[Libguestfs] [guestfs-tools PATCH 2/2] sysprep: advise against cloning VMs with internal full disk encryption
Laszlo Ersek
lersek at redhat.com
Fri Jul 15 06:29:45 UTC 2022
On 07/14/22 14:41, Richard W.M. Jones wrote:
> On Thu, Jul 14, 2022 at 12:40:05PM +0200, Laszlo Ersek wrote:
>> This is relevant for sysprep because we recommend sysprep for facilitating
>> cloning.
>>
>> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2106286
>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
>> ---
>> sysprep/virt-sysprep.pod | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
>> index deeb5341e57c..232b9f24ba27 100644
>> --- a/sysprep/virt-sysprep.pod
>> +++ b/sysprep/virt-sysprep.pod
>> @@ -519,6 +519,13 @@ Either or both options can be used multiple times on the command line.
>>
>> =head1 SECURITY
>>
>> +Virtual machines that employ full disk encryption I<internally to the
>> +guest> should not be considered for cloning and distribution, as it
>> +provides multiple parties with the same internal volume key, enabling
>> +any one such party to decrypt all the other clones. Refer to the L<LUKS
>> +FAQ|https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md> for
>> +details.
>> +
>> Although virt-sysprep removes some sensitive information from the
>> guest, it does not pretend to remove all of it. You should examine
>> the L</OPERATIONS> above and the guest afterwards.
>> --
>
> For the whole series:
>
> Reviewed-by: Richard W.M. Jones <rjones at redhat.com>
Commit range a7ffb717306f..b49ee909f5d1.
Thanks!
Laszlo
More information about the Libguestfs
mailing list