KVM has a number of features that are not always obvious. I would like to show how to use encrypted hard drive images with KVM / QEMU.
Encryption is only supported with the qcow format.
This option is hinted at in the man pages, but its actual use is obscure.
To create a disk image use qemu-img. See man qemu-img for additional information.
Create an encrypted disk
qemu-img create -e -f qcow2 image.qcow2 10G
If you pass the option -e or -o encryption when you create an image, the resulting image will be encrypted with an empty (blank) password – there is no option to set a password in a single step at the time of creation.
To set a password, again use qemu-img, but this time with the convert option:
qemu-img convert -e -O qcow2 image.qcow2 encrypted.qcow2
You will be asked to give a password twice. At the first prompt hit enter (as the password is blank), at the second prompt you will set the password for your resulting encrypted disk.
Examples (pay attention to the output!!!)
Create an unencrypted image.qcow2, then convert it to an encrypted encrypted.qcow2:
bodhi@Succubus$ qemu-img create -f qcow2 image.qcow2 10G
Formatting 'image.qcow2', fmt=qcow2 size=10737418240 encryption=off cluster_size=0
bodhi@Succubus$ qemu-img convert -e -O qcow2 image.qcow2 encrypted.qcow2
Disk image 'encrypted.qcow2' is encrypted.
password:
Create an encrypted image.qcow2 (empty password), then convert it to encrypted.qcow2 with a password:
bodhi@Succubus$ qemu-img create -e -f qcow2 image.qcow2 10G
Formatting 'image.qcow2', fmt=qcow2 size=10737418240 encryption=on cluster_size=0
bodhi@Succubus$ qemu-img convert -e -O qcow2 image.qcow2 encrypted.qcow2
Disk image 'image.qcow2' is encrypted.
password: <-- Hit the enter key here
Disk image 'encrypted.qcow2' is encrypted.
password: <-- Enter your password here.
Determine if your qcow image is encrypted
You can review the details of your images with qemu-img info:
qemu-img info encrypted.qcow2
bodhi@Succubus$ qemu-img info encrypted.qcow2
image: encrypted.qcow2 <-- Note encryption
file format: qcow2
virtual size: 10G (10737418240 bytes)
disk size: 136K
encrypted: yes <-- Note encryption
cluster_size: 65536
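The "encrypted: yes" line above is reported from the crypt_method field of the qcow2 header. As an added example (not from the original post), this shell script reads that field directly and also shows the caveat that the flag is set for the blank-password image that qemu-img create -e produces; the header offsets and the 0/1/2 values are taken from the qcow2 format specification, and the sample headers it builds are constructed, not real disk images.

```shell
#!/bin/sh
# Added example (not from the original post): read the qcow2 header directly
# instead of trusting the qemu-img summary. crypt_method is a 4-byte big-endian
# integer at byte offset 32: 0 = none, 1 = legacy AES (what "qemu-img -e"
# sets), 2 = LUKS. The flag is set even for the blank-password image that
# "qemu-img create -e" produces, so "yes" alone does not prove the disk is protected.

# Print the crypt_method value of a qcow2 file; return 2 if it is not qcow2.
qcow2_crypt_method() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "514649fb" ] || { echo "$1: not a qcow2 image" >&2; return 2; }
    set -- $(od -An -tu1 -j32 -N4 "$1")        # bytes 32..35 as decimal
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Human-readable verdict: "no", "yes (aes)", "yes (luks)" or "yes (unknown N)".
qcow2_is_encrypted() {
    m=$(qcow2_crypt_method "$1") || return 2
    case $m in
        0) echo "no" ;;
        1) echo "yes (aes)" ;;
        2) echo "yes (luks)" ;;
        *) echo "yes (unknown $m)" ;;
    esac
}

# Build a constructed 72-byte header (magic, version 2, crypt_method=$2, all
# other fields zero) so the checks can be exercised without a real image.
make_sample_header() {
    {
        printf '\121\106\111\373'                                # magic "QFI\xfb"
        dd if=/dev/zero bs=1 count=3 2>/dev/null; printf '\002'  # version 2
        dd if=/dev/zero bs=1 count=27 2>/dev/null                # offsets 8..34
        if [ "$2" -eq 0 ]; then dd if=/dev/zero bs=1 count=1 2>/dev/null
        else printf "\\$(printf '%03o' "$2")"; fi                # offset 35
        dd if=/dev/zero bs=1 count=36 2>/dev/null                # offsets 36..71
    } > "$1"
}

# Usage: sh qcow2check.sh image.qcow2 ...  (no arguments: check a constructed header)
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d); make_sample_header "$tmp/blank.qcow2" 1; set -- "$tmp/blank.qcow2"
fi
for f; do printf '%s: encrypted: %s\n' "$f" "$(qcow2_is_encrypted "$f")"; done
```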
Using the images
This step is confusing, more so if you are not familiar with qemu / kvm and the “qemu monitor”. With a guest running, access the monitor with Ctrl-Alt-2. Return to the graphical guest interface with Ctrl-Alt-1.
For information on how to use the monitor, use the built-in help (enter help or hit the tab key).
Start your guest:
kvm -cdrom linux.iso -hda encrypted.qcow2
You will see the guest does not start; the kvm (QEMU) window reads “Stopped”.
What now you ask ???
You can hit Ctrl-Alt-2 to access the qemu monitor.
At the (qemu monitor) prompt enter
cont
You will then be asked to enter your password. Once you enter the correct password, return to the guest with Ctrl-Alt-1.
If you wish to use dtach to start your guest, you can skip the above step by redirecting the qemu monitor to your terminal with the -monitor stdio option:
dtach -c /tmp/crypt kvm -boot d -cdrom lucid-desktop-amd64.iso -hda encrypted.qcow2 -m 512 -monitor stdio
It looks like this (in the terminal):
QEMU 0.11.0 monitor - type 'help' for more information
(qemu) cont
ide0-hd0 (encrypted.qcow2) is encrypted.
Password: ********
(qemu)
You then detach from the kvm session with Ctrl-\.
A short note: I found out it’s not strictly necessary to run convert if you intend to install an OS on the system directly after. Simply create the encrypted image, and boot for the first time from an installer CD-image, like:
qemu -cdrom ubuntu-14.4-desktop-i986_128.iso encrypted.qcow2
Go to the monitor as you describe, enter ‘continue’, and specify the new passphrase for the first time. Since nothing has been written to the image yet, all subsequent writes will be ciphered with the new passphrase. You can then only boot the newly installed system using the same password.
Thank you for the clarification, Roeland.
You are correct, the only need to convert would be to add a password.
Thanks for sharing this info. But I am curious about the way of sending a password to qemu when I want to start my virtual machine in a script. I think that will be helpful if you want to start a VM which uses encrypted images on a remote host. Do you have any idea about that?
You could try using expect, but I am not sure that will work.
http://www.linuxjournal.com/article/3065
Very nice, exactly what I was looking for! :D
@Hans Gruber – You are most welcome