On 06/01/2017 12:27 PM, Daniel P. Berrange wrote: > Update the qcow2 specification to describe how the LUKS header is > placed inside a qcow2 file, when using LUKS encryption for the > qcow2 payload instead of the legacy AES-CBC encryption > > Reviewed-by: Eric Blake <ebl...@redhat.com> > Reviewed-by: Alberto Garcia <be...@igalia.com> > Reviewed-by: Max Reitz <mre...@redhat.com> > Signed-off-by: Daniel P. Berrange <berra...@redhat.com> > --- > docs/specs/qcow2.txt | 103 > +++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 103 insertions(+) >
> +== Data encryption == > + > +When an encryption method is requested in the header, the image payload > +data must be encrypted/decrypted on every write/read. The image headers > +and metadata are never encrypted. > + > +The algorithms used for encryption vary depending on the method > + > + - AES: > + > + The AES cipher, in CBC mode, with 256 bit keys. > + > + Initialization vectors generated using plain64 method, with > + the virtual disk sector as the input tweak. > + > + This format is no longer supported in QEMU system emulators, due > + to a number of design flaws affecting it security. It is only s/affecting it/affecting its/ Can keep my R-b. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature