
nasbackup.sh: add LUKS encryption for backup files via -e flag #12848

Open
jmsperu wants to merge 1 commit into apache:4.20 from jmsperu:fix/nasbackup-encryption

Conversation


@jmsperu jmsperu commented Mar 17, 2026

Summary

  • Add -e/--encrypt <passphrase-file> flag that encrypts backup qcow2 files using LUKS encryption
  • Uses qemu-img convert with --object secret and encrypt.format=luks — standard qcow2+LUKS format
  • Passphrase is read from a file (not command-line) to avoid exposure in /proc/*/cmdline
  • Applied after backup completes, for both running and stopped VM paths
  • No encryption by default — existing behavior preserved

Motivation

NAS backup targets are often shared storage accessible to multiple hosts and administrators. Unencrypted VM disk backups on NFS expose sensitive data (databases, credentials, user files) to anyone with NFS access.

LUKS-encrypted qcow2 is the standard QEMU encryption format, supported by all QEMU/libvirt tooling. The passphrase file can be managed by CloudStack and stored securely on the agent host (e.g. in /etc/cloudstack/agent/), separate from the backup data on NFS.

Design

  • The passphrase file path is passed via -e flag by the CloudStack agent
  • encrypt_backup() iterates over all .qcow2 files in the backup directory
  • Each file is converted in-place: qemu-img convert -O qcow2 --object secret ... -o encrypt.format=luks ...
  • On encryption failure, the backup fails (no silent fallback to unencrypted)
  • For restore, the same passphrase file is needed to decrypt with qemu-img convert

Test plan

  • Backup without -e — verify no encryption, identical to current behavior
  • Backup with -e /path/to/passphrase — verify qcow2 files are LUKS-encrypted (qemu-img info shows encrypted: yes)
  • Backup with missing passphrase file — verify clean error and exit
  • Decrypt and restore an encrypted backup with qemu-img convert --object secret ... — verify data integrity
  • Verify encrypted backup cannot be read without passphrase

Add -e/--encrypt flag that accepts a passphrase file path and encrypts
all qcow2 backup files using LUKS encryption via qemu-img convert.

The passphrase is read from a file (not command-line) to avoid exposure
in process listings. Encryption is applied after backup completes,
for both running and stopped VM backup paths.

Encrypted backups use the standard qcow2+LUKS format supported by
QEMU, so they can be decrypted with qemu-img or mounted directly
by any QEMU/libvirt tooling that supports LUKS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
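The encrypt_backup() flow from the Design section, as an added example that is not the PR's own code and was not taken from the branch: a POSIX sh function that validates the passphrase file and converts each qcow2 with the --object secret and encrypt.format=luks options the PR names. The QEMU_IMG override and the .luks.tmp output name are assumptions of this example, not part of the PR.

```shell
#!/bin/sh
# Added example, not code from the PR: encrypt_backup() in the shape the
# PR's Design section describes. QEMU_IMG (override of the binary path) is
# an assumption of this example; the qemu-img options themselves are real.
QEMU_IMG="${QEMU_IMG:-qemu-img}"

# check_passfile FILE: 0 only if FILE is a readable, non-empty, private file.
check_passfile() {
    passfile=$1
    [ -f "$passfile" ] || { echo "passphrase file not found: $passfile" >&2; return 1; }
    [ -r "$passfile" ] || { echo "passphrase file not readable: $passfile" >&2; return 1; }
    [ -s "$passfile" ] || { echo "passphrase file is empty: $passfile" >&2; return 1; }
    # A world-readable key on the agent host defeats keeping it off the NAS.
    case $(ls -ld "$passfile") in
        ???????r*) echo "passphrase file $passfile is world-readable; refusing" >&2; return 1 ;;
    esac
    return 0
}

# encrypt_backup DIR PASSFILE: LUKS-encrypt every *.qcow2 in DIR. Output is
# written beside the original and renamed over it; any failure removes the
# partial output and returns non-zero, so a plaintext backup is never
# reported as encrypted (no silent fallback).
encrypt_backup() {
    dir=$1
    passfile=$2
    check_passfile "$passfile" || return 1
    for img in "$dir"/*.qcow2; do
        [ -e "$img" ] || continue    # unmatched glob: no qcow2 files
        tmp="$img.luks.tmp"
        # --object secret reads the passphrase from the file, so it never
        # appears in /proc/*/cmdline; encrypt.key-secret refers to its id.
        if ! "$QEMU_IMG" convert -f qcow2 -O qcow2 \
                --object secret,id=sec0,file="$passfile" \
                -o encrypt.format=luks,encrypt.key-secret=sec0 \
                "$img" "$tmp"; then
            echo "encryption failed for $img; backup aborted" >&2
            rm -f "$tmp"
            return 1
        fi
        mv -f "$tmp" "$img" || { rm -f "$tmp"; return 1; }
    done
    return 0
}
```

Renaming the encrypted image over the original does not scrub the plaintext blocks the NAS already wrote, so the window between backup completion and encryption is still worth accounting for.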