Hello,

the following patches add full support for qcow/qcow2 volume encryption, assuming a client that supports it.

New XML tags are defined to represent encryption parameters (currently format and passphrase, more can be added in the future), e.g.

    <encryption format='qcow'>
      <passphrase>c2lsbHk=</passphrase>
    </encryption>

(passphrase content uses base64)

The <encryption> tag can be added to a <volume> node passed to virStorageVolCreateXML() to create an encrypted volume, or to a <disk> node inside a <domain> to specify what encryption parameters to use for a domain. If the domain is persistent, the parameters (including the passphrase) will be saved unencrypted in /etc/libvirtd; the primary use case is to store the parameters outside of libvirtd (perhaps by virt-manager in a GNOME keyring).

Possible enhancements:

- Documentation and test cases. I'll write both if the code is acceptable; I wanted to make the code available for review first.

- Support for "dumb" clients that don't know anything about encryption formats and the required parameters: adding an encryption format to libvirt would automatically make it supported in all clients. Such a client would only request that a volume should be created when creating it, and libvirt would choose an appropriate format, parameters and passphrase/key and return it to the client, who could later pass it unmodified inside a <domain>. This requires public API additions to let libvirt return the encryption information as one of the results of a volume creation operation.

- Support for storing the passphrases/keys used by persistent domains outside of the main XML files, e.g. in a separate passphrase-encrypted file that must be entered on libvirtd startup.
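An added example, not part of the original message or of the libvirt patches: a small audit check for the risk described above, reporting every <disk> in a domain definition that embeds a passphrase inline. It assumes the <encryption>/<passphrase> layout exactly as proposed in this message; the sample domain XML, the function name find_inline_passphrases and the image paths are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample domain XML using the element layout proposed above.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/a.qcow2'/>
      <target dev='vda'/>
      <encryption format='qcow'><passphrase>c2lsbHk=</passphrase></encryption>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/b.qcow2'/>
      <target dev='vdb'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/c.qcow2'/>
      <target dev='vdc'/>
      <encryption format='qcow'><passphrase>not base64!</passphrase></encryption>
    </disk>
  </devices>
</domain>
"""

def find_inline_passphrases(domain_xml):
    """Return one finding per <disk> that carries an inline passphrase.

    base64 is an encoding, not protection, so any hit means the secret is
    recoverable by whoever can read the file. The decoded value is never
    returned, only its length and whether the base64 was well formed.
    Intended for locally owned config files, not untrusted XML.
    """
    findings = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        enc = disk.find("encryption")
        pw = enc.find("passphrase") if enc is not None else None
        if pw is None or not (pw.text or "").strip():
            continue
        try:
            length = len(base64.b64decode(pw.text.strip(), validate=True))
        except (binascii.Error, ValueError):
            length = None  # malformed base64: still a stored secret field
        target = disk.find("target")
        findings.append({"dev": target.get("dev") if target is not None else None,
                         "format": enc.get("format"),
                         "passphrase_bytes": length})
    return findings
```
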