[libvirt] [PATCH 1/9] Add volume encryption information handling.

Daniel P. Berrange berrange at redhat.com
Thu Jul 23 20:29:33 UTC 2009 

On Tue, Jul 21, 2009 at 01:11:57PM +0200, Miloslav Trma?? wrote:
> Define an <encryption> tag specifying volume encryption format and
> format-depenedent parameters (e.g. passphrase, cipher name, key
> length, key).
> 
> In most cases, the "secrets" (passphrases/keys) should only be
> transferred from libvirt users to libvirt, not the other way around.
> (Volume creation, when libvirt generates secrets for the user,
> is the only planned exception).
> 
> Permanent storage of the secrets should be implemented outside of
> libvirt, although virDomainDefineXML() will cause libvirtd to store
> the secret locally with a domain.
> 
> Only the qcow/qcow2 encryption format is currently supported,
> with the key/passphrase represented using base64.
> 
> This patch does not add any users; the <encryption> tag is added in
> the following patches to both volumes (to support encrypted volume
> creation) and domains.

[snip]

> +#include <stdbool.h>
> +#include <libxml/tree.h>
> +
> +enum virStorageEncryptionFormat {
> +    VIR_STORAGE_ENCRYPTION_FORMAT_UNENCRYPTED = 0,
> +    VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
> +
> +    VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
> +};
> +VIR_ENUM_DECL(virStorageEncryptionFormat)
> +
> +typedef struct _virStorageEncryption virStorageEncryption;
> +typedef virStorageEncryption *virStorageEncryptionPtr;
> +struct _virStorageEncryption {
> +    int format;            /* enum virStorageEncryptionFormat */
> +
> +    union {                /* Format-specific data */
> +        struct {
> +            char *passphrase;
> +        } qcow;
> +    } v;
> +};

As with the XML format, I'd like to avoid encoding qcow as a 
structural element here. Instead go for a generic storage of
secrets.


  enum virStorageEncryptionSecret {
    VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE,
  };
 
  struct virStorageSecret{
     int type;    /* enum virStorageSecret */

     union {
        char *passphrase;
     } data;
  };

  struct _virStorageEncryption {
    unsigned encrypted : 1;

    int nsecrets;
    virStorageSecret *secrets;
  }

This allows for > 1 secret should we need that (eg, for LUKS/cryptsetup
volume)

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list