Date: Wed, 11 Mar 2015 11:10:16 +0100
From: Kevin Wolf
Message-ID: <20150311101016.GA6628@noname.str.redhat.com>
References: <1426008400-22016-1-git-send-email-armbru@redhat.com> <20150310181337.GG14255@redhat.com> <87pp8frk0b.fsf@blackfin.pond.sub.org> <20150311095926.GC22609@redhat.com>
In-Reply-To: <20150311095926.GC22609@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC 0/2] Limit support for encrypted images to qemu-img
To: "Daniel P. Berrange"
Cc: kraxel@redhat.com, stefanha@redhat.com, Markus Armbruster, qemu-block@nongnu.org, qemu-devel@nongnu.org

On 11.03.2015 at 10:59, Daniel P. Berrange wrote:
> On Wed, Mar 11, 2015 at 09:55:16AM +0100, Markus Armbruster wrote:
> > "Daniel P. Berrange" writes:
> > > FWIW, I could see an improved interaction scheme working as follows
> > >
> > > First, introduce a new monitor command for setting named passwords,
> > >
> > >   add_key mykey1 SECRETDATA
> > >
> > > Now, extend the blockdev_add so that you can provide key names
> > > by adding
> > >
> > >   'keyname': 'mykey1'
> > >
> > > as a parameter in the json args.
> >
> > Can you explain why that's better than sticking 'key': SECRETDATA right
> > into blockdev-add's arguments?
>
> Just have a small preference to keep passwords separated from the
> rest of the data, so when logging the stuff for debug purposes we
> don't compromise people's passwords quite so readily.
Indeed, it would be very easy for a password to end up in error messages,
or in json: "filenames" that might be used in query-block replies or in a
backing file path. BDS options should be considered more or less public.

> It is more
> straightforward for us to mask out the passwords if we can just
> match on the command name, and not have to try to grok the specific
> field in a large set of args. Also in terms of cold startup, it
> is not desirable to have the password directly included in the
> args to -drive or equiv, as that's visible in process listings.

Right, that too.

Kevin
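The two logging concerns raised in this thread, as an added example that is not part of the original discussion or of QEMU's code: masking by command name (the add_key scheme) versus hunting for secret fields inside nested blockdev-add arguments, and the way an inline key survives into a json: pseudo-filename. The QMP commands, the secret "hunter2", the field name "passphrase" and the json: encoder are all constructed simplifications, not QEMU's real behaviour.

```python
import json

# Constructed sample QMP commands modelled on the two schemes in the thread.
# "hunter2" stands in for the secret; "passphrase" is a hypothetical field name.
INLINE_CMD = {"execute": "blockdev-add", "arguments": {
    "driver": "qcow2", "id": "drive0", "key": "hunter2",
    "file": {"driver": "file", "filename": "enc.qcow2"},
    "backing": {"driver": "qcow2", "passphrase": "hunter2",
                "file": {"driver": "file", "filename": "base.qcow2"}}}}
ADD_KEY_CMD = {"execute": "add_key", "arguments": {"name": "mykey1", "secret": "hunter2"}}
NAMED_CMD = {"execute": "blockdev-add", "arguments": {
    "driver": "qcow2", "id": "drive0", "keyname": "mykey1",
    "file": {"driver": "file", "filename": "enc.qcow2"}}}

SECRET_COMMANDS = {"add_key"}          # every argument of these commands is secret
SECRET_FIELDS = {"key", "password"}    # field names a per-field masker knows about

def redact_by_command(cmd):
    """Named-key scheme: one test on the command name masks the whole payload."""
    if cmd["execute"] in SECRET_COMMANDS:
        return {"execute": cmd["execute"], "arguments": "<redacted>"}
    return cmd

def redact_by_field(obj):
    """Inline scheme: must walk nested BDS options and recognise every secret field."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS else redact_by_field(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_by_field(v) for v in obj]
    return obj

def json_pseudo_filename(bds_options):
    """Simplified model (assumption) of the json: filename derived from BDS options,
    which can surface in query-block replies and backing-file paths."""
    return "json:" + json.dumps(bds_options, sort_keys=True, separators=(",", ":"))

def exposes(value, secret):
    """True if the secret string survives in the serialised value."""
    return secret in json.dumps(value)

if __name__ == "__main__":
    print(exposes(redact_by_command(ADD_KEY_CMD), "hunter2"))                 # False
    print(exposes(redact_by_field(INLINE_CMD), "hunter2"))                    # True: 'passphrase' missed
    print(exposes(json_pseudo_filename(INLINE_CMD["arguments"]), "hunter2"))  # True
    print(exposes(json_pseudo_filename(NAMED_CMD["arguments"]), "hunter2"))   # False
```

The named-key form only ever puts "mykey1" into BDS options, so the pseudo-filename and any error message built from those options carry nothing worth masking.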