[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 0/9] Add support for (qcow*) volume encryption



Hello,
the following patches add full support for qcow/qcow2 volume encryption,
assuming a client that supports it.

New XML tags are defined to represent encryption parameters (currently
format and passphrase, more can be added in the future), e.g.
    <encryption format='qcow'>
        <passphrase>c2lsbHk=</passphrase>
    </encryption>
(passphrase content uses base64)

The <encryption> tag can be added to a <volume> node passed to
virStorageVolCreateXML() to create an encrypted volume, or to a
<disk> node inside a <domain> to specify what encryption parameters to
use for a domain.  If the domain is persistent, the parameters
(including the passphrase) will be saved unencrypted in /etc/libvirtd;
the primary use case is to store the parameters outside of libvirtd,
(perhaps by virt-manager in a GNOME keyring).

Possible enhancements:
- Documentation and test cases.  I'll write both if the code is acceptable,
  I wanted to make the code available for review first.
- Support for "dumb" clients that don't know anything about encryption
  formats and the required parameters: adding an encryption format to libvirt
  would automatically make it supported in all clients.

  Such a client would only request that a volume should be created when
  creating it, and libvirt would choose an appropriate format, parameters
  and passphrase/key and return it to the client, who could later pass it
  unmodified inside a <domain>.

  This requires public API additions to let libvirt return the encryption
  information as one of the results of a volume creation operation.
- Support for storing the passphrases/keys used by persistent domains
  outside of the main XML files, e.g. in a separate passphrase-encrypted
  file that must be entered on libvirtd startup.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]