On 06/21/2016 08:08 AM, Peter Krempa wrote:
> On Mon, Jun 13, 2016 at 20:27:53 -0400, John Ferlan wrote:
>> Add a new secret type known as "key" - it will handle adding the secret
>> objects that need a key (or passphrase), such as will soon be the case
>
> This may be misleading: a "key" is not equal to a "passphrase" in usual
> encryption terminology. Key usually refers to the actual encryption key
> used to encrypt the data whereas passphrase is usually a human readable
> secret string (which may not be random at all) used to access the key
> later.
>
> The cryptsetup man page tends to treat them interchangeably to some
> extent (eg a key slot equals to passphrase, but the master key refers to
> the actual encryption key used for the data).
>
> To avoid confusion I'd rather stick with "passphrase".
>
>> for a luks volume for both storage driver create and libvirt domain usage.
>>
>> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
>> ---

While replying to review comments from 6/19, I realized another reason I
went with "key" over "passphrase".

Consider the existing/old qcow encryption format
(http://libvirt.org/formatsecret.html). The <secret> XML looks like:

    <secret ephemeral='no' private='yes'>
      <description>Super secret name of my first puppy</description>
      <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid>
      <usage type='volume'>
        <volume>/var/lib/libvirt/images/puppyname.img</volume>
      </usage>
    </secret>

while the <domain> XML has:

    <encryption format='qcow'>
      <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
    </encryption>

or once patch 11 hits:

    <encryption format='qcow'>
      <secret type='passphrase' usage='/var/lib/libvirt/images/puppyname.img'/>
    </encryption>

where 'usage' matches 'volume'.

Using something other than passphrase allowed me to distinguish between
that 'old' format and this new style...
Using "passphrase" will then have <domain> format of:

    <encryption format='luks'>
      <secret type='passphrase' {uuid|usage}='...'/>
    </encryption>

And a <secret> format of:

    <secret ephemeral='no' private='yes'>
      <description>Sample</description>
      <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid>
      <usage type='passphrase'>
        <passphrase>somestring</passphrase>
      </usage>
    </secret>

where "somestring" is just a 'usage' string and not the actual passphrase,
which would be set by the 'secret-set-value' command.

I could have the <secret> XML use something different than passphrase, but
key just seemed to be the most reasonable beyond passphrase. Unless you
have a different suggestion for a better name.

John

Hopefully this was clear...

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
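As an added illustration (not part of the message above, the patch series, or libvirt's own code), a small resolver that matches a domain's <encryption><secret> reference to the secret objects discussed in the thread. It assumes the mapping the message describes: a qcow reference resolves against a secret with usage type 'volume' (the 'usage' attribute matching the <volume> path), and the proposed luks reference resolves against usage type 'passphrase' (the 'usage' attribute matching the <passphrase> usage name, not the secret value). The second secret's uuid is a constructed sample value, and the usage-type consistency check on uuid references is added here, not something the thread states libvirt does.

```python
import xml.etree.ElementTree as ET

# Constructed sample secret objects mirroring the two forms in the message.
SECRETS_XML = """
<secrets>
  <secret ephemeral='no' private='yes'>
    <description>Super secret name of my first puppy</description>
    <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid>
    <usage type='volume'>
      <volume>/var/lib/libvirt/images/puppyname.img</volume>
    </usage>
  </secret>
  <secret ephemeral='no' private='yes'>
    <description>Sample</description>
    <uuid>11111111-2222-3333-4444-555555555555</uuid>
    <usage type='passphrase'>
      <passphrase>somestring</passphrase>
    </usage>
  </secret>
</secrets>
"""

# Assumption: a qcow reference resolves against usage type 'volume' (the old
# format), a luks reference against the proposed usage type 'passphrase'.
USAGE_TYPE_FOR_FORMAT = {"qcow": "volume", "luks": "passphrase"}

def index_secrets(secrets_xml):
    """Index secrets by uuid (-> usage type) and by (usage type, usage string)."""
    by_uuid, by_usage = {}, {}
    for sec in ET.fromstring(secrets_xml).findall("secret"):
        usage = sec.find("usage")
        utype = usage.get("type")
        # The child carrying the usage string is named after the type.
        by_uuid[sec.findtext("uuid")] = utype
        by_usage[(utype, usage.findtext(utype))] = sec.findtext("uuid")
    return by_uuid, by_usage


def resolve_encryption_secret(encryption_xml, by_uuid, by_usage):
    """Return the uuid the <encryption><secret> reference points at, or None."""
    enc = ET.fromstring(encryption_xml)
    ref = enc.find("secret")
    if ref is None or ref.get("type") != "passphrase":
        return None
    want = USAGE_TYPE_FOR_FORMAT.get(enc.get("format"))
    if ref.get("uuid") is not None:
        # uuid references are checked for a usage type matching the format.
        return ref.get("uuid") if by_uuid.get(ref.get("uuid")) == want else None
    return by_usage.get((want, ref.get("usage")))
```

A luks reference whose 'usage' string happens to equal a volume path does not resolve, because the lookup is keyed on the usage type as well as the string.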