* [Qemu-devel] Can I mount encrypt qcow2?
From: 陳培泓 @ 2017-07-20 2:43 UTC
To: qemu-devel

Can I mount encrypt qcow2 file through qemu-nbd?

I tried but failed and nothing about that in man page

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Daniel P. Berrange @ 2017-07-20 8:59 UTC
To: 陳培泓; +Cc: qemu-devel

On Thu, Jul 20, 2017 at 10:43:53AM +0800, 陳培泓 wrote:
> Can I mount encrypt qcow2 file through qemu-nbd?

What encryption format are you referring to ? The old AES encrypt, or the
new LUKS encrypt ? The latter is the only one people should be using, and
you can expose it with

  qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
           --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

Note that 'passwd.txt' file must *not* contain a newline. eg create it
with 'echo -n 123456 > passwd.txt' - the -n flag to omit the newline

You should only do decrypt in qemu-nbd, if you are trying to interoperate
with non-QEMU tools. If you are exposing the NBD volume to a QEMU system
emulator, you should make the NBD server expose the file as raw, and let
the QEMU client do the decryption instead, so data over the NBD socket
is still secure.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: 陳培泓 @ 2017-07-20 9:07 UTC
To: Daniel P. Berrange; +Cc: qemu-devel

oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES)
can't be mounted by qemu-nbd.

If I encrypt by the command you recommended:

> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

Supposed the encrypted file called disk_encry.qcow2

Can I mount disk_encry.qcow2 by the cmd?

> qemu-nbd -c /dev/nbd0 disk_encry.qcow2

2017-07-20 16:59 GMT+08:00 Daniel P. Berrange <berrange@redhat.com>:

> On Thu, Jul 20, 2017 at 10:43:53AM +0800, 陳培泓 wrote:
> > Can I mount encrypt qcow2 file through qemu-nbd?
>
> What encryption format are you referring to ? The old AES encrypt, or the
> new LUKS encrypt ? The latter is the only one people should be using, and
> you can expose it with
>
>   qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>            --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> Note that 'passwd.txt' file must *not* contain a newline. eg create it
> with 'echo -n 123456 > passwd.txt' - the -n flag to omit the newline
>
> You should only do decrypt in qemu-nbd, if you are trying to interoperate
> with non-QEMU tools. If you are exposing the NBD volume to a QEMU system
> emulator, you should make the NBD server expose the file as raw, and let
> the QEMU client do the decryption instead, so data over the NBD socket
> is still secure.
>
> Regards,
> Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Daniel P. Berrange @ 2017-07-20 9:12 UTC
To: 陳培泓; +Cc: qemu-devel

On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES)
> can't be mounted by qemu-nbd.

It can be mounted, with current git master (all the commands I show
below are for git master btw).

You should, however, *never* use the old AES format any more. It is
broken by design and not considered secure.

> If I encrypt by the command you recommended:
>
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

This *is* exposing the encrypted file - not creating it. If you
want to connect to a host nbd device then you use the command
above, with the -c arg

  $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
             -c /dev/nbd0 \
             --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

If you have a legacy AES qcow2 file the syntax is very similar

  $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
             -c /dev/nbd0 \
             --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0

Note we just changed the encrypt.format parameter there.

To actually create an encrypted file in the first place you need the
qemu-img command

  $ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
             -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
             demo.qcow2 1G

Regards,
Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: 陳培泓 @ 2017-07-21 1:44 UTC
To: Daniel P. Berrange; +Cc: qemu-devel

I re-build qemu from the https://github.com/qemu/qemu, and it didn't show
any errors.

I tried the cmd you suggested below:

> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>          -c /dev/nbd0 \
>          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

but it shows unrecognized option '--object '
why? I missed to install something?

2017-07-20 17:12 GMT+08:00 Daniel P. Berrange <berrange@redhat.com>:

> On Thu, Jul 20, 2017 at 05:07:49PM +0800, 陳培泓 wrote:
> > oh~ I don't know can expose the LUKS encryption. I'm sure the older(AES)
> > can't be mounted by qemu-nbd.
>
> It can be mounted, with current git master (all the commands I show
> below are for git master btw).
>
> You should, however, *never* use the old AES format any more. It is
> broken by design and not considered secure.
>
> > If I encrypt by the command you recommended:
> >
> > > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> > >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> This *is* exposing the encrypted file - not creating it. If you
> want to connect to a host nbd device then you use the command
> above, with the -c arg
>
>   $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>              -c /dev/nbd0 \
>              --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> If you have a legacy AES qcow2 file the syntax is very similar
>
>   $ qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>              -c /dev/nbd0 \
>              --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=aes,encrypt.key-secret=sec0
>
> Note we just changed the encrypt.format parameter there.
>
> To actually create an encrypted file in the first place you need the
> qemu-img command
>
>   $ qemu-img create --object secret,id=sec0,file=passwd.txt,format=raw \
>              -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 \
>              demo.qcow2 1G
>
> Regards,
> Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Daniel P. Berrange @ 2017-07-21 8:38 UTC
To: 陳培泓; +Cc: qemu-devel

On Fri, Jul 21, 2017 at 09:44:33AM +0800, 陳培泓 wrote:
> I re-build qemu from the https://github.com/qemu/qemu, and it didn't show
> any errors.
>
> I tried the cmd you suggested below:
>
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >          -c /dev/nbd0 \
> >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> but it shows unrecognized option '--object '
> why? I missed to install something?

Sounds like you're not running the binaries you just built

Regards,
Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: 陳培泓 @ 2017-07-21 9:31 UTC
To: Daniel P. Berrange; +Cc: qemu-devel

It works after I replace the /usr/bin/qemu-nbd with binary I built.

My cmd is :

> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

But I got other message:

> Block format 'qcow2' does not support the option 'encrypt.format'

Maybe it doesn't support yet?

2017-07-21 16:38 GMT+08:00 Daniel P. Berrange <berrange@redhat.com>:

> On Fri, Jul 21, 2017 at 09:44:33AM +0800, 陳培泓 wrote:
> > I re-build qemu from the https://github.com/qemu/qemu, and it didn't show
> > any errors.
> >
> > I tried the cmd you suggested below:
> >
> > > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> > >          -c /dev/nbd0 \
> > >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
> >
> > but it shows unrecognized option '--object '
> > why? I missed to install something?
>
> Sounds like you're not running the binaries you just built
>
> Regards,
> Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Daniel P. Berrange @ 2017-07-21 9:34 UTC
To: 陳培泓; +Cc: qemu-devel

On Fri, Jul 21, 2017 at 05:31:04PM +0800, 陳培泓 wrote:
> It works after I replace the /usr/bin/qemu-nbd with binary I built.
>
> My cmd is :
>
> > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
>
> But I got other message:
>
> > Block format 'qcow2' does not support the option 'encrypt.format'
>
> Maybe it doesn't support yet?

It is supported. I think your git checkout is not fully updated.

Regards,
Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: 陳培泓 @ 2017-07-21 9:41 UTC
To: Daniel P. Berrange; +Cc: QEMU Developers

oh Maybe the version is something wrong?

qemu-img -V

> qemu-img version 2.9.0

qemu-nbd -V

> qemu-nbd version 0.0.1

They're not correspondent?

2017-07-21 17:34 GMT+08:00 Daniel P. Berrange <berrange@redhat.com>:

> On Fri, Jul 21, 2017 at 05:31:04PM +0800, 陳培泓 wrote:
> > It works after I replace the /usr/bin/qemu-nbd with binary I built.
> >
> > My cmd is :
> >
> > > qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
> > >          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0
> >
> > But I got other message:
> >
> > > Block format 'qcow2' does not support the option 'encrypt.format'
> >
> > Maybe it doesn't support yet?
>
> It is supported. I think your git checkout is not fully updated.
>
> Regards,
> Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Eric Blake @ 2017-07-21 12:18 UTC
To: 陳培泓, Daniel P. Berrange; +Cc: QEMU Developers

[please don't top-post on technical lists]

On 07/21/2017 04:41 AM, 陳培泓 wrote:
> oh Maybe the version is something wrong?
>
> qemu-img -V
>
>> qemu-img version 2.9.0
>
> qemu-nbd -V
>
>> qemu-nbd version 0.0.1
>
> They're not correspondent?

Not currently, although patches are welcome (qemu-img and qemu-io share
versions, so qemu-nbd is the only oddball)

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Eric Blake @ 2017-07-21 14:05 UTC
To: 陳培泓, Daniel P. Berrange; +Cc: QEMU Developers

On 07/21/2017 07:18 AM, Eric Blake wrote:
> [please don't top-post on technical lists]
>
> On 07/21/2017 04:41 AM, 陳培泓 wrote:
>> oh Maybe the version is something wrong?
>>
>> qemu-img -V
>>
>>> qemu-img version 2.9.0
>>
>> qemu-nbd -V
>>
>>> qemu-nbd version 0.0.1
>>
>> They're not correspondent?
>
> Not currently, although patches are welcome (qemu-img and qemu-io share
> versions, so qemu-nbd is the only oddball)

Oops, looks like 'git send-email' doesn't know how to auto-cc
'Reported-by:' tags. I meant to include you on my proposed patch:

https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg06931.html

Hmm, I wonder if scripts/get_maintainer.pl can be enhanced to scrape
commit messages for additional addresses to cc (sadly, my perl is not
strong enough for me to volunteer for the task)

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Daniel P. Berrange @ 2017-07-21 14:06 UTC
To: Eric Blake; +Cc: 陳培泓, QEMU Developers

On Fri, Jul 21, 2017 at 09:05:21AM -0500, Eric Blake wrote:
> On 07/21/2017 07:18 AM, Eric Blake wrote:
> > [please don't top-post on technical lists]
> >
> > On 07/21/2017 04:41 AM, 陳培泓 wrote:
> >> oh Maybe the version is something wrong?
> >>
> >> qemu-img -V
> >>
> >>> qemu-img version 2.9.0
> >>
> >> qemu-nbd -V
> >>
> >>> qemu-nbd version 0.0.1
> >>
> >> They're not correspondent?
> >
> > Not currently, although patches are welcome (qemu-img and qemu-io share
> > versions, so qemu-nbd is the only oddball)
>
> Oops, looks like 'git send-email' doesn't know how to auto-cc
> 'Reported-by:' tags.

That's something that's bugged me too - someone should write a patch for
git :-)

Regards,
Daniel

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Eric Blake @ 2017-07-21 14:18 UTC
To: Daniel P. Berrange; +Cc: 陳培泓, QEMU Developers

On 07/21/2017 09:06 AM, Daniel P. Berrange wrote:
>> Oops, looks like 'git send-email' doesn't know how to auto-cc
>> 'Reported-by:' tags.
>
> That's something that's bugged me too - someone should write a patch for
> git :-)

Attempted:
http://marc.info/?l=git&m=150064653516706&w=2

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: 陳培泓 @ 2017-07-24 1:49 UTC
To: Eric Blake; +Cc: Daniel P. Berrange, QEMU Developers

I check to the newest version of qemu.

and do the cmds to install followed by the documents in github:

> mkdir build
> cd build
> ../configure
> make

and it show nothing errors
It's the version when I enter qemu-img --help:

and I execute encrypt format(luks) to the qcow2 file:

always shows the error, how to solve it?

2017-07-21 22:18 GMT+08:00 Eric Blake <eblake@redhat.com>:

> On 07/21/2017 09:06 AM, Daniel P. Berrange wrote:
> >> Oops, looks like 'git send-email' doesn't know how to auto-cc
> >> 'Reported-by:' tags.
> >
> > That's something that's bugged me too - someone should write a patch for
> > git :-)
>
> Attempted:
> http://marc.info/?l=git&m=150064653516706&w=2
>
> --
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.           +1-919-301-3266
> Virtualization:  qemu.org | libvirt.org

[-- Attachment #2: nbd.png --]
[-- Type: image/png, Size: 26481 bytes --]

[-- Attachment #3: git.png --]
[-- Type: image/png, Size: 56146 bytes --]

[-- Attachment #4: version.png --]
[-- Type: image/png, Size: 22774 bytes --]

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Eric Blake @ 2017-07-24 12:25 UTC
To: 陳培泓; +Cc: Daniel P. Berrange, QEMU Developers

On 07/23/2017 08:49 PM, 陳培泓 wrote:
> I check to the newest version of qemu.

You're still top-posting, which makes it really hard to answer your
questions.

>
> and do the cmds to install followed by the documents in github:
>
>> mkdir build
>> cd build
>> ../configure
>> make
>
> and it show nothing errors
> It's the version when I enter qemu-img --help:
>
> and I execute encrypt format(luks) to the qcow2 file:
>

Attaching inline images is a horrible waste of bandwidth, compared to
copying-and-pasting the terminal text directly. Furthermore, your email
is illegible in a plain-text client (like what I prefer to use), and
requires that I switch to html view to even understand what you are asking.

> always shows the error, how to solve it?

Transcribing one of your images:

> pahome@pahome-QW09:~/git/qemu/build$ ./qemu-img --help
> qemu-img version 2.9.0 (v2.9.0-dirty)

You aren't building the latest version of qemu.git. If you were, you'd
be getting something like this:

$ ./qemu-img --help | head -n1
qemu-img version 2.9.50 (v2.9.0-2519-gb52f59694d)

Before you can complain that something recently added isn't working, you
first have to make sure you are building the right version.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: lampahome @ 2017-07-25 4:26 UTC
To: Eric Blake; +Cc: Daniel P. Berrange, QEMU Developers

I thought 2.9.0 is the latest and check to the wrong commit.

Now it supports encryption.

My cmd is:

> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

But it shows error message:

> No encryption in image header, but options specified format 'luks'

Something wrong?

My procedure is below:
1. create a clean demo.qcow2 image(no compression, no encryption)
2. use the cmd above to encrypt the demo.qcow2 image

2017-07-24 20:25 GMT+08:00 Eric Blake <eblake@redhat.com>:

> On 07/23/2017 08:49 PM, 陳培泓 wrote:
> > I check to the newest version of qemu.
>
> You're still top-posting, which makes it really hard to answer your
> questions.
>
> >
> > and do the cmds to install followed by the documents in github:
> >
> >> mkdir build
> >> cd build
> >> ../configure
> >> make
> >
> > and it show nothing errors
> > It's the version when I enter qemu-img --help:
> >
> > and I execute encrypt format(luks) to the qcow2 file:
> >
>
> Attaching inline images is a horrible waste of bandwidth, compared to
> copying-and-pasting the terminal text directly. Furthermore, your email
> is illegible in a plain-text client (like what I prefer to use), and
> requires that I switch to html view to even understand what you are asking.
>
> > always shows the error, how to solve it?
>
> Transcribing one of your images:
>
> > pahome@pahome-QW09:~/git/qemu/build$ ./qemu-img --help
> > qemu-img version 2.9.0 (v2.9.0-dirty)
>
> You aren't building the latest version of qemu.git. If you were, you'd
> be getting something like this:
>
> $ ./qemu-img --help | head -n1
> qemu-img version 2.9.50 (v2.9.0-2519-gb52f59694d)
>
> Before you can complain that something recently added isn't working, you
> first have to make sure you are building the right version.
>
> --
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.           +1-919-301-3266
> Virtualization:  qemu.org | libvirt.org

* Re: [Qemu-devel] Can I mount encrypt qcow2?
From: Eric Blake @ 2017-07-25 11:26 UTC
To: lampahome; +Cc: Daniel P. Berrange, QEMU Developers

On 07/24/2017 11:26 PM, lampahome wrote:
> I thought 2.9.0 is the latest and check to the wrong commit.

You're still top-posting, even after being told not to:
http://www.caliburn.nl/topposting.html

> Now it supports encryption.
>
> My cmd is:
>
>> qemu-nbd --object secret,id=sec0,file=passwd.txt,format=raw \
>>          --image-opts driver=qcow2,file.filename=demo.qcow2,encrypt.format=luks,encrypt.key-secret=sec0

This says to open an existing already-encrypted image...

>
> But it shows error message:
>
>> No encryption in image header, but options specified format 'luks'

...and this says your image was not already encrypted.

>
> Something wrong?
>
> My procedure is below:
> 1. create a clean demo.qcow2 image(no compression, no encryption)
> 2. use the cmd above to encrypt the demo.qcow2 image

Indeed, if you want an encrypted image, you must create it encrypted up
front (you can't do an in-place encryption after the fact). qemu-img
convert is probably the easiest way to copy a non-encrypted image to a
newly-created encrypted image.

>
> 2017-07-24 20:25 GMT+08:00 Eric Blake <eblake@redhat.com>:
>
>> On 07/23/2017 08:49 PM, 陳培泓 wrote:
>>> I check to the newest version of qemu.
>>
>> You're still top-posting, which makes it really hard to answer your
>> questions.

Here's where I previously asked you to avoid top-posting.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

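Added example, not part of the thread and not QEMU code: a POSIX shell pre-flight check for two failure points discussed above, the newline-free secret file and the "No encryption in image header" error. It reads the crypt_method field of the qcow2 header (0 = none, 1 = AES, 2 = LUKS); the function names and the sample files are constructed for this example.

```sh
#!/bin/sh
# Added example; function names are this example's own, not QEMU's.

# Store a passphrase read from stdin without its trailing newline, in a file
# only the owner can read (same effect as the thread's 'echo -n ... > file').
write_secret() {
    ( umask 077
      IFS= read -r pw || [ -n "$pw" ]
      printf '%s' "$pw" > "$1" )
}

# Succeed only if the file is usable as 'secret,file=...,format=raw'.
secret_file_ok() {
    [ -s "$1" ] || { echo "missing or empty"; return 1; }
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "trailing newline would join the passphrase"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "readable by group or other"; return 1; }
    echo ok
}

# Print the encrypt.format matching the image header: none, aes or luks.
# qcow2 header (big-endian): magic "QFI\xfb" at bytes 0-3, crypt_method at
# bytes 32-35 with 0 = no encryption, 1 = AES, 2 = LUKS.
qcow2_crypt_format() {
    img=$1
    magic=$(od -An -tx1 -N4 "$img" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "514649fb" ] || { echo "not-qcow2"; return 1; }
    # Byte-wise read keeps the result independent of host endianness.
    set -- $(od -An -tu1 -j32 -N4 "$img" 2>/dev/null)
    [ $# -eq 4 ] || { echo "truncated"; return 1; }
    case $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) in
        0) echo none ;;
        1) echo aes ;;
        2) echo luks ;;
        *) echo unknown; return 1 ;;
    esac
}

# Map the header state to the action the thread recommends.
image_advice() {
    fmt=$(qcow2_crypt_format "$1") || { echo "unusable ($fmt)"; return 1; }
    case $fmt in
        luks) echo "open with encrypt.format=luks,encrypt.key-secret=sec0" ;;
        aes)  echo "legacy AES: open with encrypt.format=aes, then convert to luks" ;;
        none) echo "unencrypted: qemu-img convert into a new luks image" ;;
    esac
}

# Constructed sample input: a 36-byte file holding only the header fields
# read above ($1 = path, $2 = crypt_method digit 0..2).
make_sample_header() {
    { printf 'QFI\373\000\000\000\003'
      dd if=/dev/zero bs=1 count=24 2>/dev/null
      printf "\000\000\000\00$2"
    } > "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_header "$demo_dir/plain.qcow2" 0
make_sample_header "$demo_dir/luks.qcow2" 2
echo 123456 | write_secret "$demo_dir/passwd.txt"
echo "secret file: $(secret_file_ok "$demo_dir/passwd.txt")"
echo "plain.qcow2: $(image_advice "$demo_dir/plain.qcow2")"
echo "luks.qcow2:  $(image_advice "$demo_dir/luks.qcow2")"
```

On a real image, a result of "none" from qcow2_crypt_format is the state that produces the header error quoted in the last two messages.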