On Thu, Apr 06, 2023 at 15:22:10 +0200, lejeczek wrote:
> Hi guys.
>
> Is there a solution, perhaps a function of libvirt, to backup guest's
> storage and encrypt the resulting image file?
> On-the-fly ideally.
> If not ready/built-in solution then perhaps a best technique you
> recommend/use?
> I currently use 'backup-begin' on qcow2s, which are LUKS encrypted.
libvirt's block code supports the raw+luks and qcow2+luks encrypted
image formats with qemu. You should be able to use both for backups too:
<domainbackup mode='push'>
<disks>
<disk name='vda' type='file'>
<driver type='qcow2'/>
<target file='/tmp/backup-test-images/backup-vda.qcow2'>
<encryption format='luks'>
<secret type='passphrase' uuid='d5c7780c-80c4-45eb-bee9-9fbbc1f3847c'/>
</encryption>
</target>
</disk>
</domainbackup>
Another option would be to use an encrypted device-mapper device via the
block backend.
Lastly if you need any other storage format the 'pull' mode of backups
exposes a (optionally TLS-encrypted) NBD socket from where a client
application can pull the blocks for backup and store them in any way it
wants.
