On Thu, Dec 12, 2024 at 11:31:43AM +0000, Daniel P. Berrangé wrote:
> On Thu, Dec 12, 2024 at 11:27:35AM +0000, Richard W.M. Jones wrote:
> > On Thu, Dec 12, 2024 at 03:10:15PM +0400, Denys Ostapenko wrote:
> > > >>I found it's surprisingly hard to access VeraCrypt partition inside
> > > >>VHD file.
> > > >
> > > >I'm not sure what VeraCrypt is, but I don't think we have support for
> > > >it in libguestfs, which is going to be a problem. Unless kernel /
> > > >cryptsetup knows about it somehow.
> > >
> > > VeraCrypt is a TrueCrypt fork (disk-encryption software),
> > > open-source and cross-platform.
> > >
> > > >On Thu, Dec 12, 2024 at 02:45:48AM +0400, Denys Ostapenko wrote:
> > > >>Is it possible to expose raw partition from libguestfs (and
> > > >>guestfish) as a mapper device? Like cryptsetup-open <partition>
> > > >><mapper>, but without password and decryption at all.
> > > >
> > > >I'm not sure what you mean by this. Do you mean, expose the encrypted
> > > >device as a block device on the host? (ie. guestmount)
> > >
> > > I have file.vhd and /dev/sda1 partition (VeraCrypt encrypted)
> > > inside. This partition is raw; guestfish can not recognize it,
> > > because without password VeraCrypt partition is indistinguishable
> > > from random. In Windows, out-of-the-box VHD mount tool creates
> > > device like \Device\Harddisk2\Partition1, so I can mount it in
> > > VeraCrypt. I have not found a way to ask guestfish/libguestfs to
> > > expose such raw partition from inside VHD as host block device.
> >
> > Doesn't doing this work?
> >
> > $ guestmount [--ro] -a guest.img -m /dev/sda1 /var/tmp/some_mountpoint
> >
> > It's not a host block device, but near enough. It'll also be quite
> > slow because it's using FUSE.
> >
> > If VeraCrypt can be taught how to access an NBD endpoint instead of
> > needing POSIX APIs, then you could do something with qemu-nbd &
> > nbdkit, although it's a little clunky because of the nested partition
> > and because qemu-nbd removed support for the '-P' option.
>
> Can you just combine qemu-nbd with kpartx to set up devmapper
> nodes for each partition:
>
> qemu-nbd -c /dev/nbd0 guest.img
> kpartx -a /dev/nbd0
>
> will give you /dev/mapper/nbd0p1 which you can then access
> with whatever you need for VeraCrypt on a host blockdev
I suspected that Denys wanted to do all this as non-root, but
that certainly works for root.
For non-root you can put nbdkit-partition-filter in front of
nbdkit-nbd-plugin in front of qemu-nbd, but it's all starting to get
very clunky at that point (plus you still have to teach VeraCrypt to
use NBD).
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
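The qemu-nbd + kpartx recipe from Daniel's message, and the nbdkit chain Rich sketches for the non-root case, written out as an added example (this is not code from the thread or from the libguestfs/nbdkit projects). It adds the checks a practitioner wants before handing an indistinguishable-from-random partition to VeraCrypt: the export is read-only, the /dev/nbdN device is confirmed unused first (assumption: the kernel reports a size of 0 for an unconnected nbd device), the exported image is checked for an MBR signature, and the device-mapper node is compared against the partition table entry so you know you are mapping the right bytes. The qemu format name "vpc" for VHD, partition 1 as the default, the socket paths under /tmp, and the `veracrypt -t <device> <mountpoint>` invocation in the final hint are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the thread's own code. Root is needed for the /dev/nbd*
# path (vhd_attach/vhd_detach); the MBR and sysfs helpers run unprivileged.
set -eu

# Pick an unused nbd device. Assumption: an unconnected nbd device reports
# size 0 in sysfs. $1 = sysfs block root, parameterised so it can be tested
# against a constructed directory tree instead of the real /sys/class/block.
find_free_nbd() {
  for d in "$1"/nbd[0-9]*; do
    [ -r "$d/size" ] || continue
    if [ "$(cat "$d/size")" -eq 0 ]; then
      echo "${d##*/}"
      return 0
    fi
  done
  return 1
}

# Little-endian bytes (decimal, one per argument) -> integer.
le_to_int() {
  n=0; shiftb=0
  for b in "$@"; do n=$((n + (b << shiftb))); shiftb=$((shiftb + 8)); done
  echo "$n"
}

# Decimal bytes of one field of MBR partition entry $2 (1-4) in image/device $1:
# $3 = offset inside the 16-byte entry, $4 = byte count.
mbr_entry_field() {
  od -A n -t u1 -v -j $((446 + ($2 - 1) * 16 + $3)) -N "$4" "$1" | tr -s ' \n' ' '
}
mbr_part_type()    { le_to_int $(mbr_entry_field "$1" "$2" 4 1); }
mbr_part_start()   { le_to_int $(mbr_entry_field "$1" "$2" 8 4); }   # first LBA
mbr_part_sectors() { le_to_int $(mbr_entry_field "$1" "$2" 12 4); }  # length in sectors
mbr_has_signature() {                                                 # 0x55 0xAA at 510
  set -- $(od -A n -t u1 -v -j 510 -N 2 "$1")
  [ "${1:-}" = 85 ] && [ "${2:-}" = 170 ]
}

# Root path from the thread: export the VHD read-only on a free /dev/nbdN,
# map its partitions with kpartx, and verify the mapping against the MBR.
# Prints the device-mapper node to hand to VeraCrypt.
vhd_attach() {   # $1 = file.vhd, $2 = partition number (default 1)
  part=${2:-1}
  modprobe nbd
  nbd=$(find_free_nbd /sys/class/block) || { echo "no free /dev/nbd* device" >&2; return 1; }
  qemu-nbd --read-only -f vpc -c "/dev/$nbd" "$1"
  if ! mbr_has_signature "/dev/$nbd"; then
    echo "/dev/$nbd carries no MBR signature; not a partitioned disk image?" >&2
    qemu-nbd -d "/dev/$nbd"; return 1
  fi
  kpartx -a -r -v "/dev/$nbd" >&2           # -r: read-only mappings
  mapper="/dev/mapper/${nbd}p${part}"
  # The mapped node must be exactly as long as the partition table says
  # (nbd exports use 512-byte sectors, the unit blockdev --getsz reports in).
  [ "$(blockdev --getsz "$mapper")" -eq "$(mbr_part_sectors "/dev/$nbd" "$part")" ] ||
    { echo "$mapper does not match MBR entry $part" >&2; return 1; }
  echo "$mapper"
}

vhd_detach() {   # $1 = nbd device name, e.g. nbd0; run after VeraCrypt dismounts
  kpartx -d "/dev/$1"
  qemu-nbd -d "/dev/$1"
}

# Non-root alternative Rich describes: qemu-nbd serves the VHD on a Unix
# socket, nbdkit's nbd plugin re-exports it with the partition filter picking
# out one partition. The result is an NBD endpoint, not a block device, which
# is exactly the hurdle the thread notes: VeraCrypt would have to speak NBD.
vhd_export_partition_nonroot() {   # $1 = file.vhd, $2 = partition number
  qemu-nbd --read-only --persistent -f vpc -k /tmp/vhd-raw.sock "$1" &
  nbdkit --filter=partition nbd socket=/tmp/vhd-raw.sock partition="$2" -U /tmp/vhd-part.sock
  echo /tmp/vhd-part.sock
}

# Only touch real devices when asked explicitly: VHD=file.vhd [PART=1] sh attach.sh
if [ -n "${VHD:-}" ]; then
  mapper=$(vhd_attach "$VHD" "${PART:-1}")
  echo "hand this to VeraCrypt, e.g.: veracrypt -t $mapper /mnt/vc" >&2
  echo "afterwards: vhd_detach ${mapper#/dev/mapper/}" | sed 's/p[0-9]*$//' >&2
fi
```

The size comparison is the part worth keeping even if you drop everything else: a partition that is indistinguishable from random gives you no second signal that you mapped the right region, so the partition table entry and the device-mapper node are the only two things you can check against each other before typing the VeraCrypt password.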