[Libguestfs] [guestfs-tools PATCH 2/2] sysprep: advise against cloning VMs with internal full disk encryption

Richard W.M. Jones rjones at redhat.com
Thu Jul 14 12:41:51 UTC 2022


On Thu, Jul 14, 2022 at 12:40:05PM +0200, Laszlo Ersek wrote:
> This is relevant for sysprep because we recommend sysprep for facilitating
> cloning.
> 
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2106286
> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> ---
>  sysprep/virt-sysprep.pod | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
> index deeb5341e57c..232b9f24ba27 100644
> --- a/sysprep/virt-sysprep.pod
> +++ b/sysprep/virt-sysprep.pod
> @@ -519,6 +519,13 @@ Either or both options can be used multiple times on the command line.
>  
>  =head1 SECURITY
>  
> +Virtual machines that employ full disk encryption I<internally to the
> +guest> should not be considered for cloning and distribution, as it
> +provides multiple parties with the same internal volume key, enabling
> +any one such party to decrypt all the other clones.  Refer to the L<LUKS
> +FAQ|https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md> for
> +details.
> +
>  Although virt-sysprep removes some sensitive information from the
>  guest, it does not pretend to remove all of it.  You should examine
>  the L</OPERATIONS> above and the guest afterwards.
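Review bot: In the added SECURITY paragraph, "as it provides multiple parties with the same internal volume key" has no clear antecedent for "it", since the sentence's subject is "Virtual machines". Rewording along the lines of "because every clone then shares the same internal volume key" would fix that. The L<> link also targets the whole FAQ.md on the main branch, so the reader has to hunt for the relevant entry; naming the FAQ item in the text would make the reference easier to follow and more robust if the file is reorganized. Finally, the paragraph says what not to do but stops there: consider stating explicitly whether virt-sysprep does anything about the volume key, so readers do not assume one of the L</OPERATIONS> covers it.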
> -- 

For the whole series:

Reviewed-by: Richard W.M. Jones <rjones at redhat.com>

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

