2@c man begin SYNOPSIS
   3@command{qemu-img} [@var{standard} @var{options}] @var{command} [@var{command} @var{options}]
   4@c man end
   5@end example
   7@c man begin DESCRIPTION
   8qemu-img allows you to create, convert and modify images offline. It can handle
   9all image formats supported by QEMU.
  11@b{Warning:} Never use qemu-img to modify images in use by a running virtual
  12machine or any other process; this may destroy the image. Also, be aware that
  13querying an image that is being modified by another process may encounter
  14inconsistent state.
  15@c man end
  17@c man begin OPTIONS
  19Standard options:
  20@table @option
  21@item -h, --help
  22Display this help and exit
  23@item -V, --version
  24Display version information and exit
  25@item -T, --trace [[enable=]@var{pattern}][,events=@var{file}][,file=@var{file}]
  26@findex --trace
  27@include qemu-option-trace.texi
  28@end table
  30The following commands are supported:
  32@include qemu-img-cmds.texi
  34Command parameters:
  35@table @var
  37@item filename
  38is a disk image filename
  40@item fmt
  41is the disk image format. It is guessed automatically in most cases. See below
  42for a description of the supported disk formats.
  44@item size
  45is the disk image size in bytes. Optional suffixes @code{k} or @code{K}
  46(kilobyte, 1024) @code{M} (megabyte, 1024k) and @code{G} (gigabyte, 1024M)
  47and T (terabyte, 1024G) are supported.  @code{b} is ignored.
  49@item output_filename
  50is the destination disk image filename
  52@item output_fmt
  53is the destination format
  55@item options
  56is a comma separated list of format specific options in a
  57name=value format. Use @code{-o ?} for an overview of the options supported
  58by the used format or see the format descriptions below for details.
  60@item snapshot_param
  61is param used for internal snapshot, format is
  62'snapshot.id=[ID],snapshot.name=[NAME]' or '[ID_OR_NAME]'
  64@end table
  66@table @option
  68@item --object @var{objectdef}
  69is a QEMU user creatable object definition. See the @code{qemu(1)} manual
  70page for a description of the object properties. The most common object
  71type is a @code{secret}, which is used to supply passwords and/or encryption
  74@item --image-opts
  75Indicates that the source @var{filename} parameter is to be interpreted as a
  76full option string, not a plain filename. This parameter is mutually
  77exclusive with the @var{-f} parameter.
  79@item --target-image-opts
  80Indicates that the @var{output_filename} parameter(s) are to be interpreted as
  81a full option string, not a plain filename. This parameter is mutually
  82exclusive with the @var{-O} parameters. It is currently required to also use
  83the @var{-n} parameter to skip image creation. This restriction may be relaxed
  84in a future release.
  86@item --force-share (-U)
  87If specified, @code{qemu-img} will open the image in shared mode, allowing
  88other QEMU processes to open it in write mode. For example, this can be used to
  89get the image information (with 'info' subcommand) when the image is used by a
  90running guest.  Note that this could produce inconsistent results because of
  91concurrent metadata changes, etc. This option is only allowed when opening
  92images in read-only mode.
  94@item --backing-chain
  95will enumerate information about backing files in a disk image chain. Refer
  96below for further description.
  98@item -c
  99indicates that target image must be compressed (qcow format only)
 101@item -h
 102with or without a command shows help and lists the supported formats
 104@item -p
 105display progress bar (compare, convert and rebase commands only).
 106If the @var{-p} option is not used for a command that supports it, the
 107progress is reported when the process receives a @code{SIGUSR1} or
 108@code{SIGINFO} signal.
 110@item -q
 111Quiet mode - do not print any output (except errors). There's no progress bar
 112in case both @var{-q} and @var{-p} options are used.
 114@item -S @var{size}
 115indicates the consecutive number of bytes that must contain only zeros
 116for qemu-img to create a sparse image during conversion. This value is rounded
 117down to the nearest 512 bytes. You may use the common size suffixes like
 118@code{k} for kilobytes.
