Hey, guys

I've been working on whether libvirt supports encrypted snapshots. Here are my versions of libvirt and qemu:

[root@xx ~]# libvirtd -V
libvirtd (libvirt) 4.5.0
[root@xx ~]# qemu-img -V
qemu-img version 2.12.0 (qemu-kvm-ev-2.12.0-33.1.el7_7.4)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

1. Assign $MYSECRET to a libvirt secret using the secret-define and secret-set-value commands. $MYSECRET is in base64 format:

MYSECRET=`printf %s "123456" | base64`

2. Created a disk encrypted in luks format:

qemu-img create --object secret,id=sec0,data=$MYSECRET,format=base64 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 enc.qcow2 20G

3. The encrypted disk is defined in the XML configuration file, as shown below. Then I successfully started the virtual machine.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/enc.qcow2'/>
  <backingStore/>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <alias name='ide0-0-0'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

4. According to the qemu documentation, an encrypted snap.qcow2 disk was created with enc.qcow2 as backing:

qemu-img create -f qcow2 -F qcow2 --object secret,id=sec0,data=$MYSECRET,format=base64 --object secret,id=sec1,data=$MYSECRET,format=base64 -o encrypt.format=luks,encrypt.key-secret=sec1 -b 'json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root/enc/enc.qcow2"}}' snap.qcow2

I used the same $MYSECRET as the password data for the disk. Here is the disk information for snap.qcow2:

image: snap.qcow2
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 480K
encrypted: yes
cluster_size: 65536
backing file: json:{"encrypt.key-secret": "sec0", "driver": "qcow2", "file": {"driver": "file", "filename": "/root//enc.qcow2"}}
backing file format: qcow2
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    encrypt:
        ivgen alg: plain64
        hash alg: sha256
        cipher alg: aes-256
        uuid: ab0e3f87-35e7-40cb-9888-9fe9bb54e981
        format: luks
        cipher mode: xts
        slots:
            [0]:
                active: true
                iters: 115582
                key offset: 4096
                stripes: 4000
            [1]:
                active: false
                key offset: 262144
            [2]:
                active: false
                key offset: 520192
            [3]:
                active: false
                key offset: 778240
            [4]:
                active: false
                key offset: 1036288
            [5]:
                active: false
                key offset: 1294336
            [6]:
                active: false
                key offset: 1552384
            [7]:
                active: false
                key offset: 1810432
        payload offset: 2068480
        master key iters: 30085
    corrupt: false

5. Then I changed the configuration of the XML, as shown below, and re-defined and started the virtual machine:

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

Then the startup failed and an error was thrown, as shown below:

qemu-kvm: -drive file=/root/enc/vm/enc-snap.qcow2,encrypt.format=luks,encrypt.key-secret=ide0-0-0-luks-secret0,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: No secret with id 'sec0'

The sec0 secret id could not be found in the backing file; this is my problem.

Is there a problem with the way I implemented it, or does libvirt currently not support this?

Any tips or help will be appreciated. Looking forward to your reply. Thank you
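One way to spot this kind of mismatch before a domain is started is to walk the `<disk>`/`<backingStore>` chain in the XML and list every backing layer that declares no `<encryption>` element: in the step-5 XML above, the overlay snap.qcow2 has a secret but its LUKS-encrypted backing layer enc.qcow2 does not, which is the layer QEMU then failed to open. This is an added audit script, not code from the post or from libvirt; it assumes only the XML shape shown above and accepts `<encryption>` both as a child of `<disk>`/`<backingStore>` (as in the post) and as a child of `<source>`, the placement libvirt's domain schema also allows.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <disk> element from step 5 of the post above.
DISK_XML = """<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/root/snap.qcow2'/>
  <backingStore type='file'>
    <format type='qcow2'/>
    <source file='/root/enc.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='hda' bus='ide'/>
  <encryption format='luks'>
    <secret type='passphrase' uuid='694bdf38-214e-48d3-8c4c-9dbbcf0f5fa0'/>
  </encryption>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>"""


def _encryption_of(layer):
    """Return the <encryption> element attached to a <disk> or <backingStore>
    layer, looking first at the layer itself and then under its <source>."""
    enc = layer.find("encryption")
    if enc is None:
        src = layer.find("source")
        if src is not None:
            enc = src.find("encryption")
    return enc


def audit_chain(disk_xml):
    """Walk a <disk> and its nested <backingStore> elements.
    Returns [(path, depth, encryption_format_or_None), ...], top layer first.
    The empty <backingStore/> terminator has no <source> and ends the walk."""
    layer, depth, layers = ET.fromstring(disk_xml), 0, []
    while layer is not None:
        src = layer.find("source")
        if src is None or src.get("file") is None:
            break
        enc = _encryption_of(layer)
        fmt = enc.get("format") if enc is not None else None
        layers.append((src.get("file"), depth, fmt))
        layer = layer.find("backingStore")
        depth += 1
    return layers


def unencrypted_backing_layers(disk_xml):
    """Paths of backing layers (depth > 0) for which the XML declares no
    encryption; with an encrypted backing image this is the configuration
    that produced the "No secret with id 'sec0'" error in the post."""
    return [p for p, depth, fmt in audit_chain(disk_xml) if depth > 0 and fmt is None]
```

Whether libvirt 4.5.0 actually passes a secret through for a backing layer once one is declared is a separate question that this post does not settle; the script only reports where the XML is silent.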