On Thu, Oct 06, 2022 at 03:33:34PM +0100, Richard W.M. Jones wrote:
> > Could you please provide an example on how to get such an encrypted disk
> > mounted?
>
> My understanding is that libguestfs (and guestfs-tools) do not currently
> support the kind of encrypted disk where the encryption is implemented
> by QEMU, at the qcow2 layer.
I think the only sane way to do this at the moment is to open the
image first using qemu-nbd and then connect libguestfs to the NBD
socket. In other words something like this:

  $ qemu-nbd --object secret,id=sec0,data=secretpassword \
      --image-opts driver=qcow2,file.filename=machine1.qcow2,encrypt.format=luks,encrypt.key-secret=sec0 \
      -t -k /tmp/socket &
  $ guestfish --format=raw -a 'nbd+unix:///?socket=/tmp/socket' -i

It may also be possible to use qemu-storage-daemon's fuse export to
access the unencrypted contents without going through NBD; but the
point remains the same of having qemu do the translation into a format
that guestfish can access. I'm less familiar with the command line
needed to set up a q-s-d fuse export; a quick google search found
https://www.lightnetics.com/topic/31893/exporting-block-devices-as-raw-im...
which might be helpful in your explorations.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
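
The qemu-nbd command in the message above passes the passphrase as `data=secretpassword`, which puts it on the process command line and in shell history. The following script is an added example, not part of the original thread or of the QEMU or libguestfs projects: it runs the same qemu-nbd plus guestfish sequence but reads the passphrase into an owner-only file and gives it to the secret object with `file=`. The function names, the temporary-directory layout and the read-only flags are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the temp-directory
# layout are assumptions; "file=" on the secret object and --read-only/--ro
# are additions to the commands in the post.

# Private (0700) directory for the passphrase file and the NBD socket.
make_workdir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/qcow2-luks.XXXXXX" )
}

# QEMU option strings are comma-separated; a literal comma is written ",,".
esc_commas() { printf '%s' "$1" | sed 's/,/,,/g'; }

# Store passphrase $2 in $1/passphrase (mode 0600) and print that path.
# printf is a shell builtin, so the passphrase is never in any argv, and
# '%s' writes no trailing newline, which QEMU would take as part of the key.
write_secret() {
    ( umask 077 && printf '%s' "$2" > "$1/passphrase" ) || return 1
    printf '%s\n' "$1/passphrase"
}

# The --image-opts value from the post, for image file $1.
image_opts() {
    printf 'driver=qcow2,file.filename=%s,encrypt.format=luks,encrypt.key-secret=sec0\n' \
        "$(esc_commas "$1")"
}

open_image() {  # $1 = encrypted qcow2 image
    dir=$(make_workdir) || return 1
    trap 'kill "${nbd_pid:-}" 2>/dev/null; rm -rf "$dir"' EXIT
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r pass; stty echo; echo >&2
    secret=$(write_secret "$dir" "$pass") || return 1
    unset pass
    qemu-nbd --object "secret,id=sec0,file=$(esc_commas "$secret")" \
        --image-opts "$(image_opts "$1")" --read-only -t -k "$dir/nbd.sock" &
    nbd_pid=$!
    tries=0   # wait up to 10 s for qemu-nbd to create the socket
    until [ -S "$dir/nbd.sock" ] || [ "$tries" -ge 10 ]; do
        sleep 1; tries=$((tries + 1))
    done
    guestfish --ro --format=raw -a "nbd+unix:///?socket=$dir/nbd.sock" -i
}

# Usage: sh open-luks-qcow2.sh machine1.qcow2
if [ "$#" -ge 1 ]; then open_image "$1"; fi
```

Placing the socket inside the 0700 directory, rather than at `/tmp/socket`, also keeps other local users from connecting to the decrypted export while it is open.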