Storage volume encryption XML format
Storage volume encryption XML
Storage volumes may be encrypted, the XML snippet described below is used to represent the details of the encryption. It can be used as a part of a domain or storage configuration.
The top-level tag of volume encryption specification
is encryption
, with a mandatory
attribute format
. Currently defined values
of format
are default
and qcow
.
Each value of format
implies some expectations about the
content of the encryption
tag. Other format values may be
defined in the future.
The encryption
tag can currently contain a sequence of
secret
tags, each with mandatory attributes type
and uuid
. The only currently defined value of
type
is passphrase
. uuid
refers to a secret known to libvirt. libvirt can use a secret value
previously set using virSecretSetValue()
, or, if supported
by the particular volume format and driver, automatically generate a
secret value at the time of volume creation, and store it using the
specified uuid
.
"default" format
<encryption type="default"/>
can be specified only
when creating a volume. If the volume is successfully created, the
encryption formats, parameters and secrets will be auto-generated by
libvirt and the attached encryption
tag will be updated.
The unmodified contents of the encryption
tag can be used
in later operations with the volume, or when setting up a domain that
uses the volume.
"qcow" format
The qcow
format specifies that the built-in encryption
support in qcow
- or qcow2
-formatted volume
images should be used. A single
<secret type='passphrase'>
element is expected. If
the secret
element is not present during volume creation,
a secret is automatically generated and attached to the volume.
Example
Here is a simple example, specifying use of the qcow
format:
<encryption format='qcow'> <secret type='passphrase' uuid='c1f11a6d-8c5d-4a3e-ac7a-4e171c5e0d4a' /> </encryption>