X-Git-Url: http://git.annexia.org/?p=libguestfs.git;a=blobdiff_plain;f=src%2Fguestfs.pod;h=5a2e7a5e28cfb0a4c8676e66a0e92589b71dafc0;hp=2fa3acebe842b2695df9e5b91cd5c32be9686e4a;hb=2fd8c259d3daa88b0cdf98090bb57f3dbd178432;hpb=dbfd93b72f99ebdded394541a48177c415db8cbf diff --git a/src/guestfs.pod b/src/guestfs.pod index 2fa3ace..5a2e7a5 100644 --- a/src/guestfs.pod +++ b/src/guestfs.pod @@ -450,6 +450,37 @@ L after creating each file or directory. For more information about umask, see L. +=head2 ENCRYPTED DISKS + +Libguestfs allows you to access Linux guests which have been +encrypted using whole disk encryption that conforms to the +Linux Unified Key Setup (LUKS) standard. This includes +nearly all whole disk encryption systems used by modern +Linux guests. + +Use L to identify LUKS-encrypted block +devices (it returns the string C). + +Then open these devices by calling L. +Obviously you will require the passphrase! + +Opening a LUKS device creates a new device mapper device +called C (where C is the +string you supply to L). +Reads and writes to this mapper device are decrypted from and +encrypted to the underlying block device respectively. + +LVM volume groups on the device can be made visible by calling +L followed by L. +The logical volume(s) can now be mounted in the usual way. + +Use the reverse process to close a LUKS device. Unmount +any logical volumes on it, deactivate the volume groups +by caling C. +Then close the mapper device by calling +L on the C +device (I the underlying encrypted block device). + =head2 SPECIAL CONSIDERATIONS FOR WINDOWS GUESTS Libguestfs can mount NTFS partitions. It does this using the 
@@ -612,6 +643,27 @@ the error message was also unintuitive, but we have corrected this since. Like the Bourne shell, we should have used C to run commands. +=item guestfish megabyte modifiers don't work right on all commands + +In recent guestfish you can use C<1M> to mean 1 megabyte (and +similarly for other modifiers). What guestfish actually does is to +multiply the number part by the modifier part and pass the result to +the C API. However this doesn't work for a few APIs which aren't +expecting bytes, but are already expecting some other unit +(eg. megabytes). + +The most common is L. The guestfish command: + + lvcreate LV VG 100M + +does not do what you might expect. Instead because +L is already expecting megabytes, this tries to +create a 100 I (100 megabytes * megabytes) logical volume. +The error message you get from this is also a little obscure. + +This could be fixed in the generator by specially marking parameters +and return values which take bytes or other units. + =item Protocol limit of 256 characters for error messages This limit is both rather small and quite unnecessary. We should be @@ -654,6 +706,21 @@ L and L document how to do this. You might also consider mounting the disk image using our FUSE filesystem support (L). +=head2 KEYS AND PASSPHRASES + +Certain libguestfs calls take a parameter that contains sensitive key +material, passed in as a C string. + +In the future we would hope to change the libguestfs implementation so +that keys are L-ed into physical RAM, and thus can never end +up in swap. However this is I done at the moment, because of the +complexity of such an implementation. + +Therefore you should be aware that any key parameter you pass to +libguestfs might end up being written out to the swap partition. If +this is a concern, scrub the swap partition or don't use libguestfs on +encrypted devices. + =head1 CONNECTION MANAGEMENT =head2 guestfs_h *
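Review bot: In the ENCRYPTED DISKS hunk (@@ -450,6 +450,37 @@), the new section says "Obviously you will require the passphrase!" but never points the reader at the KEYS AND PASSPHRASES section added later in this same patch, which is where the caveat that the passphrase may be written to swap lives; add an L<> cross-reference from the luks_open paragraph to that section so the warning is seen at the point where the key is actually supplied. The closing paragraph also has a typo, "by caling C" should read "by calling C", and it would read better as a numbered reverse sequence (unmount, deactivate VGs, close the mapper device) mirroring the opening sequence above it.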
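Review bot: In the guestfish megabyte modifiers hunk (@@ -612,6 +643,27 @@), the entry explains the failure mode of "lvcreate LV VG 100M" but never states the workaround, which follows directly from the text: since the lvcreate API already takes megabytes, the user should pass a bare number ("lvcreate LV VG 100") and avoid the modifier on any command that is documented as taking a non-byte unit. Consider stating that explicitly, and replacing "The most common is L" with a list of the affected calls so users do not have to discover them from the obscure error message. Minor wording: "eg." should be "e.g." and "Instead because" needs a comma after "Instead".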
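Review bot: In the KEYS AND PASSPHRASES hunk (@@ -654,6 +706,21 @@), the section only covers the copy of the key that libguestfs holds; since the key is "passed in as a C string", the caller keeps its own copy in its address space, which an mlock-based fix inside libguestfs could never protect. Add a sentence saying the caller is responsible for clearing its own key buffer after the call returns, so that the "mlock-ed into physical RAM" plan is not read as a complete solution. The final advice ("scrub the swap partition or don't use libguestfs on encrypted devices") would also be clearer if it said when the scrub is needed, i.e. after the handle that was given the key has been closed.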