[Qemu-devel] qemu-img create encryption

[Qemu-devel] qemu-img create encryption

[Hamilton, Peter A.]

[-- Attachment #1: Type: text/plain, Size: 466 bytes --]

I've been doing some work with qemu-img and encrypted qcow2 images and have
noticed that "qemu-img create" does not prompt for a password to encrypt new
images, defaulting (from the documentation I've read) to the empty string as
a password. Why does "qemu-img create" work this way?

I haven't been able to find any good, authoritative sources on this topic,
so if anyone knows of good documentation or rationale, please let me know.

Thanks in advance,
Peter H.



[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4622 bytes --]

Re: [Qemu-devel] qemu-img create encryption

[Markus Armbruster]

"Hamilton, Peter A." <Peter.Hamilton@jhuapl.edu> writes:

> I've been doing some work with qemu-img and encrypted qcow2 images and have
> noticed that "qemu-img create" does not prompt for a password to encrypt new
> images, defaulting (from the documentation I've read) to the empty string as
> a password. Why does "qemu-img create" work this way?
>
> I haven't been able to find any good, authoritative sources on this topic,
> so if anyone knows of good documentation or rationale, please let me know.

No answer to your question (sorry), but here goes anyway: in my opinion,
the QCOW2 encryption feature is amateur encryption, which should not be
used for anything worth encrypting in the first place.

Re: [Qemu-devel] qemu-img create encryption

[Daniel P. Berrange]

On Wed, Jun 26, 2013 at 02:52:51PM -0400, Hamilton, Peter A. wrote:
> I've been doing some work with qemu-img and encrypted qcow2 images and have
> noticed that "qemu-img create" does not prompt for a password to encrypt new
> images, defaulting (from the documentation I've read) to the empty string as
> a password. Why does "qemu-img create" work this way?
> 
> I haven't been able to find any good, authoritative sources on this topic,
> so if anyone knows of good documentation or rationale, please let me know.

The qcow2 encryption format is very simple. The password you provide is
directly used to encrypt the data blocks. There is level on indirection
as you have with, say LUKS, whereby the user password is used to encrypt
a separate key in the file header. As such there is no need for the qcow2
encryption key to be known when creating a file, only when reading/writing
data blocks.

Using the password directly as the encryption key makes the qcow2 data
encryption very vulnerable to weak passwords. It also means you can't
change the password of an existing image - you have to create a new image
with a new password & re-encrypt the data. LUKS is a much stronger crypto
design that qcow2's built-in encryption. I'd like to see qemu gain a block
driver that could natively support the LUKS data format as a strong replacement
for qcow2's encryption approach, but there's no work in this area.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] qemu-img create encryption

[Hamilton, Peter A.]

[-- Attachment #1: Type: text/plain, Size: 2612 bytes --]

> It also means you can't change the password of an existing image - you have 
> to create a new image with a new password & re-encrypt the data.

Following up on this point, since "qemu-img create" cannot be used to specify 
a password, is "qemu-img convert" the only command that can be used to provide 
one? Furthermore, since "convert" conducts a full copy of the source image, 
does this mean that it is not possible to have an encrypted CoW image with an 
encrypted backing file, where each is encrypted with a different password? The 
tests I have conducted up to this point seem to indicate that this is true.

Thanks,
Peter



-----Original Message-----
From: Daniel P. Berrange [mailto:berrange@redhat.com]
Sent: Thursday, June 27, 2013 5:36 AM
To: Hamilton, Peter A.
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] qemu-img create encryption

On Wed, Jun 26, 2013 at 02:52:51PM -0400, Hamilton, Peter A. wrote:
> I've been doing some work with qemu-img and encrypted qcow2 images and
> have noticed that "qemu-img create" does not prompt for a password to
> encrypt new images, defaulting (from the documentation I've read) to
> the empty string as a password. Why does "qemu-img create" work this way?
>
> I haven't been able to find any good, authoritative sources on this
> topic, so if anyone knows of good documentation or rationale, please let me 
> know.

The qcow2 encryption format is very simple. The password you provide is 
directly used to encrypt the data blocks. There is level on indirection as you 
have with, say LUKS, whereby the user password is used to encrypt a separate 
key in the file header. As such there is no need for the qcow2 encryption key 
to be known when creating a file, only when reading/writing data blocks.

Using the password directly as the encryption key makes the qcow2 data 
encryption very vulnerable to weak passwords. It also means you can't change 
the password of an existing image - you have to create a new image with a new 
password & re-encrypt the data. LUKS is a much stronger crypto design that 
qcow2's built-in encryption. I'd like to see qemu gain a block driver that 
could natively support the LUKS data format as a strong replacement for 
qcow2's encryption approach, but there's no work in this area.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4622 bytes --]

Re: [Qemu-devel] qemu-img create encryption

[Daniel P. Berrange]

On Thu, Jun 27, 2013 at 08:05:38AM -0400, Hamilton, Peter A. wrote:
> > It also means you can't change the password of an existing image - you have 
> > to create a new image with a new password & re-encrypt the data.
> 
> Following up on this point, since "qemu-img create" cannot be used to specify 
> a password, is "qemu-img convert" the only command that can be used to provide 

Any command which actually reads/writes data will take a password. So, yes,
I'd expect 'convert' to ask for one.

> one? Furthermore, since "convert" conducts a full copy of the source image, 
> does this mean that it is not possible to have an encrypted CoW image with an 
> encrypted backing file, where each is encrypted with a different password? The 
> tests I have conducted up to this point seem to indicate that this is true.

I'm honestly not too sure about the status of encryption wrt backing stores.
I wouldn't surprise me if you needed to use the same password for both the
top & lower level backing files. Equally though, there's no technical reason
why this should be required - just an impl limitation, if true.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|