On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> Provide a block encryption implementation that follows the
> LUKS/dm-crypt specification.
>
> This supports all combinations of hash, cipher algorithm,
> cipher mode and iv generator that are implemented by the
> current crypto layer.
>
> The notable missing feature is support for the 'xts'
> cipher mode, which is commonly used for disk encryption
> instead of 'cbc'. This is because it is not provided by
> either nettle or libgcrypt. A suitable implementation
> will be identified & integrated later.
>
> There is support for opening existing volumes formatted
> by dm-crypt, and for formatting new volumes. In the latter
> case it will only use key slot 0.
>
> Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
> ---
> +++ b/qapi/crypto.json
> @@ -101,12 +101,13 @@
>  # The supported full disk encryption formats
>  #
>  # @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
> +# @luks: LUKS encryption format. Recommended
>  #
>  # Since: 2.6
>  ##
>  { 'enum': 'QCryptoBlockFormat',
>  #  'prefix': 'QCRYPTO_BLOCK_FORMAT',
> -  'data': ['qcowaes']}
> +  'data': ['qcowaes', 'luks']}
>
>  ##
>  # QCryptoBlockOptionsBase:
> @@ -134,6 +135,39 @@
>    'data': { '*key-id': 'str' }}
>
>  ##
> +# QCryptoBlockOptionsLUKS:
> +#
> +# The options that apply to LUKS encryption format
> +#
> +# @key-id: the ID of a QCryptoSecret object providing the decryption key

Is the key-id really optional? If so, missing the '#optional' tag.

> +# Since: 2.6
> +##
> +{ 'struct': 'QCryptoBlockOptionsLUKS',
> +  'data': { '*key-id': 'str' }}
> +
> +
> +##
> +# QCryptoBlockCreateOptionsLUKS:
> +#
> +# The options that apply to LUKS encryption format initialization
> +#
> +# @cipher-alg: (optional) the cipher algorithm for data encryption

Marc-Andre's pending patches to auto-generate docs from the .json files
want this to be s/(optional)/#optional/ (here and elsewhere).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
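Review bot: In the QCryptoBlockFormat hunk, the new `+# @luks: LUKS encryption format. Recommended` line and the existing `@qcowaes: ... Do not use` line give a verdict without a reason; since this enum is what users read when choosing a format, consider one clause on each stating why (the commit message already notes that the qcow built-in scheme is being superseded and that 'xts' is not yet available here), so the recommendation can be followed for the right reason rather than on trust.

Review bot: In the QCryptoBlockOptionsLUKS hunk, `+  'data': { '*key-id': 'str' }}` makes the key optional in the schema while the doc line describes it as "the ID of a QCryptoSecret object providing the decryption key" and says nothing about what happens when it is omitted. If a LUKS volume cannot be opened without a key, drop the leading '*' so that a missing key-id is rejected at QAPI validation, where the caller gets a clear error, instead of failing later inside the block layer; if it is genuinely optional, add the '#optional' tag and document the fallback. The same mismatch appears in QCryptoBlockCreateOptionsLUKS, where `@cipher-alg: (optional)` in prose should be '#optional' so the generated docs agree with the '*' in 'data'.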