 120@item -t @var{cache}
 121specifies the cache mode that should be used with the (destination) file. See
 122the documentation of the emulator's @code{-drive cache=...} option for allowed
 125@item -T @var{src_cache}
 126specifies the cache mode that should be used with the source file(s). See
 127the documentation of the emulator's @code{-drive cache=...} option for allowed
 130@end table
 132Parameters to snapshot subcommand:
 134@table @option
 136@item snapshot
 137is the name of the snapshot to create, apply or delete
 138@item -a
 139applies a snapshot (revert disk to saved state)
 140@item -c
 141creates a snapshot
 142@item -d
 143deletes a snapshot
 144@item -l
 145lists all snapshots in the given image
 146@end table
 148Parameters to compare subcommand:
 150@table @option
 152@item -f
 153First image format
 154@item -F
 155Second image format
 156@item -s
 157Strict mode - fail on different image size or sector allocation
 158@end table
 160Parameters to convert subcommand:
 162@table @option
 164@item -n
 165Skip the creation of the target volume
 166@item -m
 167Number of parallel coroutines for the convert process
 168@item -W
 169Allow out-of-order writes to the destination. This option improves performance,
 170but is only recommended for preallocated devices like host devices or other
 171raw block devices.
 172@item -C
 173Try to use copy offloading to move data from source image to target. This may
 174improve performance if the data is remote, such as with NFS or iSCSI backends,
 175but will not automatically sparsify zero sectors, and may result in a fully
 176allocated target image depending on the host support for getting allocation
 178@end table
 180Parameters to dd subcommand:
 182@table @option
 184@item bs=@var{block_size}
 185defines the block size
 186@item count=@var{blocks}
 187sets the number of input blocks to copy
 188@item if=@var{input}
 189sets the input file
 190@item of=@var{output}
 191sets the output file
 192@item skip=@var{blocks}
 193sets the number of input blocks to skip
 194@end table
 196Command description:
 198@table @option
 200@item amend [--object @var{objectdef}] [--image-opts] [-p] [-p] [-f @var{fmt}] [-t @var{cache}] -o @var{options} @var{filename}
 202Amends the image format specific @var{options} for the image file
 203@var{filename}. Not all file formats support this operation.
 205@item bench [-c @var{count}] [-d @var{depth}] [-f @var{fmt}] [--flush-interval=@var{flush_interval}] [-n] [--no-drain] [-o @var{offset}] [--pattern=@var{pattern}] [-q] [-s @var{buffer_size}] [-S @var{step_size}] [-t @var{cache}] [-w] [-U] @var{filename}
 207Run a simple sequential I/O benchmark on the specified image. If @code{-w} is
 208specified, a write test is performed, otherwise a read test is performed.
 210A total number of @var{count} I/O requests is performed, each @var{buffer_size}
 211bytes in size, and with @var{depth} requests in parallel. The first request
 212starts at the position given by @var{offset}, each following request increases
 213the current position by @var{step_size}. If @var{step_size} is not given,
 214@var{buffer_size} is used for its value.
 216If @var{flush_interval} is specified for a write test, the request queue is
 217drained and a flush is issued before new writes are made whenever the number of
 218remaining requests is a multiple of @var{flush_interval}. If additionally
 219@code{--no-drain} is specified, a flush is issued without draining the request
 220queue first.
 222If @code{-n} is specified, the native AIO backend is used if possible. On
 223Linux, this option only works if @code{-t none} or @code{-t directsync} is
 224specified as well.
 226For write tests, by default a buffer filled with zeros is written. This can be
 227overridden with a pattern byte specified by @var{pattern}.
 229@item check [--object @var{objectdef}] [--image-opts] [-q] [-f @var{fmt}] [--output=@var{ofmt}] [-r [leaks | all]] [-T @var{src_cache}] [-U] @var{filename}
 231Perform a consistency check on the disk image @var{filename}. The command can
 232output in the format @var{ofmt} which is either @code{human} or @code{json}.
 234If @code{-r} is specified, qemu-img tries to repair any inconsistencies found
 235during the check. @code{-r leaks} repairs only cluster leaks, whereas
 236@code{-r all} fixes all kinds of errors, with a higher risk of choosing the
 237wrong fix or hiding corruption that has already occurred.
 239Only the formats @code{qcow2}, @code{qed} and @code{vdi} support
 240consistency checks.
 242In case the image does not have any inconsistencies, check exits with @code{0}.
