diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 22ef81052d..713d7aa88a 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2974,6 +2974,10 @@ See the Storage Encryption page for more information. +
+ Note that the 'qcow' format of encryption is broken and thus is no + longer supported for use with disk images. + (Since libvirt 4.5.0)reservations
qcow
format specifies that the built-in encryption
support in qcow
- or qcow2
-formatted volume
images should be used. A single
- <secret type='passphrase'>
element is expected. If
- the secret
element is not present during volume creation,
- a secret is automatically generated and attached to the volume.
+ <secret type='passphrase'>
element is expected. Note
+ that this encryption is inherently broken and should not be used any more.
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 2792fa7569..96793a5046 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4483,6 +4483,16 @@ qemuDomainValidateStorageSource(virStorageSourcePtr src,
return -1;
}
+ if ((src->format == VIR_STORAGE_FILE_QCOW ||
+ src->format == VIR_STORAGE_FILE_QCOW2) &&
+ src->encryption &&
+ (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT ||
+ src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_QCOW)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("old qcow/qcow2 encryption is not supported"));
+ return -1;
+ }
+
if (src->format == VIR_STORAGE_FILE_QCOW2 &&
src->encryption &&
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.args b/tests/qemuxml2argvdata/encrypted-disk-usage.args
index 8c7ce3d653..32307cea71 100644
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.args
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.args
@@ -7,6 +7,8 @@ QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-i686 \
-name encryptdisk \
-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
-machine pc,accel=tcg,usb=off,dump-guest-core=off \
-m 1024 \
-smp 1,sockets=1,cores=1,threads=1 \
@@ -22,7 +24,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
-no-acpi \
-boot c \
-usb \
--drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\
+-object secret,id=virtio-disk0-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
+encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
id=drive-virtio-disk0 \
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
id=virtio-disk0 \
diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.xml b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
index ad8f17e3df..205283b59d 100644
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.xml
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
@@ -18,7 +18,7 @@