From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41363)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1Us8cs-00062T-9w
	for qemu-devel@nongnu.org; Thu, 27 Jun 2013 05:36:27 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1Us8cq-0007kX-Cp
	for qemu-devel@nongnu.org; Thu, 27 Jun 2013 05:36:26 -0400
Received: from mx1.redhat.com ([209.132.183.28]:42986)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1Us8cq-0007kH-4i
	for qemu-devel@nongnu.org; Thu, 27 Jun 2013 05:36:24 -0400
Date: Thu, 27 Jun 2013 10:36:16 +0100
From: "Daniel P. Berrange" <berrange@redhat.com>
Message-ID: <20130627093616.GA2621@redhat.com>
References: <EE1A64E628992240A94E2B625745F01674FD425CB8@aplesstripe.dom1.jhuapl.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <EE1A64E628992240A94E2B625745F01674FD425CB8@aplesstripe.dom1.jhuapl.edu>
Subject: Re: [Qemu-devel] qemu-img create encryption
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Hamilton, Peter A." <Peter.Hamilton@jhuapl.edu>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>

On Wed, Jun 26, 2013 at 02:52:51PM -0400, Hamilton, Peter A. wrote:
> I've been doing some work with qemu-img and encrypted qcow2 images and have
> noticed that "qemu-img create" does not prompt for a password to encrypt new
> images, defaulting (from the documentation I've read) to the empty string as
> a password. Why does "qemu-img create" work this way?
> 
> I haven't been able to find any good, authoritative sources on this topic,
> so if anyone knows of good documentation or rationale, please let me know.

The qcow2 encryption format is very simple. The password you provide is
directly used to encrypt the data blocks. There is level on indirection
as you have with, say LUKS, whereby the user password is used to encrypt
a separate key in the file header. As such there is no need for the qcow2
encryption key to be known when creating a file, only when reading/writing
data blocks.

Using the password directly as the encryption key makes the qcow2 data
encryption very vulnerable to weak passwords. It also means you can't
change the password of an existing image - you have to create a new image
with a new password & re-encrypt the data. LUKS is a much stronger crypto
design that qcow2's built-in encryption. I'd like to see qemu gain a block
driver that could natively support the LUKS data format as a strong replacement
for qcow2's encryption approach, but there's no work in this area.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|