From: Markus Armbruster <armbru@redhat.com>
To: "Hamilton, Peter A." <Peter.Hamilton@jhuapl.edu>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Benoît Canet" <benoit.canet@irqsave.net>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"Coffman, Joel M." <Joel.Coffman@jhuapl.edu>,
"Stefan Hajnoczi" <stefanha@redhat.com>
Subject: Re: [Qemu-devel] Adding dmcrypt to QEMU block drivers
Date: Tue, 18 Mar 2014 11:19:24 +0100
Message-ID: <87bnx3reqb.fsf@blackfin.pond.sub.org>
In-Reply-To: <EE1A64E628992240A94E2B625745F0167602286166@aplesstripe.dom1.jhuapl.edu> (Peter A. Hamilton's message of "Mon, 17 Mar 2014 20:48:08 -0400")

Cc'ing a few interested parties.

"Hamilton, Peter A." <Peter.Hamilton@jhuapl.edu> writes:

> Hi qemu-devel,
>
> I am a member of a development team based out of the Johns Hopkins
> University Applied Physics Laboratory. Over the past year and a half,
> we've been working with the OpenStack community on several security
> features for their Compute and Block Storage services that leverage
> encrypted data storage. One of these features, ephemeral storage
> encryption for qcow2-based virtual machines, would leverage the
> encryption functionality built into the qcow2 file format. However,
> there are significant issues with the security and implementation of
> the qcow2 encryption feature that preclude us from using it in
> OpenStack. For example, there is no support for the following security
> features: rekeying of encrypted images, key stretching, and cipher
> configurability.

I think most, if not all of us would agree that the existing encryption
support in QEMU is fertilizer.

> After discussing some of these details with Daniel Berrange, we are
> interested in working with you to add and improve the encryption
> support offered by QEMU. In the past, Daniel has advocated the full
> adaptation of the LUKS file format used by dmcrypt, which we currently
> use in OpenStack. Our proposal would focus on adding a dmcrypt-style
> encryption layer above the QEMU block driver layer, which would
> transparently encrypt and decrypt all data written to or read from the
> underlying block device. This would provide encryption support for all
> backends and file formats supported by QEMU that leverage block
> drivers. Such support in QEMU provides significantly improved security
> and renders the existing encryption scheme provided by qcow2 obsolete.
>
> My intent at the moment is to get a feel for your thoughts and
> concerns about this proposal and to determine who is currently working
> on QEMU security features or would be interested in working with us on
> this feature. I've found past discussions in the QEMU community
> addressing these encryption concerns but am unaware at the moment what
> the status is for those development efforts. I'd be happy to provide
> additional information about our past and current work on OpenStack
> security if anyone is interested.

As far as I know, nobody is working on block device encryption in QEMU
at this time.

The block layer is maintained by Kevin and Stefan (both cc'ed).
They, Eric and myself can assist you with interfaces.

[...]