The newly added luks-any rbd encryption format in qemu allows for opening both LUKS and LUKS2 encryption formats. This commit enables libvirt uses to use this wildcard format. Signed-off-by: Or Ozeri <oro@il.ibm.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
6.8 KiB
Storage volume encryption XML format
Storage volume encryption XML
Storage volumes may be encrypted, the XML snippet described below is used to represent the details of the encryption. It can be used as a part of a domain or storage configuration.
The top-level tag of volume encryption specification is encryption
, with a mandatory attribute format
. Currently defined values of format
are default
, qcow
, luks
, and luks2
. Each value of format
implies some expectations about the content of the encryption
tag. Other format values may be defined in the future.
The encryption
tag supports an optional engine
tag, which allows selecting which component actually handles the encryption. Currently defined values of engine
are qemu
and librbd
. Both qemu
and librbd
require using the qemu driver. The librbd
engine requires qemu version >= 6.1.0, both ceph cluster and librbd1 >= 16.1.0, and is only applicable for RBD network disks. If the engine tag is not specified, the qemu
engine will be used by default (assuming the qemu driver is used). Note that librbd
engine is currently only supported by the qemu VM driver, and is not supported by the storage driver. Furthermore, the storage driver currently ignores the engine
tag. since 9.3.0 RBD layered encryption is supported. Layered encryption requires a secret per each encrypted layer. The first secret corresponds to the (child) image itself, the second secret to the parent image, and so forth.
The encryption
tag can currently contain a sequence of secret
tags, each with mandatory attributes type
and either uuid
or usage
( since 2.1.0 ). The only currently defined value of type
is volume
. The uuid
is "uuid" of the secret
while usage
is the "usage" subelement field. A secret value can be set in libvirt by the virSecretSetValue API. Alternatively, if supported by the particular volume format and driver, automatically generate a secret value at the time of volume creation, and store it using the specified uuid
.
qcow
format
Since 4.5.0, encryption formats default
and qcow
may no longer be used to create an encrypted volume. Usage of qcow encrypted volumes in QEMU began phasing out in QEMU 2.3 and by QEMU 2.9 creation of a qcow encrypted volume via qemu-img required usage of secret objects, but that support was not added to libvirt.
luks
format
The luks
format is specific to a luks encrypted volume and the secret is used in order to either encrypt during volume creation or decrypt the volume for usage by the domain. A single <secret type='passphrase'...>
element is expected (except for the case of RBD layered encryption mentioned above). Since 2.1.0 .
For volume creation, it is possible to specify the encryption algorithm used to encrypt the luks volume. The following two optional elements may be provided for that purpose. It is hypervisor dependent as to which algorithms are supported. The default algorithm used by the storage driver backend when using qemu-img to create the volume is 'aes-256-cbc' using 'essiv' for initialization vector generation and 'sha256' hash algorithm for both the cipher and the initialization vector generation.
cipher
This element describes the cipher algorithm to be used to either encrypt or decrypt the luks volume. This element has the following attributes:
name
The name of the cipher algorithm used for data encryption, such as 'aes', 'des', 'cast5', 'serpent', 'twofish', etc. Support of the specific algorithm is storage driver implementation dependent.
size
The size of the cipher in bits, such as '256', '192', '128', etc. Support of the specific size for a specific cipher is hypervisor dependent.
mode
An optional cipher algorithm mode such as 'cbc', 'xts', 'ecb', etc. Support of the specific cipher mode is hypervisor dependent.
hash
An optional master key hash algorithm such as 'md5', 'sha1', 'sha256', etc. Support of the specific hash algorithm is hypervisor dependent.
ivgen
This optional element describes the initialization vector generation algorithm used in conjunction with the
cipher
. If thecipher
is not provided, then an error will be generated by the parser.name
The name of the algorithm, such as 'plain', 'plain64', 'essiv', etc. Support of the specific algorithm is hypervisor dependent.
hash
An optional hash algorithm such as 'md5', 'sha1', 'sha256', etc. Support of the specific ivgen hash algorithm is hypervisor dependent.
luks2
format
The luks2
format is currently supported only by the librbd
engine, and can only be applied to RBD network disks (RBD images). Since the librbd
engine is currently not supported by the libvirt storage driver, you cannot use it to control such disks. However, pre-formatted RBD luks2 disks can be loaded to a qemu VM using the qemu VM driver. A single <secret type='passphrase'...>
element is expected (except for the case of RBD layered encryption mentioned above).
luks-any
format
The luks-any
format is currently supported only by the librbd
engine, and can only be applied to RBD network disks (RBD images). This format will try to parse the disk as either LUKS or LUKS2, depending on the actual on-disk format. A single <secret type='passphrase'...>
element is expected (except for the case of RBD layered encryption mentioned above) Since 9.3.0 .
Examples
Assuming a luks volume type secret is already defined, a simple example specifying use of the luks
format for either volume creation without a specific cipher being defined or as part of a domain volume definition:
<encryption format='luks'>
<secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
</encryption>
Here is an example specifying use of the luks
format for a specific cipher algorithm for volume creation. Since 6.10.0, the target
format can also support qcow2
type with luks
encryption.
<volume>
<name>twofish.luks</name>
<capacity unit='G'>5</capacity>
<target>
<path>/var/lib/libvirt/images/demo.luks</path>
<format type='raw'/>
<encryption format='luks'>
<secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
<cipher name='twofish' size='256' mode='cbc' hash='sha256'/>
<ivgen name='plain64' hash='sha256'/>
</encryption>
</target>
</volume>