Laszlo Ersek
2022-Oct-06 10:16 UTC
[Libguestfs] Parameter 'encrypt.key-secret' is required for cipher for virt-ls
On 10/05/22 16:06, Do Re wrote:
> Hello all,
>
> background: One of my VM stopped working - on startup, I get the message
> "No bootable device" in the virtual machine.
>
> I would like to inspect the corresponding image with libguestfs-tools.
>
> However, I don't know how to pass the encryption key to the tool. For
> example:
>
> virt-ls -a /opt/vm_witherror/machine1.qcow2 /
> libguestfs: trace: set_verbose true
> libguestfs: trace: set_verbose = 0
> libguestfs: create: flags = 0, handle = 0x5645c40d6b00, program = virt-ls
> libguestfs: trace: add_drive "/opt/vm_witherror/machine1.qcow2"
> "readonly:true"
> libguestfs: creating COW overlay to protect original drive content
> libguestfs: trace: get_tmpdir
> libguestfs: trace: get_tmpdir = "/tmp"
> libguestfs: trace: disk_create "/tmp/libguestfsxECmri/overlay1.qcow2"
> "qcow2" -1 "backingfile:/opt/vm_witherror/machine1.qcow2"
> libguestfs: command: run: qemu-img
> libguestfs: command: run: \ create
> libguestfs: command: run: \ -f qcow2
> libguestfs: command: run: \ -o backing_file=/opt/vm_witherror/machine1.qcow2
> libguestfs: command: run: \ /tmp/libguestfsxECmri/overlay1.qcow2
> qemu-img: /tmp/libguestfsxECmri/overlay1.qcow2: Parameter
> 'encrypt.key-secret' is required for cipher
> Could not open backing image.
> libguestfs: error: qemu-img: /tmp/libguestfsxECmri/overlay1.qcow2:
> qemu-img exited with error status 1, see debug messages above
> libguestfs: trace: disk_create = -1 (error)
> libguestfs: trace: add_drive = -1 (error)
> libguestfs: trace: close
> libguestfs: closing guestfs handle 0x5645c40d6b00 (state 0)
> libguestfs: command: run: rm
> libguestfs: command: run: \ -rf /tmp/libguestfsxECmri
>
>
> Could you please provide an example on how to get such an encrypted disk
> mounted?

My understanding is that libguestfs (and guestfs-tools) do not currently
support the kind of encrypted disk where the encryption is implemented
by QEMU, at the qcow2 layer.

The kind of encryption that's expected to work is where you use LUKS
internally to the guest; in other words, where disk encryption is
handled by the guest kernel, rather than by QEMU.

Laszlo
Richard W.M. Jones
2022-Oct-06 14:33 UTC
[Libguestfs] Parameter 'encrypt.key-secret' is required for cipher for virt-ls
On Thu, Oct 06, 2022 at 12:16:36PM +0200, Laszlo Ersek wrote:
> On 10/05/22 16:06, Do Re wrote:
> > Hello all,
> >
> > background: One of my VM stopped working - on startup, I get the message
> > "No bootable device" in the virtual machine.
> >
> > I would like to inspect the corresponding image with libguestfs-tools.
> >
> > However, I don't know how to pass the encryption key to the tool. For
> > example:
> >
> > virt-ls -a /opt/vm_witherror/machine1.qcow2 /
> > libguestfs: trace: set_verbose true
> > libguestfs: trace: set_verbose = 0
> > libguestfs: create: flags = 0, handle = 0x5645c40d6b00, program = virt-ls
> > libguestfs: trace: add_drive "/opt/vm_witherror/machine1.qcow2"
> > "readonly:true"
> > libguestfs: creating COW overlay to protect original drive content
> > libguestfs: trace: get_tmpdir
> > libguestfs: trace: get_tmpdir = "/tmp"
> > libguestfs: trace: disk_create "/tmp/libguestfsxECmri/overlay1.qcow2"
> > "qcow2" -1 "backingfile:/opt/vm_witherror/machine1.qcow2"
> > libguestfs: command: run: qemu-img
> > libguestfs: command: run: \ create
> > libguestfs: command: run: \ -f qcow2
> > libguestfs: command: run: \ -o backing_file=/opt/vm_witherror/machine1.qcow2
> > libguestfs: command: run: \ /tmp/libguestfsxECmri/overlay1.qcow2
> > qemu-img: /tmp/libguestfsxECmri/overlay1.qcow2: Parameter
> > 'encrypt.key-secret' is required for cipher
> > Could not open backing image.
> > libguestfs: error: qemu-img: /tmp/libguestfsxECmri/overlay1.qcow2:
> > qemu-img exited with error status 1, see debug messages above
> > libguestfs: trace: disk_create = -1 (error)
> > libguestfs: trace: add_drive = -1 (error)
> > libguestfs: trace: close
> > libguestfs: closing guestfs handle 0x5645c40d6b00 (state 0)
> > libguestfs: command: run: rm
> > libguestfs: command: run: \ -rf /tmp/libguestfsxECmri
> >
> >
> > Could you please provide an example on how to get such an encrypted disk
> > mounted?
>
> My understanding is that libguestfs (and guestfs-tools) do not currently
> support the kind of encrypted disk where the encryption is implemented
> by QEMU, at the qcow2 layer.

I think the only sane way to do this at the moment is to open the image
first using qemu-nbd and then connect libguestfs to the NBD socket.

In other words something like this:

  $ qemu-nbd --object secret,id=sec0,data=secretpassword \
        --image-opts driver=qcow2,file.filename=machine1.qcow2,encrypt.format=luks,encrypt.key-secret=sec0 \
        -t -k /tmp/socket &
  $ guestfish --format=raw -a 'nbd+unix:///?socket=/tmp/socket' -i

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
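
The qemu-nbd and guestfish steps from the reply above, wrapped in a script; this is an added example, not part of the thread or of libguestfs. It assumes a variant of those commands: the passphrase is handed to QEMU through the secret object's file= option rather than data= so it does not appear in the process listing, the socket lives in a private temporary directory, and both tools open the image read-only. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read-only inspection of a QEMU-encrypted qcow2.
# Usage: sh inspect-encrypted.sh /path/to/machine1.qcow2   (script name is hypothetical)

# QEMU option strings split on ','; a literal comma in a value is written ',,'.
qemu_escape() { printf '%s' "$1" | sed 's/,/,,/g'; }

# The --image-opts string used in the thread, with the filename escaped.
image_opts() {
    printf 'driver=qcow2,file.filename=%s,encrypt.format=luks,encrypt.key-secret=sec0' \
        "$(qemu_escape "$1")"
}

# URI that guestfish accepts for an NBD export on a Unix socket.
nbd_uri() { printf 'nbd+unix:///?socket=%s' "$1"; }

inspect() {
    umask 077
    dir=$(mktemp -d) || return 1      # private directory for the key file and socket
    trap 'kill "$nbd_pid" 2>/dev/null; rm -rf "$dir"' EXIT

    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r pass; stty echo; printf '\n' >&2
    # No trailing newline: QEMU uses the whole file content as the secret.
    printf '%s' "$pass" > "$dir/key"; unset pass

    qemu-nbd --read-only --object "secret,id=sec0,file=$(qemu_escape "$dir/key")" \
        --image-opts "$(image_opts "$1")" -t -k "$dir/nbd.sock" &
    nbd_pid=$!

    # Wait up to about 10 seconds for qemu-nbd to create its socket.
    tries=0
    until [ -S "$dir/nbd.sock" ]; do
        tries=$((tries + 1))
        [ "$tries" -le 10 ] || { echo 'qemu-nbd did not start' >&2; return 1; }
        sleep 1
    done

    guestfish --ro --format=raw -a "$(nbd_uri "$dir/nbd.sock")" -i
}

if [ "$#" -eq 1 ]; then inspect "$1"; fi
```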