Document that use of guest virtual sector numbers as the basis for the initialization vectors is a potential weakness, when combined with internal snapshots or multiple images using the same passphrase.
Signed-off-by: Daniel P. Berrange <[email protected]> --- qemu-img.texi | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/qemu-img.texi b/qemu-img.texi index 174aae3..8efcf89 100644 --- a/qemu-img.texi +++ b/qemu-img.texi @@ -554,6 +554,15 @@ change the passphrase to protect data in any qcow images. The files must be cloned, using a different encryption passphrase in the new file. The original file must then be securely erased using a program like shred, though even this is ineffective with many modern storage technologies. +@item Initialization vectors used to encrypt sectors are based on the +guest virtual sector number, instead of the host physical sector. When +a disk image has multiple internal snapshots this means that data in +multiple physical sectors is encrypted with the same initialization +vector. With the CBC mode, this opens the possibility of watermarking +attacks if the attack can collect multiple sectors encrypted with the +same IV and some predictable data. Having multiple qcow2 images with +the same passphrase also exposes this weakness since the passphrase +is directly used as the key. @end itemize Use of qcow / qcow2 encryption is thus strongly discouraged. Users are -- 2.9.3
