Date: Tue, 23 Jul 2013 15:21:04 +0200
From: Benoît Canet
Message-ID: <20130723132104.GC5002@irqsave.net>
References: <20130723124706.GB5002@irqsave.net> <20130723130053.GW2477@redhat.com>
In-Reply-To: <20130723130053.GW2477@redhat.com>
Subject: Re: [Qemu-devel] QCOW2 cryptography and secure key handling
To: "Daniel P. Berrange"
Cc: Benoît Canet, kwolf@redhat.com, qemu-devel@nongnu.org, stefanha@redhat.com

> > Do you (the block maintainers) have an idea on how the code could be improved
> > to securely pass the crypto key to the QCOW2 code ?
>
> More generally, QCow2's current encryption support is woefully inadequate
> from a design POV. If we wanted better encryption built-in to QEMU it is
> best to just deprecate the current encryption support and define a new
> qcow2 extension based around something like the LUKS data format. Using
> the LUKS data format precisely would be good from a data portability
> POV, since then you can easily switch your images between LUKS encrypted
> block device & qcow2-with-luks image file, without needing to re-encrypt
> the data.

Thanks, I will read the LUKS specification.

Best regards

Benoît