Re: storage backup with encryption on-the-fly ?

On 06/04/2023 16:12, Peter Krempa wrote: > On Thu, Apr 06, 2023 at 15:22:10 +0200, lejeczek wrote: > > Hi guys. > > > > Is there a solution, perhaps a function of libvirt, to backup guest's > > storage and encrypt the resulting image file? > > On-the-fly ideally. > > If not ready/built-in solution then perhaps a best technique you > > recommend/use? > > I currently use 'backup-begin' on qcow2s, which are LUKS encrypted. > libvirt's block code supports the raw+luks and qcow2+luks encrypted > image formats with qemu. You should be able to use both for backups too: > > > <domainbackup mode='push'> > <disks> > <disk name='vda' type='file'> > <driver type='qcow2'/> > <target file='/tmp/backup-test-images/backup-vda.qcow2'> > <encryption format='luks'> > <secret type='passphrase' uuid='d5c7780c-80c4-45eb-bee9-9fbbc1f3847c'/> > </encryption> > </target> > </disk> > </domainbackup> > > Another option would be to use an encrypted device-mapper device via the > block backend. > > Lastly if you need any other storage format the 'pull' mode of backups > exposes a (optionally TLS-encrypted) NBD socket from where a client > application can pull the blocks for backup and store them in any way it > wants. > That works as I hoped, nice & smooth, I've not had the right xml syntax. Are there any docs with more details on the other two alternatives? many thanks, L.