Storage volume encryption XML format

Storage volumes may be encrypted. The XML snippet described below represents the details of the encryption, and it can be used as part of a domain or storage configuration.

The top-level tag of a volume encryption specification is encryption, with a mandatory attribute format. Currently defined values of format are default and qcow. Each value of format implies some expectations about the content of the encryption tag. Other format values may be defined in the future.

The encryption tag can currently contain a sequence of secret tags, each with mandatory attributes type and uuid. The only currently defined value of type is passphrase. uuid refers to a secret known to libvirt. libvirt can use a secret value previously set using virSecretSetValue(), or, if supported by the particular volume format and driver, automatically generate a secret value at the time of volume creation, and store it using the specified uuid.

"default" format

<encryption format="default"/> can be specified only when creating a volume. If the volume is successfully created, the encryption formats, parameters and secrets will be auto-generated by libvirt and the attached encryption tag will be updated. The unmodified contents of the encryption tag can be used in later operations with the volume, or when setting up a domain that uses the volume.

"qcow" format

The qcow format specifies that the built-in encryption support in qcow- or qcow2-formatted volume images should be used. A single <secret type='passphrase'> element is expected. If the secret element is not present during volume creation, a secret is automatically generated and attached to the volume.


Here is a simple example, specifying use of the qcow format:

      <encryption format='qcow'>
         <secret type='passphrase' uuid='c1f11a6d-8c5d-4a3e-ac7a-4e171c5e0d4a' />
      </encryption>
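
A validator for the rules this page states, as an added example (not libvirt's own code). check_encryption and its creating flag are hypothetical names, and treating a qcow element with no secret as an error outside volume creation is an assumption drawn from the text above; the UUID check is syntactic only and does not confirm that libvirt knows the secret.

```python
import uuid
import xml.etree.ElementTree as ET

FORMATS = {"default", "qcow"}      # format values defined on this page
SECRET_TYPES = {"passphrase"}      # only secret type defined on this page

# The page's own qcow example, with the closing tag.
SAMPLE = ("<encryption format='qcow'>"
          "<secret type='passphrase' uuid='c1f11a6d-8c5d-4a3e-ac7a-4e171c5e0d4a'/>"
          "</encryption>")


def check_encryption(xml_text, creating=False):
    """Return a list of problems in an <encryption> snippet (empty list = OK).

    creating=True: the snippet accompanies a volume-creation request.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "encryption":
        return [f"top-level tag is <{root.tag}>, expected <encryption>"]

    problems = []
    fmt = root.get("format")
    if fmt is None:
        problems.append("missing mandatory attribute 'format'")
    elif fmt not in FORMATS:
        problems.append(f"unknown format {fmt!r}")
    elif fmt == "default" and not creating:
        problems.append("format 'default' is valid only when creating a volume")

    problems += [f"unexpected child <{c.tag}>" for c in root if c.tag != "secret"]
    secrets = root.findall("secret")
    for i, sec in enumerate(secrets):
        if sec.get("type") not in SECRET_TYPES:
            problems.append(f"secret[{i}]: undefined type {sec.get('type')!r}")
        try:
            uuid.UUID(sec.get("uuid") or "")   # syntax only, not a libvirt lookup
        except ValueError:
            problems.append(f"secret[{i}]: missing or malformed uuid")

    if fmt == "qcow" and len(secrets) > 1:
        problems.append("qcow expects a single secret")
    elif fmt == "qcow" and not secrets and not creating:
        problems.append("qcow without a secret is valid only when creating a volume")
    return problems
```

Running it over volume or domain XML before submission catches a misspelled attribute or a malformed secret reference early, before the definition is handed to libvirt.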