 243Other exit codes indicate the kind of inconsistency found or if another error
 244occurred. The following table summarizes all exit codes of the check subcommand:
 246@table @option
 248@item 0
 249Check completed, the image is (now) consistent
 250@item 1
 251Check not completed because of internal errors
 252@item 2
 253Check completed, image is corrupted
 254@item 3
 255Check completed, image has leaked clusters, but is not corrupted
 256@item 63
 257Checks are not supported by the image format
 259@end table
 261If @code{-r} is specified, exit codes representing the image state refer to the
 262state after (the attempt at) repairing it. That is, a successful @code{-r all}
 263will yield the exit code 0, independently of the image state before.
 265@item commit [--object @var{objectdef}] [--image-opts] [-q] [-f @var{fmt}] [-t @var{cache}] [-b @var{base}] [-d] [-p] @var{filename}
 267Commit the changes recorded in @var{filename} in its base image or backing file.
 268If the backing file is smaller than the snapshot, then the backing file will be
 269resized to be the same size as the snapshot.  If the snapshot is smaller than
 270the backing file, the backing file will not be truncated.  If you want the
 271backing file to match the size of the smaller snapshot, you can safely truncate
 272it yourself once the commit operation successfully completes.
 274The image @var{filename} is emptied after the operation has succeeded. If you do
 275not need @var{filename} afterwards and intend to drop it, you may skip emptying
 276@var{filename} by specifying the @code{-d} flag.
 278If the backing chain of the given image file @var{filename} has more than one
 279layer, the backing file into which the changes will be committed may be
 280specified as @var{base} (which has to be part of @var{filename}'s backing
 281chain). If @var{base} is not specified, the immediate backing file of the top
 282image (which is @var{filename}) will be used. Note that after a commit operation
 283all images between @var{base} and the top image will be invalid and may return
 284garbage data when read. For this reason, @code{-b} implies @code{-d} (so that
 285the top image stays valid).
 287@item compare [--object @var{objectdef}] [--image-opts] [-f @var{fmt}] [-F @var{fmt}] [-T @var{src_cache}] [-p] [-q] [-s] [-U] @var{filename1} @var{filename2}
 289Check if two images have the same content. You can compare images with
 290different format or settings.
 292The format is probed unless you specify it by @var{-f} (used for
 293@var{filename1}) and/or @var{-F} (used for @var{filename2}) option.
 295By default, images with different size are considered identical if the larger
 296image contains only unallocated and/or zeroed sectors in the area after the end
 297of the other image. In addition, if any sector is not allocated in one image
 298and contains only zero bytes in the second one, it is evaluated as equal. You
 299can use Strict mode by specifying the @var{-s} option. When compare runs in
 300Strict mode, it fails in case image size differs or a sector is allocated in
 301one image and is not allocated in the second one.
 303By default, compare prints out a result message. This message displays
 304information that both images are same or the position of the first different
 305byte. In addition, result message can report different image size in case
 306Strict mode is used.
 308Compare exits with @code{0} in case the images are equal and with @code{1}
 309in case the images differ. Other exit codes mean an error occurred during
 310execution and standard error output should contain an error message.
 311The following table sumarizes all exit codes of the compare subcommand:
 313@table @option
 315@item 0
 316Images are identical
 317@item 1
 318Images differ
 319@item 2
 320Error on opening an image
 321@item 3
 322Error on checking a sector allocation
 323@item 4
 324Error on reading data
 326@end table
 328@item convert [--object @var{objectdef}] [--image-opts] [--target-image-opts] [-U] [-C] [-c] [-p] [-q] [-n] [-f @var{fmt}] [-t @var{cache}] [-T @var{src_cache}] [-O @var{output_fmt}] [-B @var{backing_file}] [-o @var{options}] [-l @var{snapshot_param}] [-S @var{sparse_size}] [-m @var{num_coroutines}] [-W] @var{filename} [@var{filename2} [...]] @var{output_filename}
 330Convert the disk image @var{filename} or a snapshot @var{snapshot_param}
 331to disk image @var{output_filename} using format @var{output_fmt}. It can be optionally compressed (@code{-c}
 332option) or use any format specific options like encryption (@code{-o} option).
 334Only the formats @code{qcow} and @code{qcow2} support compression. The
 335compression is read-only. It means that if a compressed sector is
 336rewritten, then it is rewritten as uncompressed data.
