3 # QAPI crypto definitions
6 # QCryptoTLSCredsEndpoint:
8 # The type of network endpoint that will be using the credentials.
9 # Most types of credential require different setup / structures
10 # depending on whether they will be used in a server versus a
13 # @client: the network endpoint is acting as the client
15 # @server: the network endpoint is acting as the server
19 { 'enum': 'QCryptoTLSCredsEndpoint',
20 'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
21 'data': ['client', 'server']}
25 # QCryptoSecretFormat:
27 # The data format that the secret is provided in
29 # @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used
30 # @base64: arbitrary base64 encoded binary data
33 { 'enum': 'QCryptoSecretFormat',
34 'prefix': 'QCRYPTO_SECRET_FORMAT',
35 'data': ['raw', 'base64']}
39 # QCryptoHashAlgorithm:
41 # The supported algorithms for computing content digests
43 # @md5: MD5. Should not be used in any new code, legacy compat only
44 # @sha1: SHA-1. Should not be used in any new code, legacy compat only
45 # @sha224: SHA-224. (since 2.7)
46 # @sha256: SHA-256. Current recommended strong hash.
47 # @sha384: SHA-384. (since 2.7)
48 # @sha512: SHA-512. (since 2.7)
49 # @ripemd160: RIPEMD-160. (since 2.7)
52 { 'enum': 'QCryptoHashAlgorithm',
53 'prefix': 'QCRYPTO_HASH_ALG',
54 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
58 # QCryptoCipherAlgorithm:
60 # The supported algorithms for content encryption ciphers
62 # @aes-128: AES with 128 bit / 16 byte keys
63 # @aes-192: AES with 192 bit / 24 byte keys
64 # @aes-256: AES with 256 bit / 32 byte keys
65 # @des-rfb: RFB specific variant of single DES. Do not use except in VNC.
66 # @cast5-128: Cast5 with 128 bit / 16 byte keys
67 # @serpent-128: Serpent with 128 bit / 16 byte keys
68 # @serpent-192: Serpent with 192 bit / 24 byte keys
69 # @serpent-256: Serpent with 256 bit / 32 byte keys
70 # @twofish-128: Twofish with 128 bit / 16 byte keys
71 # @twofish-192: Twofish with 192 bit / 24 byte keys
72 # @twofish-256: Twofish with 256 bit / 32 byte keys
75 { 'enum': 'QCryptoCipherAlgorithm',
76 'prefix': 'QCRYPTO_CIPHER_ALG',
77 'data': ['aes-128', 'aes-192', 'aes-256',
80 'serpent-128', 'serpent-192', 'serpent-256',
81 'twofish-128', 'twofish-192', 'twofish-256']}
87 # The supported modes for content encryption ciphers
89 # @ecb: Electronic Code Book
90 # @cbc: Cipher Block Chaining
91 # @xts: XEX with tweaked code book and ciphertext stealing
94 { 'enum': 'QCryptoCipherMode',
95 'prefix': 'QCRYPTO_CIPHER_MODE',
96 'data': ['ecb', 'cbc', 'xts']}
100 # QCryptoIVGenAlgorithm:
102 # The supported algorithms for generating initialization
103 # vectors for full disk encryption. The 'plain' generator
104 # should not be used for disks with sector numbers larger
105 # than 2^32, except where compatibility with pre-existing
106 # Linux dm-crypt volumes is required.
108 # @plain: 64-bit sector number truncated to 32-bits
109 # @plain64: 64-bit sector number
110 # @essiv: 64-bit sector number encrypted with a hash of the encryption key
113 { 'enum': 'QCryptoIVGenAlgorithm',
114 'prefix': 'QCRYPTO_IVGEN_ALG',
115 'data': ['plain', 'plain64', 'essiv']}
118 # QCryptoBlockFormat:
120 # The supported full disk encryption formats
122 # @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
123 # for liberating data from old images.
124 # @luks: LUKS encryption format. Recommended for new images
128 { 'enum': 'QCryptoBlockFormat',
129 # 'prefix': 'QCRYPTO_BLOCK_FORMAT',
130 'data': ['qcow', 'luks']}
133 # QCryptoBlockOptionsBase:
135 # The common options that apply to all full disk
138 # @format: the encryption format
142 { 'struct': 'QCryptoBlockOptionsBase',
143 'data': { 'format': 'QCryptoBlockFormat' }}
146 # QCryptoBlockOptionsQCow:
148 # The options that apply to QCow/QCow2 AES-CBC encryption format
150 # @key-secret: #optional the ID of a QCryptoSecret object providing the
151 # decryption key. Mandatory except when probing image for
156 { 'struct': 'QCryptoBlockOptionsQCow',
157 'data': { '*key-secret': 'str' }}
160 # QCryptoBlockOptionsLUKS:
162 # The options that apply to LUKS encryption format
164 # @key-secret: #optional the ID of a QCryptoSecret object providing the
165 # decryption key. Mandatory except when probing image for
169 { 'struct': 'QCryptoBlockOptionsLUKS',
170 'data': { '*key-secret': 'str' }}
174 # QCryptoBlockCreateOptionsLUKS:
176 # The options that apply to LUKS encryption format initialization
178 # @cipher-alg: #optional the cipher algorithm for data encryption
179 # Currently defaults to 'aes'.
180 # @cipher-mode: #optional the cipher mode for data encryption
181 # Currently defaults to 'cbc'
182 # @ivgen-alg: #optional the initialization vector generator
183 # Currently defaults to 'essiv'
184 # @ivgen-hash-alg: #optional the initialization vector generator hash
185 # Currently defaults to 'sha256'
186 # @hash-alg: #optional the master key hash algorithm
187 # Currently defaults to 'sha256'
190 { 'struct': 'QCryptoBlockCreateOptionsLUKS',
191 'base': 'QCryptoBlockOptionsLUKS',
192 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
193 '*cipher-mode': 'QCryptoCipherMode',
194 '*ivgen-alg': 'QCryptoIVGenAlgorithm',
195 '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
196 '*hash-alg': 'QCryptoHashAlgorithm'}}
200 # QCryptoBlockOpenOptions:
202 # The options that are available for all encryption formats
203 # when opening an existing volume
207 { 'union': 'QCryptoBlockOpenOptions',
208 'base': 'QCryptoBlockOptionsBase',
209 'discriminator': 'format',
210 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
211 'luks': 'QCryptoBlockOptionsLUKS' } }
215 # QCryptoBlockCreateOptions:
217 # The options that are available for all encryption formats
218 # when initializing a new volume
222 { 'union': 'QCryptoBlockCreateOptions',
223 'base': 'QCryptoBlockOptionsBase',
224 'discriminator': 'format',
225 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
226 'luks': 'QCryptoBlockCreateOptionsLUKS' } }