Hi,
I have been trying to use the librbd engine to run a guest from an
encrypted RBD image and am running into some problems.
What I would like to do is:
1. Start from an unencrypted raw image with an OS
2. Make an encrypted clone of that image
3. Boot a guest from the encrypted clone image
What I have tried so far (simplified):
1. Make a clone of the unencrypted image
   rbd clone images/unencrypted@snap images/encryptedclone
2. Format the clone image with encryption
   rbd encryption format images/encryptedclone luks1 passphrase.bin
3. Create guest XML with the encrypted clone
[...]
<disk type="network" device="disk">
  <driver type="raw" cache="writeback"/>
  <source protocol="rbd" name="images/encryptedclone">
    <host name="127.0.0.1" port="6789"/>
    <encryption format="luks" engine="librbd">
      <secret type="passphrase" uuid="secretuuid"/>
    </encryption>
  </source>
  <auth username="cinder">
    <secret type="ceph" uuid="othersecretuuid"/>
  </auth>
  <target dev="vda" bus="virtio"/>
</disk>
[...]
and virDomainCreateWithFlags() with the XML.
I don't get any errors from libvirt (no errors about loading encryption),
but this configuration does not seem to work: the guest won't boot.
If anyone can give me a hint as to what I'm doing wrong, I would appreciate it.
Cheers,
-melwitt