nasbackup.sh: add LUKS encryption for backup files via -e flag#12848
nasbackup.sh: add LUKS encryption for backup files via -e flag#12848jmsperu wants to merge 1 commit intoapache:4.20from
Conversation
Add -e/--encrypt flag that accepts a passphrase file path and encrypts all qcow2 backup files using LUKS encryption via qemu-img convert. The passphrase is read from a file (not command-line) to avoid exposure in process listings. Encryption is applied after backup completes, for both running and stopped VM backup paths. Encrypted backups use the standard qcow2+LUKS format supported by QEMU, so they can be decrypted with qemu-img or mounted directly by any QEMU/libvirt tooling that supports LUKS. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## 4.20 #12848 +/- ##
=========================================
Coverage 16.24% 16.25%
- Complexity 13411 13413 +2
=========================================
Files 5664 5664
Lines 500463 500463
Branches 60779 60779
=========================================
+ Hits 81308 81334 +26
+ Misses 410059 410035 -24
+ Partials 9096 9094 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
Adds optional encryption for KVM NAS VM backups by post-processing generated QCOW2 images with LUKS encryption when a passphrase file is provided.
Changes:
- Introduce
encrypt_backup()helper that converts*.qcow2backups to LUKS-encrypted QCOW2 usingqemu-img. - Invoke encryption step after both running-VM and stopped-VM backup flows.
- Add
-e|--encrypt <passphrase file>CLI option and update usage text accordingly.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| if qemu-img convert -O qcow2 \ | ||
| --object "secret,id=sec0,file=$ENCRYPT_PASSFILE" \ | ||
| -o "encrypt.format=luks,encrypt.key-secret=sec0" \ | ||
| "$img" "$tmp_img" 2>&1 | tee -a "$logFile"; then |
| if [[ ! -f "$ENCRYPT_PASSFILE" ]]; then | ||
| echo "Encryption passphrase file not found: $ENCRYPT_PASSFILE" | ||
| exit 1 | ||
| fi |
|
Hi @jmsperu One more suggestion is that it would be easier for reviewers and testers to work on the PRs if they are combined into one PRs as they all deal with adding new flags to nasbackup.sh? Thanks again for your efforts. |
Summary
-e/--encrypt <passphrase-file>flag that encrypts backup qcow2 files using LUKS encryptionqemu-img convertwith--object secretandencrypt.format=luks— standard qcow2+LUKS format/proc/*/cmdlineMotivation
NAS backup targets are often shared storage accessible to multiple hosts and administrators. Unencrypted VM disk backups on NFS expose sensitive data (databases, credentials, user files) to anyone with NFS access.
LUKS-encrypted qcow2 is the standard QEMU encryption format, supported by all QEMU/libvirt tooling. The passphrase file can be managed by CloudStack and stored securely on the agent host (e.g. in
/etc/cloudstack/agent/), separate from the backup data on NFS.Design
-eflag by the CloudStack agentencrypt_backup()iterates over all.qcow2files in the backup directoryqemu-img convert -O qcow2 --object secret ... -o encrypt.format=luks ...qemu-img convertTest plan
-e— verify no encryption, identical to current behavior-e /path/to/passphrase— verify qcow2 files are LUKS-encrypted (qemu-img infoshowsencrypted: yes)qemu-img convert --object secret ...— verify data integrity