Re: [Qemu-devel] QCOW2 cryptography and secure key handling

["Daniel P. Berrange" <berrange@redhat.com>]

On Tue, Jul 23, 2013 at 05:22:47PM +0200, Stefan Hajnoczi wrote:
> On Tue, Jul 23, 2013 at 04:40:34PM +0200, Benoît Canet wrote:
> > > More generally, QCow2's current encryption support is woefully inadequate
> > > from a design POV. If we wanted better encryption built-in to QEMU it is
> > > best to just deprecate the current encryption support and define a new
> > > qcow2 extension based around something like the LUKS data format. Using
> > > the LUKS data format precisely would be good from a data portability
> > > POV, since then you can easily switch your images between LUKS encrypted
> > > block device & qcow2-with-luks image file, without needing to re-encrypt
> > > the data.
> > 
> > I read the LUKS specification and undestood enough part of it to understand the
> > potentials benefits (stronger encryption key, multiple user keys, possibility to
> > change users keys).
> > 
> > Kevin & Stefan: What do you think about implementing LUKS in QCOW2 ?
> 
> Using standard or proven approachs in crypto is a good thing.  I haven't
> looked at qcow2 encryption in the past because fairly few people
> actually use it.
> 
> One use-case I have heard about is qcow2 files over NFS.  The network
> and the storage system should not see guest data.  Only the host and the
> VM should see the data.

Yep, that is the core usecase. You are securing the system such that
only the VM host administrator/processes can compromise the data. It
is protected against malicious storage and/or network administrators.

> A big win with LUKS is that you can change the passphrase without
> re-encrypting the data.

Other benefits of LUKs are

 - Strong encryption key, even if the passphrase itself is weak
 - Support for multiple passphrases
 - Support for arbitrary different encryption algorithms / settings
 - Ability to detect whether the passphrase is correct or not rather
   than just decrypting to produce garbage

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|