On Tue, Apr 29, 2014 at 09:17:05AM +0000, Zhangleiqiang (Trump) wrote:
> Hi, all:
>
> I find Nova has supported volume encryption for LVM volume ([1]).
> Currently, qcow2 also supports encryption now, and there is libvirt's
> support too ([2]). After reading up the implementation, qcow2's support
> can be added to current framework.
> Do you think it is meaningful to introduce the support for qcow2
> volume encryption? The use case can be found in [1].

Support for qcow2 encryption has been proposed before and explicitly
rejected because qcow2's encryption scheme is considered fatally flawed
by design. See the warnings here

  http://qemu.weilnetz.de/qemu-doc.html#disk_005fimages_005fformats

In the short term simply avoid all use of qcow2 where encryption is
required and instead use LVM with dm-crypt which is known secure & well
reviewed by cryptographers.

In the medium-long term QCow2's built-in encryption scheme has to be
completely thrown away, and replaced by a new scheme that uses the
LUKS file format specification internally.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|