver to make use of the QCryptoBlock
APIs for encrypting image content. This is only wired up to
permit use of the legacy QCow encryption format. Users who wish
to have the strong LUKS format should switch to qcow2 instead.

With this change it is now required to use the QCryptoSecret
object for providing passwords, instead of the current block
password APIs / interactive prompting.

  $QEMU \
    -object secret,id=sec0,file=/home/berrange/encrypted.pw \
    -drive file=/home/berrange/encrypted.qcow,encrypt.format=aes,\
           encrypt.key-secret=sec0

Though note that running QEMU system emulators with the AES
encryption is no longer supported, so while the above syntax
is valid, QEMU will refuse to actually run the VM in this
particular example.

Likewise when creating images with the legacy AES-CBC format

  qemu-img create -f qcow \
    --object secret,id=sec0,file=/home/berrange/encrypted.pw \
    -o encrypt.format=aes,encrypt.key-secret=sec0 \
    /home/berrange/encrypted.qcow 64M

Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170623162419.26068-10-berrange@redhat.com
Signed-off-by: Max Reitz <mreitz@redhat.com>
block/crypto.c
block/crypto.h
block/qcow.c
qapi/block-core.json