Hey, guys
I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:
[root@xx ~]# libvirtd -V
libvirtd (libvirt) 4.5.0
[root@xx ~]# qemu-img -V
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers
1. Assign $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands, where $MYSECRET is in base64 format:
MYSECRET=`printf %s "123456" | base64`
2. Create a disk encrypted in LUKS format:
qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G
3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/enc.qcow2'/>
  <backingStore/>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <alias name='ide0-0-0'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as its backing file:
qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2
I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2:
image: snap.qcow2
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 480K
encrypted: yes
cluster_size: 65536
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
backing file format: qcow2
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 115582
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 30085
    corrupt: false
Then the startup failed and an error was thrown, as shown below:
qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'
The sec0 secret id could not be found for the backing file; this is my problem.
Is there a problem with the way I implemented it, or does libvirt currently not support this?