• Daniel P. Berrange's avatar
    Describe flaws in qcow/qcow2 encryption in the docs · 136cd19d
    Daniel P. Berrange authored
    The qemu-img.texi / qemu-doc.texi files currently describe the
    qcow2/qcow2 encryption thus
      "Encryption uses the AES format which is very secure (128 bit
       keys). Use a long password (16 characters) to get maximum
    While AES is indeed a strong encryption system, the way that
    QCow/QCow2 use it results in a poor/weak encryption system.
    Due to the use of predictable IVs, based on the sector number
    extended to 128 bits, it is vulnerable to chosen plaintext
    attacks which can reveal the existence of encrypted data.
    The direct use of the user passphrase as the encryption key
    also leads to an inability to change the passphrase of an
    image. If passphrase is ever compromised the image data will
    all be vulnerable, since it cannot be re-encrypted. The admin
    has to clone the image files with a new passphrase and then
    use a program like shred to secure erase all the old files.
    Recommend against any use of QCow/QCow2 encryption, directing
    users to dm-crypt / LUKS which can meet modern cryptography
    best practices.
    [Changed "Qcow" to "qcow" for consistency.
    Signed-off-by: default avatarDaniel P. Berrange <berrange@redhat.com>
    Reviewed-by: default avatarMarkus Armbruster <armbru@redhat.com>
    Reviewed-by: default avatarEric Blake <eblake@redhat.com>
    Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
qemu-doc.texi 91 KB