 338Image conversion is also useful to get smaller image when using a
 339growable format such as @code{qcow}: the empty sectors are detected and
 340suppressed from the destination image.
 342@var{sparse_size} indicates the consecutive number of bytes (defaults to 4k)
 343that must contain only zeros for qemu-img to create a sparse image during
 344conversion. If @var{sparse_size} is 0, the source will not be scanned for
 345unallocated or zero sectors, and the destination image will always be
 346fully allocated.
 348You can use the @var{backing_file} option to force the output image to be
 349created as a copy on write image of the specified base image; the
 350@var{backing_file} should have the same content as the input's base image,
 351however the path, image format, etc may differ.
 353If a relative path name is given, the backing file is looked up relative to
 354the directory containing @var{output_filename}.
 356If the @code{-n} option is specified, the target volume creation will be
 357skipped. This is useful for formats such as @code{rbd} if the target
 358volume has already been created with site specific options that cannot
 359be supplied through qemu-img.
 361Out of order writes can be enabled with @code{-W} to improve performance.
 362This is only recommended for preallocated devices like host devices or other
 363raw block devices. Out of order write does not work in combination with
 364creating compressed images.
 366@var{num_coroutines} specifies how many coroutines work in parallel during
 367the convert process (defaults to 8).
 369@item create [--object @var{objectdef}] [-q] [-f @var{fmt}] [-b @var{backing_file}] [-F @var{backing_fmt}] [-u] [-o @var{options}] @var{filename} [@var{size}]
 371Create the new disk image @var{filename} of size @var{size} and format
 372@var{fmt}. Depending on the file format, you can add one or more @var{options}
 373that enable additional features of this format.
 375If the option @var{backing_file} is specified, then the image will record
 376only the differences from @var{backing_file}. No size needs to be specified in
 377this case. @var{backing_file} will never be modified unless you use the
 378@code{commit} monitor command (or qemu-img commit).
 380If a relative path name is given, the backing file is looked up relative to
 381the directory containing @var{filename}.
 383Note that a given backing file will be opened to check that it is valid. Use
 384the @code{-u} option to enable unsafe backing file mode, which means that the
 385image will be created even if the associated backing file cannot be opened. A
 386matching backing file must be created or additional options be used to make the
 387backing file specification valid when you want to use an image created this
 390The size can also be specified using the @var{size} option with @code{-o},
 391it doesn't need to be specified separately in this case.
 393@item dd [--image-opts] [-U] [-f @var{fmt}] [-O @var{output_fmt}] [bs=@var{block_size}] [count=@var{blocks}] [skip=@var{blocks}] if=@var{input} of=@var{output}
 395Dd copies from @var{input} file to @var{output} file converting it from
 396@var{fmt} format to @var{output_fmt} format.
 398The data is by default read and written using blocks of 512 bytes but can be
 399modified by specifying @var{block_size}. If count=@var{blocks} is specified
 400dd will stop reading input after reading @var{blocks} input blocks.
 402The size syntax is similar to dd(1)'s size syntax.
 404@item info [--object @var{objectdef}] [--image-opts] [-f @var{fmt}] [--output=@var{ofmt}] [--backing-chain] [-U] @var{filename}
 406Give information about the disk image @var{filename}. Use it in
 407particular to know the size reserved on disk which can be different
 408from the displayed size. If VM snapshots are stored in the disk image,
 409they are displayed too. The command can output in the format @var{ofmt}
 410which is either @code{human} or @code{json}.
 412If a disk image has a backing file chain, information about each disk image in
 413the chain can be recursively enumerated by using the option @code{--backing-chain}.
 415For instance, if you have an image chain like:
 418base.qcow2 <- snap1.qcow2 <- snap2.qcow2
 419@end example
 421To enumerate information about each disk image in the above chain, starting from top to base, do:
 424qemu-img info --backing-chain snap2.qcow2
 425@end example
 427@item map [-f @var{fmt}] [--output=@var{ofmt}] @var{filename}
 429Dump the metadata of image @var{filename} and its backing file chain.
 430In particular, this commands dumps the allocation state of every sector
 431of @var{filename}, together with the topmost file that allocates it in
 432the backing file chain.
