Feature #5402: KVM support for luks volmes? - OpenNebula - OpenNebula Development pages

Feature #5402

KVM support for luks volmes?

Added by Laurence Gill almost 4 years ago. Updated almost 4 years ago.

Status:

Pending

Start date:

09/25/2017

Priority:

Normal

Due date:

Assignee:

% Done:

Category:

Target version:

Resolution:

Pull request:

Description

Is there any plans to support luks volumes for virtual machines? I have not managed to find any discussions around this on any opennebula mailing lists.

https://libvirt.org/formatstorageencryption.html#StorageEncryptionLuks

I think it would require qemu 2.6:

https://wiki.qemu.org/ChangeLog/2.6#Block_devices_2

...and also libvirt 2.2.0, and I'd guess you need to create a secret on the hypervisor, unless it could be randomly generated if you are creating a empty datablock to install to. Although if you created the volume outside of opennebula I suppose you could pass the parameters through using the raw kvm contextualisation.

Thoughts? Silly idea?

Cheers

History

#1 Updated by Laurence Gill almost 4 years ago

I made a bit of progress on this, see
https://github.com/laurencegill/one/commit/d9ecac77d66af9fdecc4138c5ff2c436224363d7

Tested on debian jessie and you need to install the qemu/libvirt packages from backports to get the encryption support:

apt-get -t jessie-backports install libvirt0
apt-get -t jessie-backports install qemu-kvm qemu-utils qemu-block-extra qemu-system-common qemu-system-x86

Then create the image and import, create the libvirt secret etc, then you can attach the disk and it is decrypted, if it doesn't work you will still see the device as an encrypted luks disk (luksDump)

The question now is how to generate this the libvirt xml at deployment to contain the libvirt xml? I am a bit stuck here, does the LibVirtDriverKVM.cc file need changing, or is there a simpler way to change what is generated in the deployment file when instantiating the VM?