problem
Don't allow vmsnapshot and volume snapshot operation on a vm which has encrypted volumes attached
versions
ACS 4.22
The steps to reproduce the bug
- Have a Cloudstack kvm host which supports volume encryption
- Create a compute offering and disk offering which has encryption enabled
-
Launch a vm with encrypted compute offering and data disk offering > vm launched successfullt
-
Take a vm snapshot of the vm
-
Stop the vm
-
Start the vm > Exception
2026-05-19 08:12:53,372 WARN [resource.wrapper.LibvirtStartCommandWrapper] (AgentRequest-Handler-2:[]) (logid:757a3937) LibvirtException org.libvirt.LibvirtException: internal error: Unexpected enum value 0 for virStorageEncryptionEngine
at org.libvirt.ErrorHandler.processError(Unknown Source)
at org.libvirt.ErrorHandler.processError(Unknown Source)
at org.libvirt.Connect.domainCreateXML(Unknown Source)
at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.startVM(LibvirtComputingResource.java:2241)
at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.startVM(LibvirtComputingResource.java:2210)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtStartCommandWrapper.execute(LibvirtStartCommandWrapper.java:91)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtStartCommandWrapper.execute(LibvirtStartCommandWrapper.java:52)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
at com.cloud.agent.Agent.processRequest(Agent.java:813)
at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
at com.cloud.utils.nio.Task.call(Task.java:83)
at com.cloud.utils.nio.Task.call(Task.java:29)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
- Try to destroy/expunge the vm >> Exception
2026-05-19 08:15:08,143 DEBUG [c.c.a.t.Request] (AgentManager-Handler-8:[]) (logid:) Seq 1-6388356071425053772: Processing: { Ans: , MgmtId: 32988351955983, via: 1, Ver: v1, Flags: 10, [{"com.cloud.agent.api.Answer":{"result":"false","details":"Exception: org.apache.cloudstack.utils.qemu.QemuImgException
Message: qemu-img: Could not open '/mnt/c2498341-cfff-3eee-86df-fff0fcae419d/7b84527f-6513-4138-a477-6187b880af77': Could not open backing file: Parameter 'encrypt.key-secret' is required for cipher
Stack: org.apache.cloudstack.utils.qemu.QemuImgException: qemu-img: Could not open '/mnt/c2498341-cfff-3eee-86df-fff0fcae419d/7b84527f-6513-4138-a477-6187b880af77': Could not open backing file: Parameter 'encrypt.key-secret' is required for cipher
at org.apache.cloudstack.utils.qemu.QemuImg.commit(QemuImg.java:871)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.mergeDiskOnlySnapshotsForStoppedVM(LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.java:86)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.execute(LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.java:62)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.execute(LibvirtMergeDiskOnlyVMSnapshotCommandWrapper.java:51)
at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
at com.cloud.agent.Agent.processRequest(Agent.java:813)
at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
at com.cloud.utils.nio.Task.call(Task.java:83)
at com.cloud.utils.nio.Task.call(Task.java:29)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
2026-05-19 08:15:08,180 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-56:[ctx-5f20d751, job-219]) (logid:c1458150) Unexpected exception while executing org.apache.cloudstack.api.command.admin.vm.DestroyVMCmdByAdmin com.cloud.utils.exception.CloudRuntimeException: Failed to destroy vm with specified vmId
at com.cloud.vm.UserVmManagerImpl.destroyVm(UserVmManagerImpl.java:5999)
at com.cloud.vm.UserVmManagerImpl.destroyVm(UserVmManagerImpl.java:3545)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:569)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java
Currently, we disallow the following operations on encrypted volumes, and provide a exception message when user tries to perform the following operation
2026-05-19 08:23:10,479 ERROR [c.c.a.ApiServer] (qtp253011924-26:[ctx-fda2c601, ctx-8fb1e3bd]) (logid:5c23248f) unhandled exception executing api command: [Ljava.lang.String;@5a733241 java.lang.UnsupportedOperationException: Cannot create new volumes from encrypted volume snapshots
Try to revert volume snapshot which was created from an encrypted volume when the vm is in stopped state
Exception
logs
2026-05-19 08:35:01,120 DEBUG [o.a.c.s.s.SnapshotServiceImpl] (API-Job-Executor-69:[ctx-f8fad827, job-251, ctx-c5c1b411]) (logid:d410fd2d) revert snapshot failedcom.cloud.utils.exception.CloudRuntimeException: Unable to revert volume [volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}] to snapshot [SnapshotTO[datastore=NfsTO {"_role":"Image","_url":"NFS:\/\/10.0.32.4\/acs\/secondary\/ref-trl-11676-k-Mol8-kiran-chavala\/ref-trl-11676-k-Mol8-kiran-chavala-sec1","nfsVersion":null,"uuid":null}|volume=volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}|pathsnapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d]] due to [qemu-img: Could not open 'driver=qcow2,file.filename=/mnt/f179ad17-99de-3f02-81ae-88f4dd0c11d7/snapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d': Parameter 'encrypt.key-secret' is required for cipher].