 434Two option formats are possible.  The default format (@code{human})
 435only dumps known-nonzero areas of the file.  Known-zero parts of the
 436file are omitted altogether, and likewise for parts that are not allocated
 437throughout the chain.  @command{qemu-img} output will identify a file
 438from where the data can be read, and the offset in the file.  Each line
 439will include four fields, the first three of which are hexadecimal
 440numbers.  For example the first line of:
 442Offset          Length          Mapped to       File
 4430               0x20000         0x50000         /tmp/overlay.qcow2
 4440x100000        0x10000         0x95380000      /tmp/backing.qcow2
 445@end example
 447means that 0x20000 (131072) bytes starting at offset 0 in the image are
 448available in /tmp/overlay.qcow2 (opened in @code{raw} format) starting
 449at offset 0x50000 (327680).  Data that is compressed, encrypted, or
 450otherwise not available in raw format will cause an error if @code{human}
 451format is in use.  Note that file names can include newlines, thus it is
 452not safe to parse this output format in scripts.
 454The alternative format @code{json} will return an array of dictionaries
 455in JSON format.  It will include similar information in
 456the @code{start}, @code{length}, @code{offset} fields;
 457it will also include other more specific information:
 458@itemize @minus
 460whether the sectors contain actual data or not (boolean field @code{data};
 461if false, the sectors are either unallocated or stored as optimized
 462all-zero clusters);
 465whether the data is known to read as zero (boolean field @code{zero});
 468in order to make the output shorter, the target file is expressed as
 469a @code{depth}; for example, a depth of 2 refers to the backing file
 470of the backing file of @var{filename}.
 471@end itemize
 473In JSON format, the @code{offset} field is optional; it is absent in
 474cases where @code{human} format would omit the entry or exit with an error.
 475If @code{data} is false and the @code{offset} field is present, the
 476corresponding sectors in the file are not yet in use, but they are
 479For more information, consult @file{include/block/block.h} in QEMU's
 480source code.
 482@item measure [--output=@var{ofmt}] [-O @var{output_fmt}] [-o @var{options}] [--size @var{N} | [--object @var{objectdef}] [--image-opts] [-f @var{fmt}] [-l @var{snapshot_param}] @var{filename}]
 484Calculate the file size required for a new image.  This information can be used
 485to size logical volumes or SAN LUNs appropriately for the image that will be
 486placed in them.  The values reported are guaranteed to be large enough to fit
 487the image.  The command can output in the format @var{ofmt} which is either
 488@code{human} or @code{json}.
 490If the size @var{N} is given then act as if creating a new empty image file
 491using @command{qemu-img create}.  If @var{filename} is given then act as if
 492converting an existing image file using @command{qemu-img convert}.  The format
 493of the new file is given by @var{output_fmt} while the format of an existing
 494file is given by @var{fmt}.
 496A snapshot in an existing image can be specified using @var{snapshot_param}.
 498The following fields are reported:
 500required size: 524288
 501fully allocated size: 1074069504
 502@end example
 504The @code{required size} is the file size of the new image.  It may be smaller
 505than the virtual disk size if the image format supports compact representation.
 507The @code{fully allocated size} is the file size of the new image once data has
 508been written to all sectors.  This is the maximum size that the image file can
 509occupy with the exception of internal snapshots, dirty bitmaps, vmstate data,
 510and other advanced image format features.
 512@item snapshot [--object @var{objectdef}] [--image-opts] [-U] [-q] [-l | -a @var{snapshot} | -c @var{snapshot} | -d @var{snapshot}] @var{filename}
 514List, apply, create or delete snapshots in image @var{filename}.
 516@item rebase [--object @var{objectdef}] [--image-opts] [-U] [-q] [-f @var{fmt}] [-t @var{cache}] [-T @var{src_cache}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var{filename}
 518Changes the backing file of an image. Only the formats @code{qcow2} and
 519@code{qed} support changing the backing file.
 521The backing file is changed to @var{backing_file} and (if the image format of
 522@var{filename} supports this) the backing file format is changed to
 523@var{backing_fmt}. If @var{backing_file} is specified as ``'' (the empty
 524string), then the image is rebased onto no backing file (i.e. it will exist
 525independently of any backing file).
 527If a relative path name is given, the backing file is looked up relative to
 528the directory containing @var{filename}.
 530@var{cache} specifies the cache mode to be used for @var{filename}, whereas
 531@var{src_cache} specifies the cache mode for reading backing files.
