Description of problem:

I have a disk image which is encrypted:

  $ qemu-img info diff.qcow2
  Disk image 'diff.qcow2' is encrypted.
  password: ^C

guestfish hangs on this:

  $ guestfish -a diff.qcow2 -i
  [never returns]

Version-Release number of selected component (if applicable):

1.17.40

How reproducible:

100%

Steps to Reproduce:

1. Create an encrypted qcow2 image:

  qemu-img create -o encryption test.qcow2 10M

2. Open it with guestfish or another virt tool:

  guestfish -a test.qcow2 run
  virt-df -a test.qcow2
  etc.

Actual results:

It hangs.

Expected results:

Should fail predictably, or ask for a passphrase.

Additional info:

This is the reproducer:

  qemu-img create -f qcow2 -o encryption test.qcow2 10M
  virt-df -a test.qcow2

The virt-df command hangs. If you enable debugging (LIBGUESTFS_DEBUG=1) then you will notice that it hangs just after qemu is started, which is where it is asking for the passphrase.

It turns out the encryption key is passed to qemu using the monitor, which we don't yet use. However we'll need to use it when we support hotplugging, although it's probably easier to reserve this feature for libvirt users.

https://www.berrange.com/posts/2015/03/17/qemu-qcow2-built-in-encryption-just-say-no-deprecated-now-to-be-deleted-soon/

tl;dr

"So just to sum up. Do not ever use QCow2 built-in encryption as it exists today. It is unfixably broken by design. It is deprecated in QEMU 2.3.0 and is likely to be deleted in QEMU 2.4.0."
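
Added example (not libguestfs code, and not part of the original report): a caller that wants the "fail predictably" behaviour requested above can read the crypt_method field of the qcow2 header before handing the image to qemu, so nothing ever waits on a passphrase prompt. The field offset and values follow the qcow2 on-disk format specification; make_header, check_image and the sample headers are constructed for this example.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# crypt_method values defined by the qcow2 on-disk format specification
CRYPT_METHODS = {0: "none", 1: "aes", 2: "luks"}


def qcow2_crypt_method(header: bytes) -> str:
    """Return the encryption method named in a qcow2 header.

    Raises ValueError if the bytes are not a qcow2 (version >= 2) header.
    """
    if len(header) < 36:
        raise ValueError("short read: need at least 36 header bytes")
    magic, version = struct.unpack_from(">4sI", header, 0)
    if magic != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    if version < 2:
        # qcow version 1 uses a different header layout
        raise ValueError(f"unsupported qcow version {version}")
    # crypt_method is a big-endian u32 at byte offset 32
    (crypt,) = struct.unpack_from(">I", header, 32)
    return CRYPT_METHODS.get(crypt, f"unknown({crypt})")


def check_image(path: str) -> str:
    """Read only the first 36 bytes of the file; qemu is never started."""
    with open(path, "rb") as f:
        return qcow2_crypt_method(f.read(36))


def make_header(crypt: int, version: int = 2) -> bytes:
    """Constructed sample header: 10M virtual size, 64K clusters."""
    # magic, version, backing_file_offset, backing_file_size,
    # cluster_bits, size, crypt_method
    return struct.pack(">4sIQIIQI", QCOW_MAGIC, version, 0, 0, 16,
                       10 * 1024 * 1024, crypt)


if __name__ == "__main__":
    for crypt in (0, 1, 2):
        method = qcow2_crypt_method(make_header(crypt))
        action = "open" if method == "none" else "refuse: image is encrypted"
        print(f"crypt_method={crypt} -> {method}: {action}")
```

A tool would call check_image() on each disk it is given and exit with an error when the result is anything other than "none".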