[libvirt] [PATCH 1/9] Add volume encryption information handling.
Daniel P. Berrange
berrange at redhat.com
Thu Jul 23 20:29:33 UTC 2009
On Tue, Jul 21, 2009 at 01:11:57PM +0200, Miloslav Trmač wrote:
> Define an <encryption> tag specifying volume encryption format and
> format-dependent parameters (e.g. passphrase, cipher name, key
> length, key).
>
> In most cases, the "secrets" (passphrases/keys) should only be
> transferred from libvirt users to libvirt, not the other way around.
> (Volume creation, when libvirt generates secrets for the user,
> is the only planned exception).
>
> Permanent storage of the secrets should be implemented outside of
> libvirt, although virDomainDefineXML() will cause libvirtd to store
> the secret locally with a domain.
>
> Only the qcow/qcow2 encryption format is currently supported,
> with the key/passphrase represented using base64.
>
> This patch does not add any users; the <encryption> tag is added in
> the following patches to both volumes (to support encrypted volume
> creation) and domains.
[snip]
> +#include <stdbool.h>
> +#include <libxml/tree.h>
> +
> +enum virStorageEncryptionFormat {
> + VIR_STORAGE_ENCRYPTION_FORMAT_UNENCRYPTED = 0,
> + VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
> +
> + VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
> +};
> +VIR_ENUM_DECL(virStorageEncryptionFormat)
> +
> +typedef struct _virStorageEncryption virStorageEncryption;
> +typedef virStorageEncryption *virStorageEncryptionPtr;
> +struct _virStorageEncryption {
> + int format; /* enum virStorageEncryptionFormat */
> +
> + union { /* Format-specific data */
> + struct {
> + char *passphrase;
> + } qcow;
> + } v;
> +};
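Review bot: the `char *passphrase` member of the `qcow` union carries key material (the commit message says the key/passphrase travels here base64-encoded), but the hunk states no ownership or cleanup rule for it; the free routine that accompanies `virStorageEncryption` should overwrite the string before releasing it, so a secret that was only meant to go from the client into libvirt does not remain in freed heap memory. A one-line comment on the member ("owned by the struct, wiped on free") would make the contract visible at the declaration, and `int format; /* enum virStorageEncryptionFormat */` should be range-checked against `VIR_STORAGE_ENCRYPTION_FORMAT_LAST` wherever the XML parser fills it in, since the declaration does not constrain it.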
As with the XML format, I'd like to avoid encoding qcow as a
structural element here. Instead go for a generic storage of
secrets.
enum virStorageEncryptionSecret {
    VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE,
};

struct virStorageSecret {
    int type; /* enum virStorageEncryptionSecret */
    union {
        char *passphrase;
    } data;
};

struct _virStorageEncryption {
    unsigned encrypted : 1;
    int nsecrets;
    struct virStorageSecret *secrets;
};
This allows for > 1 secret should we need that (eg, for LUKS/cryptsetup
volume)
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
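As an added example (not libvirt code, and not Daniel's or Miloslav's), the generic secret container sketched in the reply above, filled out with the pieces a reviewer would want next to it: a documented ownership rule, lookup by secret type and position (so a format needing more than one secret, the LUKS case mentioned, can pick them out), a validity check tying the `encrypted` bit to `nsecrets`, and a clear routine that wipes passphrases before freeing them. All function names and the `wipe_memset` helper are hypothetical; only the struct shape follows the sketch.

```c
/* Added example: a format-independent secret container in the shape of the
 * sketch above.  Names imitate libvirt's style but are hypothetical; nothing
 * here is the project's own API. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

enum virStorageEncryptionSecretType {
    VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE = 0,
    VIR_STORAGE_ENCRYPTION_SECRET_LAST
};

typedef struct _virStorageSecret {
    int type;                 /* enum virStorageEncryptionSecretType */
    union {
        char *passphrase;     /* NUL-terminated; owned by this struct, wiped on clear */
    } data;
} virStorageSecret;

typedef struct _virStorageEncryption {
    unsigned encrypted : 1;
    size_t nsecrets;
    virStorageSecret *secrets;   /* array of nsecrets entries, owned */
} virStorageEncryption;

/* Calling memset through a volatile function pointer stops the compiler from
 * dropping the store as dead; explicit_bzero() is preferable where available. */
static void *(*volatile wipe_memset)(void *, int, size_t) = memset;

static void virStorageSecretWipe(virStorageSecret *s)
{
    if (s->type == VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE && s->data.passphrase) {
        wipe_memset(s->data.passphrase, 0, strlen(s->data.passphrase));
        free(s->data.passphrase);
        s->data.passphrase = NULL;
    }
}

/* Append a passphrase secret.  The string is copied; the caller keeps its own. */
int virStorageEncryptionAddPassphrase(virStorageEncryption *enc, const char *passphrase)
{
    virStorageSecret *tmp;
    size_t len;
    char *copy;

    if (!enc || !passphrase)
        return -1;
    len = strlen(passphrase);
    copy = malloc(len + 1);
    if (!copy)
        return -1;
    memcpy(copy, passphrase, len + 1);
    tmp = realloc(enc->secrets, (enc->nsecrets + 1) * sizeof(*tmp));
    if (!tmp) {
        wipe_memset(copy, 0, len);   /* do not leak the copy's contents either */
        free(copy);
        return -1;
    }
    enc->secrets = tmp;
    enc->secrets[enc->nsecrets].type = VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE;
    enc->secrets[enc->nsecrets].data.passphrase = copy;
    enc->nsecrets++;
    enc->encrypted = 1;
    return 0;
}

/* Return the idx-th passphrase secret, or NULL if there are fewer than idx+1.
 * A format that needs several secrets selects them by position this way. */
const char *virStorageEncryptionGetPassphrase(const virStorageEncryption *enc, size_t idx)
{
    size_t i, seen = 0;

    if (!enc)
        return NULL;
    for (i = 0; i < enc->nsecrets; i++) {
        if (enc->secrets[i].type != VIR_STORAGE_ENCRYPTION_SECRET_PASSPHRASE)
            continue;
        if (seen++ == idx)
            return enc->secrets[i].data.passphrase;
    }
    return NULL;
}

/* Invariant the XML parser should enforce: an unencrypted volume carries no
 * secrets and an encrypted one carries at least one. */
bool virStorageEncryptionIsValid(const virStorageEncryption *enc)
{
    if (!enc)
        return false;
    return enc->encrypted ? enc->nsecrets > 0 : enc->nsecrets == 0;
}

/* Wipe every secret, release the array and return to the unencrypted state. */
void virStorageEncryptionClear(virStorageEncryption *enc)
{
    size_t i;

    if (!enc)
        return;
    for (i = 0; i < enc->nsecrets; i++)
        virStorageSecretWipe(&enc->secrets[i]);
    free(enc->secrets);
    enc->secrets = NULL;
    enc->nsecrets = 0;
    enc->encrypted = 0;
}
```

With this shape the qcow case is simply "encrypted with one PASSPHRASE secret", and a future format that needs several secrets adds entries rather than a new union member; the clear routine is the only place that has to know that a secret type holds key material.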