Qemu compression & encryption

Well after I gave up on one VPS I’ve had for a long time, I picked up a handful of $5 ones worldwide… Some in nations I’ve been to, and others.. I’m not so sure I trust at all..

Which really calls into question just how much you can trust on the internet, especially when it’s data you can’t or seemingly don’t encrypt.. This is where Qemu’s qcow format can step in and provide either…

Or simply you are on a particular VPS, and you want to run something completely different, but you don’t want to be short of disk space.

From what I’ve found with qemu it’s quite easy, with only one snag for the whole thing. That being no matter if you decide to Compress or Encrypt, you can only CONVERT a disk into this schema, not create one.

So if you have an existing disk image, it’s a snap, otherwise, it’s a 2 step process that I’m sure is here for a good reason. Anyways the process for both goes like this:

qemu-img create -f qcow2 template.disk 2G
Formatting 'template.disk', fmt=qcow2 size=2147483648 encryption=off cluster_size=0

qemu-img convert template.disk -O qcow2 compressed.disk -c

qemu-img convert template.disk -O qcow2 encrypted.disk -e
Disk image 'encrypted.disk' is encrypted.
Password: password

Which naturally first creates a 2GB ‘template’ disk, from which we then create a compressed disk and an encrypted disk image. And it is here where the encryption will ask you for a password… Sadly it doesn’t verify your input, so make sure you type it in correctly. Thankfully the original isn’t destroyed so if you screw it up you can encrypt it again……
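Before copying the converted image to a host you don't trust, you can confirm that it really is flagged as encrypted by reading the crypt_method field from the qcow2 header. This is an added example, not part of the original post; the function names and sample headers are constructed for illustration, and the check only shows that encryption is enabled, not that the password was typed correctly.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# crypt_method values defined by the qcow2 header format
# (2 = LUKS only exists in QEMU releases newer than the one in this post).
CRYPT_METHODS = {0: "none", 1: "aes", 2: "luks"}
# Big-endian header prefix: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size, crypt_method (36 bytes total).
HEADER = struct.Struct(">4sIQIIQI")


def parse_qcow2_header(raw: bytes) -> dict:
    """Decode the fixed qcow2 header prefix and name the encryption method."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated qcow2 header")
    magic, version, _, _, cluster_bits, size, crypt = HEADER.unpack_from(raw)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (bad magic)")
    if version < 2:
        raise ValueError("unsupported qcow2 version %d" % version)
    return {
        "version": version,
        "virtual_size": size,
        "cluster_size": 1 << cluster_bits,
        "encryption": CRYPT_METHODS.get(crypt, "unknown(%d)" % crypt),
    }


def image_is_encrypted(path: str) -> bool:
    """True if the image at `path` has any encryption method set."""
    with open(path, "rb") as fh:
        return parse_qcow2_header(fh.read(HEADER.size))["encryption"] != "none"


# Constructed sample headers (not captured from real images): a 2G disk
# with 64 KiB clusters, once with crypt_method=1 and once with 0.
SAMPLE_ENCRYPTED = HEADER.pack(QCOW2_MAGIC, 2, 0, 0, 16, 2147483648, 1)
SAMPLE_PLAIN = HEADER.pack(QCOW2_MAGIC, 2, 0, 0, 16, 2147483648, 0)

if __name__ == "__main__":
    for name, raw in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(name, parse_qcow2_header(raw))
```

Run against the files from the steps above, image_is_encrypted("encrypted.disk") should return True and image_is_encrypted("compressed.disk") should return False.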

So now mounting the compressed disk is no different than before, however the encrypted one will need a password, passed to the qemu monitor…

Now you may want to run this behind something like screen if you are on any *NIX or telnet into yourself if you are on Windows to shove the service in the background to not rely on a console… So I’ve worked up this:

qemu -L pc-bios -hda encrypted.disk -monitor telnet:127.0.0.1:23,server

And for UNIX people who can run it interactively because their stdio driver isn’t broken..

qemu -L pc-bios -hda encrypted.disk -monitor stdio

Now when you start either one, Qemu will start paused, and you must continue, then enter the disk’s password (if you have more than one disk, it’ll pause and ask for each disk!), then it’ll execute.

QEMU 0.11.1 monitor - type 'help' for more information
(qemu) c
ide0-hd0 (encrypted.disk) is encrypted.
Password: ********
(qemu)

And away you go… From what I understand qemu uses zlib for the compression, and AES for the encryption… Which for free is snazzy, so enjoy!
