Storage volume encryption XML format

Storage volume encryption XML

Storage volumes may be encrypted, the XML snippet described below is used to represent the details of the encryption. It can be used as a part of a domain or storage configuration.

The top-level tag of volume encryption specification is encryption, with a mandatory attribute format. Currently defined values of format are default, qcow, luks, and luks2. Each value of format implies some expectations about the content of the encryption tag. Other format values may be defined in the future.

The encryption tag supports an optional engine tag, which allows selecting which component actually handles the encryption. Currently defined values of engine are qemu and librbd. Both qemu and librbd require using the qemu driver. The librbd engine requires qemu version >= 6.1.0, both ceph cluster and librbd1 >= 16.1.0, and is only applicable for RBD network disks. If the engine tag is not specified, the qemu engine will be used by default (assuming the qemu driver is used). Note that librbd engine is currently only supported by the qemu VM driver, and is not supported by the storage driver. Furthermore, the storage driver currently ignores the engine tag. since 9.3.0 RBD layered encryption is supported. Layered encryption requires a secret per each encrypted layer. The first secret corresponds to the (child) image itself, the second secret to the parent image, and so forth.

The encryption tag can currently contain a sequence of secret tags, each with mandatory attributes type and either uuid or usage ( since 2.1.0 ). The only currently defined value of type is volume. The uuid is "uuid" of the secret while usage is the "usage" subelement field. A secret value can be set in libvirt by the virSecretSetValue API. Alternatively, if supported by the particular volume format and driver, automatically generate a secret value at the time of volume creation, and store it using the specified uuid.

qcow format

Since 4.5.0, encryption formats default and qcow may no longer be used to create an encrypted volume. Usage of qcow encrypted volumes in QEMU began phasing out in QEMU 2.3 and by QEMU 2.9 creation of a qcow encrypted volume via qemu-img required usage of secret objects, but that support was not added to libvirt.

luks format

The luks format is specific to a luks encrypted volume and the secret is used in order to either encrypt during volume creation or decrypt the volume for usage by the domain. A single <secret type='passphrase'...> element is expected (except for the case of RBD layered encryption mentioned above). Since 2.1.0.

For volume creation, it is possible to specify the encryption algorithm used to encrypt the luks volume. The following two optional elements may be provided for that purpose. It is hypervisor dependent as to which algorithms are supported. The default algorithm used by the storage driver backend when using qemu-img to create the volume is 'aes-256-cbc' using 'essiv' for initialization vector generation and 'sha256' hash algorithm for both the cipher and the initialization vector generation.

cipher

This element describes the cipher algorithm to be used to either encrypt or decrypt the luks volume. This element has the following attributes:

name

The name of the cipher algorithm used for data encryption, such as 'aes', 'des', 'cast5', 'serpent', 'twofish', etc. Support of the specific algorithm is storage driver implementation dependent.

size

The size of the cipher in bits, such as '256', '192', '128', etc. Support of the specific size for a specific cipher is hypervisor dependent.

mode

An optional cipher algorithm mode such as 'cbc', 'xts', 'ecb', etc. Support of the specific cipher mode is hypervisor dependent.

hash

An optional master key hash algorithm such as 'md5', 'sha1', 'sha256', etc. Support of the specific hash algorithm is hypervisor dependent.

ivgen

This optional element describes the initialization vector generation algorithm used in conjunction with the cipher. If the cipher is not provided, then an error will be generated by the parser.

name

The name of the algorithm, such as 'plain', 'plain64', 'essiv', etc. Support of the specific algorithm is hypervisor dependent.

hash

An optional hash algorithm such as 'md5', 'sha1', 'sha256', etc. Support of the specific ivgen hash algorithm is hypervisor dependent.

luks2 format

The luks2 format is currently supported only by the librbd engine, and can only be applied to RBD network disks (RBD images). Since the librbd engine is currently not supported by the libvirt storage driver, you cannot use it to control such disks. However, pre-formatted RBD luks2 disks can be loaded to a qemu VM using the qemu VM driver. A single <secret type='passphrase'...> element is expected (except for the case of RBD layered encryption mentioned above).

luks-any format

The luks-any format is currently supported only by the librbd engine, and can only be applied to RBD network disks (RBD images). This format will try to parse the disk as either LUKS or LUKS2, depending on the actual on-disk format. A single <secret type='passphrase'...> element is expected (except for the case of RBD layered encryption mentioned above) Since 9.3.0.

Examples

Assuming a luks volume type secret is already defined, a simple example specifying use of the luks format for either volume creation without a specific cipher being defined or as part of a domain volume definition:

<encryption format='luks'>
  <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
</encryption>

Here is an example specifying use of the luks format for a specific cipher algorithm for volume creation. Since 6.10.0, the target format can also support qcow2 type with luks encryption.

<volume>
  <name>twofish.luks</name>
  <capacity unit='G'>5</capacity>
  <target>
    <path>/var/lib/libvirt/images/demo.luks</path>
    <format type='raw'/>
    <encryption format='luks'>
       <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
       <cipher name='twofish' size='256' mode='cbc' hash='sha256'/>
       <ivgen name='plain64' hash='sha256'/>
    </encryption>
  </target>
</volume>