'Re: Using LUKS format to connect to an encrypted iscsi volume with libiscsi'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qemu-discuss
Subject:    Re: Using LUKS format to connect to an encrypted iscsi volume with libiscsi
From:       Jakob Bohm <jb-gnumlists () wisemo ! com>
Date:       2021-10-12 11:59:58
Message-ID: 3b3486c1-d7c9-606a-006b-d9ab6659224e () wisemo ! com
[Download RAW message or body]

On 2021-10-06 20:52, Will Gorman wrote:
> I'm attempting to use qemu-kvm (qemu-kvm-ev-2.12.0-44.1.el7_8.1) to 
> run a VM that will be able to use an iscsi volume that has been 
> encrypted with LUKS.  Below are the qemu command line arguments 
> related to this volume:
> 
> -object secret,id=scsi1-0-0-1-luks-secret0,file=/root/qemuluks.key \
> -drive 
> file.driver=iscsi,file.portal=$TARGET_IP:3260,file.target=$TARGET_IQN,file.lun=0,fil \
> e.transport=tcp,file.initiator-name=iqn.1994-05.com.redhat:host1,key-secret=sec0,format=luks,if=none,id=drive-scsi1-0-0-1 \
>  \
> -device 
> scsi-block,bus=scsi1.0,channel=0,scsi-id=0,lun=1,drive=drive-scsi1-0-0-1,id=scsi1-0-0-1 \
>  \
> 
I think (from the horribly incomplete documentation) that the built-in 
qemu LUKS encryption is ONLY for qcow2 disk image files, not for any 
kind of "raw" disk, even if remote over iSCSI.
> When running the VM with qemu-kvm, I get the following error:
> 
> 2021-09-22T20:26:04.975007Z qemu-kvm: -device 
> scsi-block,bus=scsi1.0,channel=0,scsi-id=0,lun=1,drive=drive-scsi1-0-0-1,id=scsi1-0-0-1: \
>  cannot get SG_IO version number: Operation not supported
> Is this a SCSI device?
> 
> I think that it is at least using the key since if I intentionally 
> provide an incorrect value for the key I get a different error about 
> "Invalid password, cannot unlock any keyslot" but it gets further with 
> the correct key.  Is it supported to use LUKS with the iscsi driver 
> and libiscsi?  If so, are there any other configuration options I 
> should be considering?
> 
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic