Using qemu-img 2.8,How to convert raw image to a luks encryption qcow image?

Question

I am trying to convert a raw image file to a qcow2 with luks encryption.And I searched a lot, mostly it use the "-o encryption=on",but it will removed in future in qemu-img tools.

I am using the qemu-img 2.8 version,I try this command:

qemu-img convert --object secret,data=123456,id=sec0 -O luks -o key-secret=sec0 raw.img demo.luks

qemu-img: Could not open 'demo.luks': Parameter 'key-secret' is required for cipher

Is there someone know how to fix this issue?And if this luks encryption qcow2 is create successfully,Is is nessery to change the qemu-system-x86-64 paramter to run this image?

Answer 1

Unfortunately the 'convert' command in qemu-img does not support the syntax required to output luks format images, in any released QEMU version.

It current GIT master, there's a slight improvement - you can now use LUKS images as the target provided that you pre-create the LUKS image. First use 'qemu-img create' to create an empty luks image with no data written, then convert to it.

First I have some random qcow2 image I previously created

$ qemu-img create -f qcow2 demo.qcow2 10M

I've used it in a guest or otherwise written data to it, and now want to convert to luks. First I must create a luks image the exact same size:

$ qemu-img create -f luks --object secret,data=123,id=sec0  \
    -o key-secret=sec0 demo.luks  10M

Now I can extract the data from the qcow2 image, writing it into the luks image:

$ qemu-img convert --target-image-opts \
    --object secret,data=123,id=sec0 -f qcow2 demo.qcow2 -n \
    driver=luks,file.filename=demo.luks,key-secret=sec0

NB, as mentioned above this is functionality only in GIT master right now from

commit 305b4c60f200ee8e6267ac75f3f5b5d09fda1079
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon May 15 17:47:11 2017 +0100

    qemu-img: introduce --target-image-opts for 'convert' command

So the first release this will be available in is the next QEMU 2.10 release.