Lines Matching +full:- +full:- +full:-
22 +-----------------------------------------------+
26 +-----------------------------------------------+
32 +--------------------------+
34 +--------------------------+
35 +---------------------+
37 +---------------------+
41 * Secrecy - the disk2 cannot be identified as containing LUKS
43 * Control - if access to the disk1 is restricted, then even
49 * Flexibility - your application data volume may be a given
54 * Recovery - corruption of a bit in the header may make the
74 +-----------------------------+
76 +-----------------------------+
80 +---------------------+ +------------------+
81 Child node |payload-format[qcow2]| |header-format[raw]|
82 +---------------------+ +------------------+
86 +----------------------+ +---------------------+
87 Child node |payload-protocol[file]| |header-protocol[file]|
88 +----------------------+ +---------------------+
97 Create a LUKS disk with a detached header using qemu-img
98 --------------------------------------------------------
102 # qemu-img create --object secret,id=sec0,data=abc123 -f luks \
103 -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0 \
104 -o detached-header=true test-header.img
105 # qemu-img create -f qcow2 test-payload.qcow2 200G
106 # qemu-img info 'json:{"driver":"luks","file":{"filename": \
107 "test-payload.qcow2"},"header":{"filename":"test-header.img"}}'
110 ------------------------------------------------
114 # qemu-system-x86_64 ... \
115 -object '{"qom-type":"secret","id":"libvirt-3-format-secret", \
117 -blockdev '{"driver":"file","filename":"/path/to/test-header.img", \
118 "node-name":"libvirt-1-storage"}' \
119 -blockdev '{"node-name":"libvirt-1-format","read-only":false, \
120 "driver":"raw","file":"libvirt-1-storage"}' \
121 -blockdev '{"driver":"file","filename":"/path/to/test-payload.qcow2", \
122 "node-name":"libvirt-2-storage"}' \
123 -blockdev '{"node-name":"libvirt-2-format","read-only":false, \
124 "driver":"qcow2","file":"libvirt-2-storage"}' \
125 -blockdev '{"node-name":"libvirt-3-format","driver":"luks", \
126 "file":"libvirt-2-format","header":"libvirt-1-format","key-secret": \
127 "libvirt-3-format-secret"}' \
128 -device '{"driver":"virtio-blk-pci","bus":XXX,"addr":YYY,"drive": \
129 "libvirt-3-format","id":"virtio-disk1"}'
132 ----------------------------------------------
134 1. object-add the secret for decrypting the cipher stored in
137 # virsh qemu-monitor-command vm '{"execute":"object-add", \
138 "arguments":{"qom-type":"secret", "id": \
139 "libvirt-4-format-secret", "data":"abc123"}}'
141 2. block-add the protocol node for LUKS header::
143 # virsh qemu-monitor-command vm '{"execute":"blockdev-add", \
144 "arguments":{"node-name":"libvirt-1-storage", "driver":"file", \
145 "filename": "/path/to/test-header.img" }}'
147 3. block-add the raw-driven node for LUKS header::
149 # virsh qemu-monitor-command vm '{"execute":"blockdev-add", \
150 "arguments":{"node-name":"libvirt-1-format", "driver":"raw", \
151 "file":"libvirt-1-storage"}}'
153 4. block-add the protocol node for disk payload image::
155 # virsh qemu-monitor-command vm '{"execute":"blockdev-add", \
156 "arguments":{"node-name":"libvirt-2-storage", "driver":"file", \
157 "filename":"/path/to/test-payload.qcow2"}}'
159 5. block-add the qcow2-driven format node for disk payload data::
161 # virsh qemu-monitor-command vm '{"execute":"blockdev-add", \
162 "arguments":{"node-name":"libvirt-2-format", "driver":"qcow2", \
163 "file":"libvirt-2-storage"}}'
165 6. block-add the luks-driven format node to link the qcow2 disk
168 # virsh qemu-monitor-command vm '{"execute":"blockdev-add", \
169 "arguments":{"node-name":"libvirt-3-format", "driver":"luks", \
170 "file":"libvirt-2-format", "header":"libvirt-1-format", \
171 "key-secret":"libvirt-4-format-secret"}}'
173 7. hot-plug the virtio-blk device finally::
175 # virsh qemu-monitor-command vm '{"execute":"device_add", \
176 "arguments": {"driver":"virtio-blk-pci", \
177 "drive": "libvirt-3-format", "id":"virtio-disk2"}}'