Feature #5402

KVM support for LUKS volumes?

Added by Laurence Gill almost 4 years ago. Updated almost 4 years ago.

Status: Pending
Start date: 09/25/2017
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution:
Pull request:

Description

Are there any plans to support LUKS volumes for virtual machines? I have not managed to find any discussions around this on any OpenNebula mailing lists.

https://libvirt.org/formatstorageencryption.html#StorageEncryptionLuks

I think it would require qemu 2.6:

https://wiki.qemu.org/ChangeLog/2.6#Block_devices_2

...and also libvirt 2.2.0, and I'd guess you need to create a secret on the hypervisor, unless it could be randomly generated if you are creating an empty datablock to install to. Although if you created the volume outside of OpenNebula I suppose you could pass the parameters through using the raw KVM contextualisation.

Thoughts? Silly idea?

Cheers

History

#1 Updated by Laurence Gill almost 4 years ago

I made a bit of progress on this, see
https://github.com/laurencegill/one/commit/d9ecac77d66af9fdecc4138c5ff2c436224363d7

Tested on Debian jessie, and you need to install the qemu/libvirt packages from backports to get the encryption support:

apt-get -t jessie-backports install libvirt0
apt-get -t jessie-backports install qemu-kvm qemu-utils qemu-block-extra qemu-system-common qemu-system-x86

Then create the image and import it, create the libvirt secret etc., then you can attach the disk and it is decrypted. If it doesn't work you will still see the device as an encrypted LUKS disk (luksDump).

The question now is how to generate this the libvirt xml at deployment to contain the libvirt xml? I am a bit stuck here. Does the LibVirtDriverKVM.cc file need changing, or is there a simpler way to change what is generated in the deployment file when instantiating the VM?

#2 Updated by Anton Todorov almost 4 years ago

There is an entry in the backlog addressing the option to alter the VM deployment XML before deploy (#4880).

Currently I am patching the vmm/kvm/deploy script to execute a script to edit the deployment XML file before it is passed to libvirt.

Best Regards,
Anton Todorov

#3 Updated by Laurence Gill almost 4 years ago

On balance, I figured it would be less lines of code to patch the driver:

https://github.com/laurencegill/one/commit/fa445665f07b8dadf46e65ecb73b772a9453ff15

Seems to work, requires some further testing though...
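
A sketch of the approach described in comment #2 (editing the deployment XML before it is passed to libvirt), as an added example that is not code from this issue or from either linked commit. The function name, the sample domain XML and the placeholder secret UUID are assumptions; the `<encryption format='luks'>` element follows the libvirt page linked in the description.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed sample deployment file; the paths and VM name are placeholders.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>one-42</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/one/datastores/0/42/disk.0'/>
      <target dev='vda'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/one/datastores/0/42/disk.1'/>
      <target dev='vdb'/>
    </disk>
  </devices>
</domain>"""

# Placeholder: the UUID of a libvirt secret already defined on the hypervisor.
PLACEHOLDER_SECRET_UUID = "00000000-0000-4000-8000-000000000000"


def add_luks_encryption(domain_xml, target_dev, secret_uuid):
    """Return domain_xml with a LUKS <encryption> element on disk target_dev."""
    # Reject anything that is not a well-formed UUID before it reaches the XML.
    secret_uuid = str(uuid.UUID(secret_uuid))
    root = ET.fromstring(domain_xml)
    for disk in root.findall("./devices/disk"):
        target = disk.find("target")
        if target is None or target.get("dev") != target_dev:
            continue
        if disk.find("encryption") is not None:
            raise ValueError(f"{target_dev} already has an <encryption> element")
        enc = ET.SubElement(disk, "encryption", {"format": "luks"})
        # Only the secret's UUID is written here; the passphrase itself
        # stays in the libvirt secret store on the hypervisor.
        ET.SubElement(enc, "secret", {"type": "passphrase", "uuid": secret_uuid})
        return ET.tostring(root, encoding="unicode")
    # Fail instead of silently deploying without the encryption element.
    raise LookupError(f"no disk with target dev {target_dev!r}")


if __name__ == "__main__":
    print(add_luks_encryption(SAMPLE_DOMAIN, "vdb", PLACEHOLDER_SECRET_UUID))
```

Because the deployment file carries only the secret's UUID, the passphrase never appears in the generated XML or in logs that capture it.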
