nasbackup.sh: add LUKS encryption for backup files via -e flag #12848

Open
jmsperu wants to merge 1 commit into apache:4.20 from jmsperu:fix/nasbackup-encryption

@jmsperu jmsperu commented Mar 17, 2026

Summary

  • Add -e/--encrypt <passphrase-file> flag that encrypts backup qcow2 files using LUKS encryption
  • Uses qemu-img convert with --object secret and encrypt.format=luks — standard qcow2+LUKS format
  • Passphrase is read from a file (not command-line) to avoid exposure in /proc/*/cmdline
  • Applied after backup completes, for both running and stopped VM paths
  • No encryption by default — existing behavior preserved

Motivation

NAS backup targets are often shared storage accessible to multiple hosts and administrators. Unencrypted VM disk backups on NFS expose sensitive data (databases, credentials, user files) to anyone with NFS access.

LUKS-encrypted qcow2 is the standard QEMU encryption format, supported by all QEMU/libvirt tooling. The passphrase file can be managed by CloudStack and stored securely on the agent host (e.g. in /etc/cloudstack/agent/), separate from the backup data on NFS.

Design

  • The passphrase file path is passed via -e flag by the CloudStack agent
  • encrypt_backup() iterates over all .qcow2 files in the backup directory
  • Each file is converted in-place: qemu-img convert -O qcow2 --object secret ... -o encrypt.format=luks ...
  • On encryption failure, the backup fails (no silent fallback to unencrypted)
  • For restore, the same passphrase file is needed to decrypt with qemu-img convert

Test plan

  • Backup without -e — verify no encryption, identical to current behavior
  • Backup with -e /path/to/passphrase — verify qcow2 files are LUKS-encrypted (qemu-img info shows encrypted: yes)
  • Backup with missing passphrase file — verify clean error and exit
  • Decrypt and restore an encrypted backup with qemu-img convert --object secret ... — verify data integrity
  • Verify encrypted backup cannot be read without passphrase

Add -e/--encrypt flag that accepts a passphrase file path and encrypts
all qcow2 backup files using LUKS encryption via qemu-img convert.

The passphrase is read from a file (not command-line) to avoid exposure
in process listings. Encryption is applied after backup completes,
for both running and stopped VM backup paths.

Encrypted backups use the standard qcow2+LUKS format supported by
QEMU, so they can be decrypted with qemu-img or mounted directly
by any QEMU/libvirt tooling that supports LUKS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
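
The design requires that a failed encryption fails the backup. The following added example, which is not code from the pull request or from nasbackup.sh, shows that this guarantee depends on how the conversion's exit status is tested when its output is piped to a logger. `CONVERT` is a hypothetical stand-in for the `qemu-img convert` call, and the function names are assumptions.

```bash
#!/bin/sh
# Added example (not from nasbackup.sh). CONVERT stands in for the
# qemu-img convert call so this runs without QEMU; the default "false"
# simulates a conversion that fails. All names here are hypothetical.
CONVERT=${CONVERT:-false}

# Piped form: without pipefail the `if` tests tee's exit status,
# so a failed conversion still takes the success branch.
encrypt_piped() {   # $1 = image, $2 = log file
    if $CONVERT "$1" "$1.enc.tmp" 2>&1 | tee -a "$2" >/dev/null; then
        return 0
    fi
    return 1
}

# Redirected form: the `if` tests the converter's own status. The
# original image is replaced only after success; on failure the partial
# output is removed and the caller gets a non-zero status.
encrypt_checked() { # $1 = image, $2 = log file
    if $CONVERT "$1" "$1.enc.tmp" >>"$2" 2>&1 && mv -f "$1.enc.tmp" "$1"; then
        return 0
    fi
    rm -f "$1.enc.tmp"
    return 1
}

# Run both forms against a constructed empty image file and report
# which branch each one took.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/vm.qcow2"
    if encrypt_piped "$dir/vm.qcow2" "$dir/log"; then p=success; else p=failure; fi
    if encrypt_checked "$dir/vm.qcow2" "$dir/log"; then c=success; else c=failure; fi
    rm -rf "$dir"
    echo "piped=$p checked=$c"
}

demo   # prints: piped=success checked=failure
```

In bash, `set -o pipefail` makes the piped form report the converter's failure as well; the redirected form does not depend on that option.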

codecov bot commented Mar 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 16.25%. Comparing base (61afb4c) to head (55e3e1c).

Additional details and impacted files
@@            Coverage Diff            @@
##               4.20   #12848   +/-   ##
=========================================
  Coverage     16.24%   16.25%           
- Complexity    13411    13413    +2     
=========================================
  Files          5664     5664           
  Lines        500463   500463           
  Branches      60779    60779           
=========================================
+ Hits          81308    81334   +26     
+ Misses       410059   410035   -24     
+ Partials       9096     9094    -2     
Flag Coverage Δ
uitests 4.15% <ø> (ø)
unittests 17.10% <ø> (+<0.01%) ⬆️


Copilot AI left a comment

Pull request overview

Adds optional encryption for KVM NAS VM backups by post-processing generated QCOW2 images with LUKS encryption when a passphrase file is provided.

Changes:

  • Introduce encrypt_backup() helper that converts *.qcow2 backups to LUKS-encrypted QCOW2 using qemu-img.
  • Invoke encryption step after both running-VM and stopped-VM backup flows.
  • Add -e|--encrypt <passphrase file> CLI option and update usage text accordingly.


Comment on lines +101 to +104
if qemu-img convert -O qcow2 \
--object "secret,id=sec0,file=$ENCRYPT_PASSFILE" \
-o "encrypt.format=luks,encrypt.key-secret=sec0" \
"$img" "$tmp_img" 2>&1 | tee -a "$logFile"; then
if [[ ! -f "$ENCRYPT_PASSFILE" ]]; then
echo "Encryption passphrase file not found: $ENCRYPT_PASSFILE"
exit 1
fi
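
Review bot: In the `if qemu-img convert ... 2>&1 | tee -a "$logFile"; then` condition, the `if` evaluates the exit status of the pipeline, which is `tee`'s status unless `set -o pipefail` is in effect at this point, and the excerpt does not show that it is. Without pipefail a failed conversion takes the success branch, which conflicts with the stated design of failing the backup on encryption failure. Either confirm pipefail is set for the script, or drop the pipe and append to the log with `>> "$logFile" 2>&1` so the condition tests qemu-img directly. In the passphrase check, `[[ ! -f "$ENCRYPT_PASSFILE" ]]` only tests that a regular file exists; adding `-r` and `-s` tests would reject an unreadable or empty file before any image is converted, and the error message could go to stderr and `$logFile` rather than stdout only.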