2026-05-19 08:35:01,130 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-69:[ctx-f8fad827, job-251]) (logid:d410fd2d) Unexpected exception while executing org.apache.cloudstack.api.command.user.snapshot.RevertSnapshotCmd com.cloud.utils.exception.CloudRuntimeException: com.cloud.utils.exception.CloudRuntimeException: Unable to revert volume [volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}] to snapshot [SnapshotTO[datastore=NfsTO {"_role":"Image","_url":"NFS:\/\/10.0.32.4\/acs\/secondary\/ref-trl-11676-k-Mol8-kiran-chavala\/ref-trl-11676-k-Mol8-kiran-chavala-sec1","nfsVersion":null,"uuid":null}|volume=volumeTO {"dataStore":"PrimaryDataStoreTO {\"id\":2,\"name\":\"ref-trl-11676-k-Mol8-kiran-chavala-kvm-pri2\",\"poolType\":\"NetworkFilesystem\",\"uuid\":\"100681f3-60a3-33de-a7d7-2f203d2e299e\"}","id":28,"name":"ROOT-20","path":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf","uuid":"a7b4cdfc-a3a4-406a-8853-fa63f73992cf"}|pathsnapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d]] due to [qemu-img: Could not open 'driver=qcow2,file.filename=/mnt/f179ad17-99de-3f02-81ae-88f4dd0c11d7/snapshots/2/28/0c96fbe0-0149-4eef-b8c3-a34b8e99028d': Parameter 'encrypt.key-secret' is required for cipher].
at org.apache.cloudstack.storage.snapshot.SnapshotServiceImpl.revertSnapshot(SnapshotServiceImpl.java:699)
at org.apache.cloudstack.storage.snapshot.DefaultSnapshotStrategy.revertSnapshot(DefaultSnapshotStrategy.java:519)
at com.cloud.storage.snapshot.SnapshotManagerImpl.revertSnapshot(SnapshotManagerImpl.java:405)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
Try to revert volume snapshot which was created from an encrypted volume when the vm is in stopped state
Exception
What to do about it?
Don't allow volume and vm snapshot operation on encrypted volumes
problem
Don't allow vmsnapshot and volume snapshot operation on a vm which has encrypted volumes attached
versions
ACS 4.22
The steps to reproduce the bug
Launch a vm with encrypted compute offering and data disk offering > vm launched successfullt
Take a vm snapshot of the vm
Stop the vm
Start the vm > Exception
Currently, we disallow the following operations on encrypted volumes, and provide a exception message when user tries to perform the following operation
Try to revert volume snapshot which was created from an encrypted volume when the vm is in stopped state
Exception
logs
Try to revert volume snapshot which was created from an encrypted volume when the vm is in stopped state
Exception
What to do about it?
Don't allow volume and vm snapshot operation on encrypted volumes