[openstack-dev] [Nova] Add Qcow2 volume encryption support

Zhangleiqiang (Trump) zhangleiqiang at huawei.com
Tue Apr 29 10:15:11 UTC 2014


@Daniel:

	Thanks for your explanation, it helps me a lot. 


----------
zhangleiqiang (Trump)

Best Regards


> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange at redhat.com]
> Sent: Tuesday, April 29, 2014 5:33 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Nova] Add Qcow2 volume encryption support
> 
> On Tue, Apr 29, 2014 at 09:17:05AM +0000, Zhangleiqiang (Trump) wrote:
> > Hi, all:
> >
> > 	I find Nova has supported volume encryption for LVM volumes ([1]).
> > Currently, qcow2 also supports encryption, and there is libvirt's
> > support too ([2]). After reading up on the implementation, qcow2's
> > support can be added to the current framework.
> > 	Do you think it is meaningful to introduce the support for qcow2
> > volume encryption? The use case can be found in [1].
> 
> Support for qcow2 encryption has been proposed before and explicitly rejected
> because qcow2's encryption scheme is considered fatally flawed by design. See
> the warnings here
> 
>   http://qemu.weilnetz.de/qemu-doc.html#disk_005fimages_005fformats
> 
> In the short term simply avoid all use of qcow2 where encryption is required and
> instead use LVM with dm-crypt which is known secure & well reviewed by
> cryptographers.
> 
> In the medium-long term QCow2's built-in encryption scheme has to be
> completely thrown away, and replaced by a new scheme that uses the LUKS file
> format specification internally.
> 
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-
> http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-
> http://virt-manager.org :|
> |: http://autobuild.org       -o-
> http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-
> http://live.gnome.org/gtk-vnc :|
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
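
An added example, not part of the thread and not Nova or QEMU code: a Python check that reads the `crypt_method` field of a qcow2 header (a big-endian 32-bit value at byte offset 32; per the qcow2 format specification 0 is no encryption, 1 is the built-in AES scheme and 2 is LUKS) to find images that still rely on the built-in scheme discussed above. The function names and the sample headers are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# crypt_method values defined by the qcow2 format specification.
CRYPT_METHODS = {0: "none", 1: "aes-legacy", 2: "luks"}


def qcow2_crypt_method(header: bytes) -> str:
    """Return the encryption method recorded in a qcow2 (v2/v3) header."""
    if len(header) < 36:
        raise ValueError("truncated header: need at least 36 bytes")
    magic, version = struct.unpack_from(">4sI", header, 0)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        # Version 1 images use a different header layout.
        raise ValueError(f"unsupported qcow version {version}")
    (method,) = struct.unpack_from(">I", header, 32)
    return CRYPT_METHODS.get(method, f"unknown({method})")


def read_header(path: str) -> bytes:
    """Read only the fixed-size part of the header from an image file."""
    with open(path, "rb") as f:
        return f.read(36)


def images_to_migrate(headers: dict) -> list:
    """Names of images that use the built-in AES scheme, sorted."""
    flagged = []
    for name, header in headers.items():
        try:
            if qcow2_crypt_method(header) == "aes-legacy":
                flagged.append(name)
        except ValueError:
            continue  # not qcow2 (e.g. raw or LVM-backed): out of scope here
    return sorted(flagged)


def make_header(method: int, version: int = 3) -> bytes:
    """Constructed sample: a minimal 36-byte header, 1 GiB virtual size."""
    return struct.pack(">4sIQIIQI", QCOW2_MAGIC, version, 0, 0, 16, 1 << 30, method)


if __name__ == "__main__":
    sample = {"plain.qcow2": make_header(0), "old.qcow2": make_header(1),
              "new.qcow2": make_header(2), "disk.raw": b"\x00" * 64}
    print(images_to_migrate(sample))
```

For images on disk, pass `read_header(path)` for each file; only the first 36 bytes are read, so the check does not touch guest data.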


