From: Stefan Hajnoczi
Subject: Re: encryption
Date: Wed, 18 Feb 2015 11:03:51 +0000
Message-ID: <20150218110351.GB7629@stefanha-thinkpad.redhat.com>
References: <54E22688.2050002@reventix.de>
Cc: kvm@vger.kernel.org
To: Henry Noack

On Mon, Feb 16, 2015 at 06:19:04PM +0100, Henry Noack wrote:
> it is possible to decrypt a kvm volume only by using the command line after
> starting it?

Encryption can be done at 3 levels:

1. Inside the guest. Just like you do on a physical machine with LUKS
   (dm-crypt), ecryptfs, TrueCrypt, etc.

2. In QEMU with qcow2, although this feature is not widely used and not
   up to modern disk encryption standards.

3. On the host using LUKS (dm-crypt), ecryptfs, TrueCrypt, etc. or on the
   storage appliance.

It depends what you are trying to achieve.

Keep in mind that encrypting the disk image does not stop the host from
seeing inside the guest. The host is always trusted; today's
virtualization technology has this limitation.

Stefan