 533There are two different modes in which @code{rebase} can operate:
 534@table @option
 535@item Safe mode
 536This is the default mode and performs a real rebase operation. The new backing
 537file may differ from the old one and qemu-img rebase will take care of keeping
 538the guest-visible content of @var{filename} unchanged.
 540In order to achieve this, any clusters that differ between @var{backing_file}
 541and the old backing file of @var{filename} are merged into @var{filename}
 542before actually changing the backing file.
 544Note that the safe mode is an expensive operation, comparable to converting
 545an image. It only works if the old backing file still exists.
 547@item Unsafe mode
 548qemu-img uses the unsafe mode if @code{-u} is specified. In this mode, only the
 549backing file name and format of @var{filename} is changed without any checks
 550on the file contents. The user must take care of specifying the correct new
 551backing file, or the guest-visible content of the image will be corrupted.
 553This mode is useful for renaming or moving the backing file to somewhere else.
 554It can be used without an accessible old backing file, i.e. you can use it to
 555fix an image whose backing file has already been moved/renamed.
 556@end table
 558You can use @code{rebase} to perform a ``diff'' operation on two
 559disk images.  This can be useful when you have copied or cloned
 560a guest, and you want to get back to a thin image on top of a
 561template or base image.
 563Say that @code{base.img} has been cloned as @code{modified.img} by
 564copying it, and that the @code{modified.img} guest has run so there
 565are now some changes compared to @code{base.img}.  To construct a thin
 566image called @code{diff.qcow2} that contains just the differences, do:
 569qemu-img create -f qcow2 -b modified.img diff.qcow2
 570qemu-img rebase -b base.img diff.qcow2
 571@end example
 573At this point, @code{modified.img} can be discarded, since
 574@code{base.img + diff.qcow2} contains the same information.
 576@item resize [--object @var{objectdef}] [--image-opts] [-f @var{fmt}] [--preallocation=@var{prealloc}] [-q] [--shrink] @var{filename} [+ | -]@var{size}
 578Change the disk image as if it had been created with @var{size}.
 580Before using this command to shrink a disk image, you MUST use file system and
 581partitioning tools inside the VM to reduce allocated file systems and partition
 582sizes accordingly.  Failure to do so will result in data loss!
 584When shrinking images, the @code{--shrink} option must be given. This informs
 585qemu-img that the user acknowledges all loss of data beyond the truncated
 586image's end.
 588After using this command to grow a disk image, you must use file system and
 589partitioning tools inside the VM to actually begin using the new space on the
 592When growing an image, the @code{--preallocation} option may be used to specify
 593how the additional image area should be allocated on the host.  See the format
 594description in the @code{NOTES} section which values are allowed.  Using this
 595option may result in slightly more data being allocated than necessary.
 597@end table
 598@c man end
 601@c man begin NOTES
 602Supported image file formats:
 604@table @option
 605@item raw
 607Raw disk image format (default). This format has the advantage of
 608being simple and easily exportable to all other emulators. If your
 609file system supports @emph{holes} (for example in ext2 or ext3 on
 610Linux or NTFS on Windows), then only the written sectors will reserve
 611space. Use @code{qemu-img info} to know the real size used by the
 612image or @code{ls -ls} on Unix/Linux.
 614Supported options:
 615@table @code
 616@item preallocation
 617Preallocation mode (allowed values: @code{off}, @code{falloc}, @code{full}).
 618@code{falloc} mode preallocates space for image by calling posix_fallocate().
 619@code{full} mode preallocates space for image by writing zeros to underlying
 621@end table
 623@item qcow2
 624QEMU image format, the most versatile format. Use it to have smaller
 625images (useful if your filesystem does not supports holes, for example
 626on Windows), optional AES encryption, zlib based compression and
 627support of multiple VM snapshots.
 629Supported options:
 630@table @code
 631@item compat
 632Determines the qcow2 version to use. @code{compat=0.10} uses the
 633traditional image format that can be read by any QEMU since 0.10.
 634@code{compat=1.1} enables image format extensions that only QEMU 1.1 and
 635newer understand (this is the default). Amongst others, this includes zero
 636clusters, which allow efficient copy-on-read for sparse images.
