On Tue, Jul 21, 2009 at 01:11:57PM +0200, Miloslav Trma?? wrote:
Define an <encryption> tag specifying volume encryption format and format-depenedent parameters (e.g. passphrase, cipher name, key length, key).
In most cases, the "secrets" (passphrases/keys) should only be transferred from libvirt users to libvirt, not the other way around. (Volume creation, when libvirt generates secrets for the user, is the only planned exception).
Permanent storage of the secrets should be implemented outside of libvirt, although virDomainDefineXML() will cause libvirtd to store the secret locally with a domain.
Only the qcow/qcow2 encryption format is currently supported, with the key/passphrase represented using base64.
This patch does not add any users; the <encryption> tag is added in the following patches to both volumes (to support encrypted volume creation) and domains.
[snip]
+#include <stdbool.h> +#include <libxml/tree.h> + +enum virStorageEncryptionFormat { + VIR_STORAGE_ENCRYPTION_FORMAT_UNENCRYPTED = 0, + VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */ + + VIR_STORAGE_ENCRYPTION_FORMAT_LAST, +}; +VIR_ENUM_DECL(virStorageEncryptionFormat) + +typedef struct _virStorageEncryption virStorageEncryption; +typedef virStorageEncryption *virStorageEncryptionPtr; +struct _virStorageEncryption { + int format; /* enum virStorageEncryptionFormat */ + + union { /* Format-specific data */ + struct { + char *passphrase; + } qcow; + } v; +};
As with the XML format, I'd like to avoid encoding qcow as a structural element here. Instead go for a generic storage of secrets. enum virStorageEncryptionSecret { VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE, }; struct virStorageSecret{ int type; /* enum virStorageSecret */ union { char *passphrase; } data; }; struct _virStorageEncryption { unsigned encrypted : 1; int nsecrets; virStorageSecret *secrets; } This allows for > 1 secret should we need that (eg, for LUKS/cryptsetup volume) Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|