import LUKS encrypted diskimage

s3bbo

Oct 19, 2021
Hi,

I started migrating some KVM/QEMU VMs from a bare metal / regular server (running Debian) to my new Proxmox server. So far it works quite well. Thanks for this really polished virtualization environment!

Today I wanted to migrate my Nextcloud VM. It consists of a disk image for the Debian OS and one LUKS encrypted disk image that only holds Nextcloud user data and will be mounted at runtime so that Nextcloud (it is a non-docker Apache install) can access it.

I could import the Nextcloud disk image (the OS) just fine, but when I import the data image, I get:

Code:
root@hostname:~# qm importdisk 160 nextcloud_data.img local
importing disk 'nextcloud_data.img' to VM 160 ...
Formatting '/var/lib/vz/images/160/vm-160-disk-1.raw', fmt=raw size=17177772032
transferred 0.0 B of 16.0 GiB (0.00%)
qemu-img: Could not open 'nextcloud_data.img': Parameter 'key-secret' is required for cipher
copy failed: command '/usr/bin/qemu-img convert -p -n -O raw nextcloud_data.img zeroinit:/var/lib/vz/images/160/vm-160-disk-1.raw' failed: exit code 1

I googled a bit and found that qemu-img can be passed the LUKS keys (although I'm unsure how exactly this works). But how do I do it with the qm importdisk that is used as a wrapper around it?

Anyone done this before? Any workaround or solution?

thx
 
Hmm, that image is already a raw one? You could try to copy / move it directly to where it is expected to be, e.g.: /var/lib/vz/images/160/vm-160-disk-1.raw.

Then run qm rescan, which should cause it to pop up as an unused disk in the VM's config. You can then attach the disk and configure it the way you want to.
I suspect that it should work, and you should be able to unlock it from inside the VM.
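
The copy-and-rescan approach from the reply above, as an added shell example that is not part of the original thread. It first confirms the file starts with the LUKS header magic (the format qemu-img detected when it asked for key-secret), then copies the ciphertext unchanged and verifies the copy; the function names luks_version and stage_luks_image are hypothetical, and the path, VM ID and disk index are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect a LUKS container by its header
# and stage it byte-for-byte instead of converting it with qemu-img.

# Print the LUKS header version (1 or 2) of a file, or return 1 if the file
# does not start with the LUKS magic "LUKS\xba\xbe".
luks_version() {
    # First 8 bytes: 6-byte magic followed by a big-endian 16-bit version.
    hdr=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Copy a LUKS image unchanged to the volume path and verify the copy.
# $1 = source image, $2 = images directory, $3 = VM ID, $4 = disk index
stage_luks_image() {
    src=$1; dir=$2/$3; dst=$dir/vm-$3-disk-$4.raw
    ver=$(luks_version "$src") || { echo "not a LUKS image: $src" >&2; return 1; }
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    mkdir -p "$dir" && cp "$src" "$dst" || return 1
    # The ciphertext must be identical, otherwise the guest cannot unlock it.
    cmp -s "$src" "$dst" || { echo "copy mismatch: $dst" >&2; rm -f "$dst"; return 1; }
    echo "staged LUKS$ver image at $dst"
}

# On the Proxmox host, with the values from the thread:
#   stage_luks_image nextcloud_data.img /var/lib/vz/images 160 1
#   qm rescan
```

The passphrase never touches the host this way: the image stays encrypted on the storage and is unlocked only inside the VM.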
 
Thanks a lot for your answer.

Apparently it came 30 minutes late :|

Because I didn't receive an answer before (and did not know I could simply manually put the image there and rescan), I went the pragmatic approach and just decided to simply increase the OS disk image and, instead of mounting the Nextcloud data from an external LUKS disk image, moved it into the OS disk image. So I re-imported the OS disk image including "payload" and that worked (as written in the first post).
(Backup-wise it does not make a great difference, borg will find the data where it used to be and I do not see any difference in having 1x 32GB disk image instead of 2x16 - and as the OS image is also encrypted... )

But if I find some time, I might try what you suggested.

thanks again + BR
 