 638@item backing_file
 639File name of a base image (see @option{create} subcommand)
 640@item backing_fmt
 641Image format of the base image
 642@item encryption
 643If this option is set to @code{on}, the image is encrypted with 128-bit AES-CBC.
 645The use of encryption in qcow and qcow2 images is considered to be flawed by
 646modern cryptography standards, suffering from a number of design problems:
 648@itemize @minus
 650The AES-CBC cipher is used with predictable initialization vectors based
 651on the sector number. This makes it vulnerable to chosen plaintext attacks
 652which can reveal the existence of encrypted data.
 654The user passphrase is directly used as the encryption key. A poorly
 655chosen or short passphrase will compromise the security of the encryption.
 657In the event of the passphrase being compromised there is no way to
 658change the passphrase to protect data in any qcow images. The files must
 659be cloned, using a different encryption passphrase in the new file. The
 660original file must then be securely erased using a program like shred,
 661though even this is ineffective with many modern storage technologies.
 663Initialization vectors used to encrypt sectors are based on the
 664guest virtual sector number, instead of the host physical sector. When
 665a disk image has multiple internal snapshots this means that data in
 666multiple physical sectors is encrypted with the same initialization
 667vector. With the CBC mode, this opens the possibility of watermarking
 668attacks if the attack can collect multiple sectors encrypted with the
 669same IV and some predictable data. Having multiple qcow2 images with
 670the same passphrase also exposes this weakness since the passphrase
 671is directly used as the key.
 672@end itemize
 674Use of qcow / qcow2 encryption is thus strongly discouraged. Users are
 675recommended to use an alternative encryption technology such as the
 676Linux dm-crypt / LUKS system.
 678@item cluster_size
 679Changes the qcow2 cluster size (must be between 512 and 2M). Smaller cluster
 680sizes can improve the image file size whereas larger cluster sizes generally
 681provide better performance.
 683@item preallocation
 684Preallocation mode (allowed values: @code{off}, @code{metadata}, @code{falloc},
 685@code{full}). An image with preallocated metadata is initially larger but can
 686improve performance when the image needs to grow. @code{falloc} and @code{full}
 687preallocations are like the same options of @code{raw} format, but sets up
 688metadata also.
 690@item lazy_refcounts
 691If this option is set to @code{on}, reference count updates are postponed with
 692the goal of avoiding metadata I/O and improving performance. This is
 693particularly interesting with @option{cache=writethrough} which doesn't batch
 694metadata updates. The tradeoff is that after a host crash, the reference count
 695tables must be rebuilt, i.e. on the next open an (automatic) @code{qemu-img
 696check -r all} is required, which may take some time.
 698This option can only be enabled if @code{compat=1.1} is specified.
 700@item nocow
 701If this option is set to @code{on}, it will turn off COW of the file. It's only
 702valid on btrfs, no effect on other file systems.
 704Btrfs has low performance when hosting a VM image file, even more when the guest
 705on the VM also using btrfs as file system. Turning off COW is a way to mitigate
 706this bad performance. Generally there are two ways to turn off COW on btrfs:
 707a) Disable it by mounting with nodatacow, then all newly created files will be
 708NOCOW. b) For an empty file, add the NOCOW file attribute. That's what this option
 711Note: this option is only valid to new or empty files. If there is an existing
 712file which is COW and has data blocks already, it couldn't be changed to NOCOW
 713by setting @code{nocow=on}. One can issue @code{lsattr filename} to check if
 714the NOCOW flag is set or not (Capital 'C' is NOCOW flag).
 716@end table
 718@item Other
 719QEMU also supports various other image file formats for compatibility with
 720older QEMU versions or other hypervisors, including VMDK, VDI, VHD (vpc), VHDX,
 721qcow1 and QED. For a full list of supported formats see @code{qemu-img --help}.
 722For a more detailed description of these formats, see the QEMU Emulation User
 725The main purpose of the block drivers for these formats is image conversion.
 726For running VMs, it is recommended to convert the disk images to either raw or
 727qcow2 in order to achieve good performance.
 728@end table
 731@c man end
 733@setfilename qemu-img
 734@settitle QEMU disk image utility
 736@c man begin SEEALSO
 737The HTML documentation of QEMU for more precise information and Linux
 738user mode emulator invocation.
 739@c man end
 741@c man begin AUTHOR
 742Fabrice Bellard
 743@c man end
 745@end ignore