On Tue, Jun 21, 2016 at 15:03:51 +0200, Peter Krempa wrote:
On Mon, Jun 13, 2016 at 20:27:58 -0400, John Ferlan wrote:
> Generate the luks command line using the AES secret key to encrypt the
> luks secret. A luks secret object will be in addition to an AES secret.
>
> Add tests for sample output
>
> Signed-off-by: John Ferlan <jferlan(a)redhat.com>
> ---
[...]
> @@ -1237,10 +1238,13 @@ qemuBuildDriveStr(virDomainDiskDefPtr
disk,
> qemuBufferEscapeComma(&opt, source);
> virBufferAddLit(&opt, ",");
>
> - if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES)
{
> + if (secinfo && secinfo->type ==
VIR_DOMAIN_SECRET_INFO_TYPE_AES)
> virBufferAsprintf(&opt, "password-secret=%s,",
> secinfo->s.aes.alias);
> - }
> +
> + if (encinfo)
> + virQEMUBuildLuksOpts(&opt, disk->src->encryption,
> + encinfo->s.aes.alias);
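
Review bot: the new `if (encinfo)` branch reads `encinfo->s.aes.alias` without checking `encinfo->type`, whereas the `secinfo` branch directly above it only touches `s.aes.alias` after confirming `VIR_DOMAIN_SECRET_INFO_TYPE_AES`. Mirror that guard, for example `if (encinfo && encinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES)`, or add a comment stating why `encinfo` can only be an AES secret at this point, so a future secret type does not get its union member misread into the `-drive` string. If `virQEMUBuildLuksOpts` can fail, its result is also dropped here and should be checked before the function continues building `opt`.
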
This wrapper is not really useful here. It only adds "key-secret="; all
the other options are necessary only if creating the volume.
Okay, in the end this might be a reasonable idea if we'll want to add
support for block-copy-ing into a luks volume.
On the other hand, you'll need to disallow snapshots if the disk is
LUKS until we add support for full backing chain tracking since you'll
lose the definitions for the key once you take a snapshot. A second
start of that VM will not be possible then.