[Libguestfs] Parameter 'encrypt.key-secret' is required for cipher for virt-ls

Eric Blake eblake at redhat.com
Thu Oct 6 14:59:25 UTC 2022


On Thu, Oct 06, 2022 at 03:33:34PM +0100, Richard W.M. Jones wrote:
> > > Could you please provide an example on how to get such an encrypted disk
> > > mounted?
> > 
> > My understanding is that libguestfs (and guestfs-tools) do not currently
> > support the kind of encrypted disk where the encryption is implemented
> > by QEMU, at the qcow2 layer.
> 
> I think the only sane way to do this at the moment is to open the
> image first using qemu-nbd and then connect libguestfs to the NBD
> socket.  In other words something like this:
> 
> $ qemu-nbd --object secret,id=sec0,data=secretpassword \
>            --image-opts driver=qcow2,file.filename=machine1.qcow2,encrypt.format=luks,encrypt.key-secret=sec0 \
>            -t -k /tmp/socket &
> $ guestfish --format=raw -a 'nbd+unix:///?socket=/tmp/socket' -i

It may also be possible to use qemu-storage-daemon's fuse export to
access the unencrypted contents without going through NBD; but the
point remains the same of having qemu do the translation into a format
that guestfish can access.  I'm less familiar with the command line
needed to set up a q-s-d fuse export; a quick Google search found
https://www.lightnetics.com/topic/31893/exporting-block-devices-as-raw-image-files-with-fuse
which might be helpful in your explorations.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
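
The qemu-nbd approach quoted above, as an added example that is not part of the original message: it reads the passphrase from a file with the secret object's `file=` option instead of `data=` on the command line, keeps the socket in a private directory, and opens everything read-only. The function names, the `sec0` id reuse, and the read-only choice are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes qemu-nbd and guestfish
# are installed and that the image only needs to be inspected, not modified.

# QEMU option strings use ',' as a separator, so a literal comma in a
# file name has to be doubled.
escape_commas() { printf '%s' "$1" | sed 's/,/,,/g'; }

# $1 = qcow2 image path, $2 = secret id
build_image_opts() {
    printf 'driver=qcow2,file.filename=%s,encrypt.format=luks,encrypt.key-secret=%s' \
        "$(escape_commas "$1")" "$2"
}

# $1 = secret id, $2 = file holding the passphrase.
# file= keeps the passphrase out of the process list and shell history.
# Write the key file with printf '%s' so no trailing newline becomes
# part of the passphrase.
build_secret_object() {
    printf 'secret,id=%s,file=%s' "$1" "$(escape_commas "$2")"
}

# $1 = image, $2 = key file. The body is a subshell, so its variables and
# its EXIT trap stay local to this function.
inspect_encrypted_qcow2() (
    dir=$(mktemp -d) || exit 1      # mode 0700: only this user can reach the socket
    trap 'kill "$(cat "$dir/nbd.pid" 2>/dev/null)" 2>/dev/null; rm -rf "$dir"' EXIT
    qemu-nbd --read-only --fork --pid-file "$dir/nbd.pid" \
        --object "$(build_secret_object sec0 "$2")" \
        --image-opts "$(build_image_opts "$1" sec0)" \
        -t -k "$dir/nbd.sock" || exit 1
    guestfish --ro --format=raw -a "nbd+unix:///?socket=$dir/nbd.sock" -i
)

# Runs only when called as: script IMAGE KEYFILE
if [ "$#" -eq 2 ]; then
    inspect_encrypted_qcow2 "$1" "$2"
fi
```
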

