
Hey guys, I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:

[root@xx ~]# libvirtd -V
libvirtd (libvirt) 4.5.0
[root@xx ~]# qemu-img -V
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

1. Assigned $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands; $MYSECRET is in base64 format:

MYSECRET=`printf %s "123456" | base64`

2. Created a disk encrypted in LUKS format:

qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G

3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/enc.qcow2'/>
  <backingStore/>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <alias name='ide0-0-0'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing:

qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2

I used the same $MYSECRET as the password data for the disk.
Here is the disk information for snap.qcow2:

image: snap.qcow2
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 480K
encrypted: yes
cluster_size: 65536
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
backing file format: qcow2
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 115582
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 30085
    corrupt: false

5. Then I changed the configuration of the XML, as shown below, and re-defined and started the virtual machine.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

Then the startup failed and an error was thrown, as shown below:

qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'

The sec0 secret id could not be found for the backing file; this is my problem. Is there a problem with the way I implemented it, or does libvirt currently not support this?
Any tips or help will be appreciated. Looking forward to your reply. Thank you.
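The error above is QEMU reporting that the backing layer's "encrypt.key-secret" points at a secret id nobody defined on its command line. The following is an added example, not code from the poster or from libvirt: a small Python pre-flight check that decodes a QEMU "json:" backing pseudo-filename like the one printed by qemu-img info above, walks the nested file/backing nodes, and reports which key-secret ids the chain references that are not among the secrets actually defined. The backing string is copied from the qemu-img info output in the post; the sets of defined secret ids are constructed for the two scenarios.

```python
import json
from typing import Iterator

# Backing-file string exactly as printed by `qemu-img info snap.qcow2` in the post.
BACKING_FROM_POST = (
    'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", '
    '"file": {"driver": "file", "filename": "/root//enc.qcow2"}}'
)


def parse_backing_filename(filename: str) -> dict:
    """Decode QEMU's 'json:' pseudo-filename; a plain path becomes a file node."""
    if filename.startswith("json:"):
        return json.loads(filename[len("json:"):])
    return {"driver": "file", "filename": filename}


def walk_nodes(node: dict) -> Iterator[dict]:
    """Yield this block node and every nested 'file' / 'backing' child node."""
    yield node
    for child in ("file", "backing"):
        if isinstance(node.get(child), dict):
            yield from walk_nodes(node[child])


def referenced_secrets(node: dict) -> set:
    """Every secret id named by a '*key-secret' option anywhere in the tree
    (covers qcow2's 'encrypt.key-secret' and the raw luks driver's 'key-secret')."""
    return {value for n in walk_nodes(node)
            for key, value in n.items() if key.endswith("key-secret")}


def missing_secrets(backing_filename: str, defined_ids: set) -> set:
    """Secret ids the backing chain needs but that were not defined with
    '--object secret,id=...' (or, under libvirt, by an <encryption> element)."""
    return referenced_secrets(parse_backing_filename(backing_filename)) - defined_ids


if __name__ == "__main__":
    # Constructed scenario 1: only the overlay's libvirt-generated secret exists,
    # which is the situation behind the failing domain start in the post.
    print(missing_secrets(BACKING_FROM_POST, {"ide0-0-0-luks-secret0"}))  # {'sec0'}
    # Constructed scenario 2: both ids from the qemu-img create command exist.
    print(missing_secrets(BACKING_FROM_POST, {"sec0", "sec1"}))  # set()
```

A non-empty result means QEMU will refuse to open the chain with exactly the "No secret with id" error seen above, so the check can run before a domain is defined rather than at boot.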