Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1406805 - RFE: enable use of LUKS in combination with qcow2.
Summary: RFE: enable use of LUKS in combination with qcow2.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.4
Assignee: Peter Krempa
QA Contact: yisun
Jiri Herrmann
Depends On: 760547 1406803
Blocks: 1518999 1352501 1636224
TreeView+ depends on / blocked
Reported: 2016-12-21 14:20 UTC by Daniel Berrange
Modified: 2019-04-09 12:17 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1518999 (view as bug list)
Last Closed: 2019-04-09 12:17:26 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Daniel Berrange 2016-12-21 14:20:22 UTC
Description of problem:
While there is a generic LUKS driver for QEMU that can be layered above or below any block backend, neither of these options are desirable in combination with QCow2.

If layered below qcow2, both the header & payload are encrypted making it impossible to query basic info about the qcow2 volume (eg its size) without decrypting it first.

If layered above qcow2, the payload is encrypted using virtual disk sector numbers as the input for initialization vectors. This is insecure when combined with qcow2 internal snapshots, since data in each snapshot will use the same initialization vector for any given guest sector.

Thus qemu will provide native integration of LUKS & qcow2. Libvirt needs to be able to enable this feature.

Version-Release number of selected component (if applicable):

Comment 10 Jaroslav Suchanek 2019-04-09 12:17:26 UTC
This feature will be finished in the next major release of RHEL.

Note You need to log in before you can comment on or make changes to this bug.