Comment 6 for bug 1744758

A couple of things to note about the failing code path.

The error message "luks encryption requires encrypted secrets to be supported" is coming from qemuDomainSecretDiskPrepare() in src/qemu/qemu_domain.c: https://paste.ubuntu.com/26444342/

The call to qemuDomainSecretSetup() appears to be returning 0 (zero). Whether that means virCryptoHaveCipher() is returning True or False is hard to tell but based on gnutls being included in the build log I'd have to assume HAVE_GNUTLS_CIPHER_ENCRYPT is true.

What about the other checks in the first if statement in qemuDomainSecretSetup()? https://paste.ubuntu.com/26444411/ Pasting here as well. It seems as if one of these checks in the first if is failing and we don't get to the qemuDomainSecretAESSetup() call, but instead take the else path.

static int
qemuDomainSecretSetup(virConnectPtr conn,
                      qemuDomainObjPrivatePtr priv,
                      qemuDomainSecretInfoPtr secinfo,
                      const char *srcalias,
                      virSecretUsageType secretUsageType,
                      const char *username,
                      virSecretLookupTypeDefPtr seclookupdef,
                      bool isLuks)
{
    if (virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC) &&
        virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET) &&
        (secretUsageType == VIR_SECRET_USAGE_TYPE_CEPH ||
         secretUsageType == VIR_SECRET_USAGE_TYPE_VOLUME ||
         secretUsageType == VIR_SECRET_USAGE_TYPE_TLS)) {
        if (qemuDomainSecretAESSetup(conn, priv, secinfo, srcalias,
                                     secretUsageType, username,
                                     seclookupdef, isLuks) < 0)
            return -1;
    } else {
        if (qemuDomainSecretPlainSetup(conn, secinfo, secretUsageType,
                                       username, seclookupdef) < 0)
            return -1;
    }
    return 0;
}