storage backup with encryption on-the-fly ?

lejeczek peljasz at yahoo.co.uk
Fri Apr 7 17:42:11 UTC 2023



On 06/04/2023 16:12, Peter Krempa wrote:
> On Thu, Apr 06, 2023 at 15:22:10 +0200, lejeczek wrote:
>> Hi guys.
>>
>> Is there a solution, perhaps a function of libvirt, to backup guest's
>> storage and encrypt the resulting image file?
>> On-the-fly ideally.
>> If not ready/built-in solution then perhaps a best technique you
>> recommend/use?
>> I currently use 'backup-begin' on qcow2s, which are LUKS encrypted.
> libvirt's block code supports the raw+luks and qcow2+luks encrypted
> image formats with qemu. You should be able to use both for backups too:
>
>
>   <domainbackup mode='push'>
>     <disks>
>       <disk name='vda' type='file'>
>         <driver type='qcow2'/>
>         <target file='/tmp/backup-test-images/backup-vda.qcow2'>
>           <encryption format='luks'>
>             <secret type='passphrase' uuid='d5c7780c-80c4-45eb-bee9-9fbbc1f3847c'/>
>           </encryption>
>         </target>
>       </disk>
>     </disks>
>   </domainbackup>
>
> Another option would be to use an encrypted device-mapper device via the
> block backend.
>
> Lastly if you need any other storage format the 'pull' mode of backups
> exposes a (optionally TLS-encrypted) NBD socket from where a client
> application can pull the blocks for backup and store them in any way it
> wants.
>
That works as I hoped, nice & smooth, I've not had the right XML syntax.
Are there any docs with more details on the other two alternatives?
Many thanks, L.
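
A pre-flight check for the push-mode backup XML discussed in this thread, as an added example that is not part of the original messages or of libvirt: it reports any disk whose backup target lacks a LUKS `<encryption>` element with a UUID-referenced secret. The function names and the `vdb`/`vdc` entries are constructed for illustration, and requiring an explicit `mode='push'` and a `uuid` attribute on the secret is this example's assumption.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed sample: vda mirrors the thread's target, vdb lacks <encryption>,
# vdc is excluded from the backup.
SAMPLE = """<domainbackup mode='push'>
  <disks>
    <disk name='vda' type='file'>
      <driver type='qcow2'/>
      <target file='/tmp/backup-test-images/backup-vda.qcow2'>
        <encryption format='luks'>
          <secret type='passphrase' uuid='d5c7780c-80c4-45eb-bee9-9fbbc1f3847c'/>
        </encryption>
      </target>
    </disk>
    <disk name='vdb' type='file'>
      <target file='/tmp/backup-test-images/backup-vdb.qcow2'/>
    </disk>
    <disk name='vdc' backup='no'/>
  </disks>
</domainbackup>"""

def has_luks_secret(target):
    """True if <target> has <encryption format='luks'> with a UUID-referenced secret."""
    enc = target.find("encryption") if target is not None else None
    if enc is None or enc.get("format") != "luks":
        return False
    secret = enc.find("secret")
    try:
        uuid.UUID(secret.get("uuid", "") if secret is not None else "")
    except ValueError:
        return False
    return True

def unencrypted_targets(xml_text):
    """Names of disks whose push-mode backup image would be written unencrypted."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a missing closing tag
        raise ValueError(f"backup XML is not well-formed: {exc}") from exc
    if root.tag != "domainbackup" or root.get("mode") != "push":
        raise ValueError("this check only handles <domainbackup mode='push'>")
    return [d.get("name") for d in root.findall("./disks/disk")
            if d.get("backup", "yes") != "no"
            and not has_luks_secret(d.find("target"))]

if __name__ == "__main__":
    print(unencrypted_targets(SAMPLE))
```

Running the check on the XML file before handing it to `backup-begin` catches both a disk that would be backed up in the clear and a definition that is not well-formed.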


