Description of problem:
size of luks-encrypted qcow2 image exceeds the required in qemu-img measure output.

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.10.0-19.el7
kernel-3.10.0-843.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. use qemu-img measure to estimate the size of a newly created qcow2 image.
   # qemu-img measure -O qcow2 --size 4G
   Or
   # qemu-img measure -O qcow2 --size 4G -o encrypt.format=luks
2. create one qcow2 encrypted with luks and a plain one.
   # qemu-img create --object secret,id=sec0,data=redhat -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 test1.qcow2 4G
   # qemu-img create -f qcow2 test2.qcow2 4G
3. get the size of those two images.
   # ll

Actual results:
1.
   # qemu-img measure -O qcow2 --size 4G
   required size: 917504
   fully allocated size: 4295884800
   # qemu-img measure -O qcow2 --size 4G -o encrypt.format=luks
   required size: 917504
   fully allocated size: 4295884800
3.
   # ll
   ...
   -rw-r--r-- 1 root root 2359296 Feb 7 02:45 test1.qcow2
   -rw-r--r-- 1 root root 196672 Feb 7 02:45 test2.qcow2
   ...

luks encrypted qcow2: test1.qcow2 is about 2.3M in size, which exceeds the required size: 917504 - 0.87M. The estimation is 1/3 of the actual size allocated.

Expected results:
qemu-img should support size estimation of luks-encrypted image thus the actual size allocated by luks-encrypted image should be smaller than the estimated.
Or
   # qemu-img measure -O qcow2 --size 4G -o encrypt.format=luks
should prompt info that suggests this is not supported.

Additional info:
The LUKS header has a couple of MB approx size overhead. The size is independent of the overall file size, but can vary depending on crypto parameters via a complex formula

    luks->header.payload_offset =
        (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE) +
        (ROUND_UP(DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE),
                  (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
                   QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) *
         QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);

and in qcow2 that then needs to be rounded up to nearest cluster size.

IOW, to get this info reported accurately, we would need to expose some API in the internal crypto code, up to the block layer. The user would also need to set their desired crypto options (cipher, keysize, etc).
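
The formula quoted in the comment above, worked through as an added example (not QEMU's code and not part of the original report). The macro values are the LUKS1 on-disk format defaults, which the page does not state; `splitkeylen` is assumed to be the key length times 4000 anti-forensic stripes, the 64 KiB cluster size is assumed, and the two function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constant values are the LUKS1 on-disk format defaults; the page names
 * the macros but does not give their values (assumption). */
#define QCRYPTO_BLOCK_LUKS_SECTOR_SIZE     512ULL
#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET 4096ULL
#define QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS   8ULL
#define LUKS_STRIPES                       4000ULL /* anti-forensic split factor */

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define ROUND_UP(n, d)     (DIV_ROUND_UP(n, d) * (d))

/* Hypothetical helper: payload offset in 512-byte sectors, following the
 * formula quoted in the comment. Assumes splitkeylen = key_bytes * stripes. */
uint64_t luks_payload_offset_sectors(uint64_t key_bytes)
{
    uint64_t align = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
                     QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
    uint64_t splitkeylen = key_bytes * LUKS_STRIPES;
    uint64_t slot_sectors = ROUND_UP(
        DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE), align);
    return align + slot_sectors * QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS;
}

/* Hypothetical helper: header bytes once rounded up to whole qcow2 clusters. */
uint64_t luks_header_bytes_in_qcow2(uint64_t key_bytes, uint64_t cluster_size)
{
    uint64_t bytes = luks_payload_offset_sectors(key_bytes) *
                     QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
    return ROUND_UP(bytes, cluster_size);
}

int main(void)
{
    const uint64_t cluster = 65536;          /* assumed qcow2 cluster size */
    const uint64_t keys[] = { 16, 32, 64 };  /* key sizes in bytes (constructed) */
    for (size_t i = 0; i < 3; i++) {
        printf("key=%2llu bytes: payload offset %llu sectors, "
               "%llu bytes in qcow2\n",
               (unsigned long long)keys[i],
               (unsigned long long)luks_payload_offset_sectors(keys[i]),
               (unsigned long long)luks_header_bytes_in_qcow2(keys[i], cluster));
    }
    return 0;
}
```

With a 64-byte key (an assumed value, as used by a 256-bit cipher in XTS mode) the header occupies 2097152 bytes of the qcow2 file, which accounts for most of the 2162624-byte difference between test1.qcow2 and test2.qcow2 in the report.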