diff --git a/SOURCES/libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch b/SOURCES/libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch
new file mode 100644
index 0000000..b657770
--- /dev/null
+++ b/SOURCES/libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch
@@ -0,0 +1,168 @@
+From d003f242c8dd06903146604442e633fc286f88ba Mon Sep 17 00:00:00 2001
+Message-Id: <d003f242c8dd06903146604442e633fc286f88ba@dist-git>
+From: Gema Gomez <gema.gomez-solano@linaro.org>
+Date: Wed, 21 Dec 2016 15:55:41 -0500
+Subject: [PATCH] qemu: Add support for using AES secret for SCSI hotplug
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1406442
+
+Support for virtio disks was added in commit id 'fceeeda', but not for
+SCSI drives. Add the secret for the server when hotplugging a SCSI drive.
+No need to make any adjustments for unplug since that's handled during
+the qemuDomainDetachDiskDevice call to qemuDomainRemoveDiskDevice in
+the qemuDomainDetachDeviceDiskLive switch.
+
+Added a test to/for the command line processing to show the command line
+options when adding a SCSI drive for the guest.
+
+(cherry picked from commit 0701abcb3ba78ba27cf1f47e01b3d9607ad37b72)
+
+Resolved conflict since upstream commit id '97ca6eed9a' is not present
+(just remove the drivealias changes)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1411398
+
+Signed-off-by: John Ferlan <jferlan@redhat.com>
+---
+ src/qemu/qemu_hotplug.c                             | 21 +++++++++++++++++++++
+ ...emuxml2argv-disk-drive-network-rbd-auth-AES.args | 14 ++++++++++++--
+ ...qemuxml2argv-disk-drive-network-rbd-auth-AES.xml | 13 +++++++++++++
+ tests/qemuxml2argvtest.c                            |  2 +-
+ 4 files changed, 47 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index 58d25ca0e..967c7c0b7 100644
+--- a/src/qemu/qemu_hotplug.c
++++ b/src/qemu/qemu_hotplug.c
+@@ -594,12 +594,15 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+     char *devstr = NULL;
+     bool driveAdded = false;
+     bool encobjAdded = false;
++    bool secobjAdded = false;
+     int ret = -1;
+     int rv;
+     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+     virJSONValuePtr encobjProps = NULL;
++    virJSONValuePtr secobjProps = NULL;
+     qemuDomainDiskPrivatePtr diskPriv;
+     qemuDomainSecretInfoPtr encinfo;
++    qemuDomainSecretInfoPtr secinfo;
+ 
+     if (qemuDomainPrepareDisk(driver, vm, disk, NULL, false) < 0)
+         goto cleanup;
+@@ -631,6 +634,12 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+         goto error;
+ 
+     diskPriv = QEMU_DOMAIN_DISK_PRIVATE(disk);
++    secinfo = diskPriv->secinfo;
++    if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
++        if (qemuBuildSecretInfoProps(secinfo, &secobjProps) < 0)
++            goto error;
++    }
++
+     encinfo = diskPriv->encinfo;
+     if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0)
+         goto error;
+@@ -646,6 +655,15 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+ 
+     qemuDomainObjEnterMonitor(driver, vm);
+ 
++    if (secobjProps) {
++        rv = qemuMonitorAddObject(priv->mon, "secret", secinfo->s.aes.alias,
++                                  secobjProps);
++        secobjProps = NULL; /* qemuMonitorAddObject consumes */
++        if (rv < 0)
++            goto exit_monitor;
++        secobjAdded = true;
++    }
++
+     if (encobjProps) {
+         rv = qemuMonitorAddObject(priv->mon, "secret", encinfo->s.aes.alias,
+                                   encobjProps);
+@@ -671,6 +689,7 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+     ret = 0;
+ 
+  cleanup:
++    virJSONValueFree(secobjProps);
+     virJSONValueFree(encobjProps);
+     qemuDomainSecretDiskDestroy(disk);
+     VIR_FREE(devstr);
+@@ -684,6 +703,8 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+         VIR_WARN("qemuMonitorAddDevice failed on %s (%s)", drivestr, devstr);
+ 
+     orig_err = virSaveLastError();
++    if (secobjAdded)
++        ignore_value(qemuMonitorDelObject(priv->mon, secinfo->s.aes.alias));
+     if (encobjAdded)
+         ignore_value(qemuMonitorDelObject(priv->mon, encinfo->s.aes.alias));
+     if (orig_err) {
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+index dd66388f8..57b3d88a7 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+@@ -18,6 +18,7 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
+ -monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+ -no-acpi \
+ -boot c \
++-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
+ -usb \
+ -drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
+ -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
+@@ -28,5 +29,14 @@ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:6322,\
+ file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
+ id=drive-virtio-disk0' \
+--device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
+-id=virtio-disk0
++-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
++id=virtio-disk0 \
++-object secret,id=scsi0-0-0-0-secret0,\
++data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
++keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
++-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
++mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
++6322,file.password-secret=scsi0-0-0-0-secret0,format=raw,if=none,\
++id=drive-scsi0-0-0-0,cache=none' \
++-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
++drive=drive-scsi0-0-0-0,id=scsi0-0-0-0
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
+index ac2e94209..885fb1127 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
+@@ -32,7 +32,20 @@
+       </source>
+       <target dev='vda' bus='virtio'/>
+     </disk>
++    <disk type='network' device='disk'>
++      <driver name='qemu' type='raw' cache='none'/>
++      <auth username='myname'>
++        <secret type='ceph' usage='mycluster_myname'/>
++      </auth>
++      <source protocol='rbd' name='pool/image'>
++        <host name='mon1.example.org' port='6321'/>
++        <host name='mon2.example.org' port='6322'/>
++        <host name='mon3.example.org' port='6322'/>
++      </source>
++      <target bus='scsi' dev='sda'/>
++    </disk>
+     <controller type='usb' index='0'/>
++    <controller type='scsi' index='0' model='virtio-scsi'/>
+     <controller type='ide' index='0'/>
+     <controller type='pci' index='0' model='pci-root'/>
+     <input type='mouse' bus='ps2'/>
+diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
+index f48632b70..dc5580e02 100644
+--- a/tests/qemuxml2argvtest.c
++++ b/tests/qemuxml2argvtest.c
+@@ -827,7 +827,7 @@ mymain(void)
+     DO_TEST("disk-drive-network-rbd-auth", NONE);
+ # ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
+     DO_TEST("disk-drive-network-rbd-auth-AES",
+-            QEMU_CAPS_OBJECT_SECRET);
++            QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI);
+ # endif
+     DO_TEST("disk-drive-network-rbd-ipv6", NONE);
+     DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE);
+-- 
+2.11.1
+
diff --git a/SOURCES/libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch b/SOURCES/libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch
new file mode 100644
index 0000000..3c5466c
--- /dev/null
+++ b/SOURCES/libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch
@@ -0,0 +1,114 @@
+From 84664353b00622571f099cf3306b317b7a67072f Mon Sep 17 00:00:00 2001
+Message-Id: <84664353b00622571f099cf3306b317b7a67072f@dist-git>
+From: John Ferlan <jferlan@redhat.com>
+Date: Tue, 3 Jan 2017 13:31:55 -0500
+Subject: [PATCH] qemu: Don't assume secret provided for LUKS encryption
+
+7.4: https://bugzilla.redhat.com/show_bug.cgi?id=1405269
+
+If a secret was not provided for what was determined to be a LUKS
+encrypted disk (during virStorageFileGetMetadata processing when
+called from qemuDomainDetermineDiskChain as a result of hotplug
+attach qemuDomainAttachDeviceDiskLive), then do not attempt to
+look it up (avoiding a libvirtd crash) and do not alter the format
+to "luks" when adding the disk; otherwise, the device_add would
+fail with a message such as:
+
+   "unable to execute QEMU command 'device_add': Property 'scsi-hd.drive'
+    can't find value 'drive-scsi0-0-0-0'"
+
+because of assumptions that when the format=luks that libvirt would have
+provided the secret to decrypt the volume.
+
+Access to unlock the volume will thus be left to the application.
+
+(cherry picked from commit 7f7d99048350935a394d07b98a13d7da9c4b0502)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1411394
+
+Signed-off-by: John Ferlan <jferlan@redhat.com>
+---
+ src/qemu/qemu_command.c |  3 +--
+ src/qemu/qemu_domain.c  | 15 +++++++++++++--
+ src/qemu/qemu_domain.h  |  3 +++
+ src/qemu/qemu_hotplug.c |  3 +--
+ 4 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index ade9e2524..bd01a0f76 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -1312,8 +1312,7 @@ qemuBuildDriveSourceStr(virDomainDiskDefPtr disk,
+     if (disk->src->format > 0 &&
+         disk->src->type != VIR_STORAGE_TYPE_DIR) {
+         const char *qemuformat = virStorageFileFormatTypeToString(disk->src->format);
+-        if (disk->src->encryption &&
+-            disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS)
++        if (qemuDomainDiskHasEncryptionSecret(disk->src))
+             qemuformat = "luks";
+         virBufferAsprintf(buf, "format=%s,", qemuformat);
+     }
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 3d2650fd5..b91db229f 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -1037,6 +1037,18 @@ qemuDomainSecretDiskCapable(virStorageSourcePtr src)
+ }
+ 
+ 
++bool
++qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src)
++{
++    if (!virStorageSourceIsEmpty(src) && src->encryption &&
++        src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
++        src->encryption->nsecrets > 0)
++        return true;
++
++    return false;
++}
++
++
+ /* qemuDomainSecretDiskPrepare:
+  * @conn: Pointer to connection
+  * @priv: pointer to domain private object
+@@ -1075,8 +1087,7 @@ qemuDomainSecretDiskPrepare(virConnectPtr conn,
+         diskPriv->secinfo = secinfo;
+     }
+ 
+-    if (!virStorageSourceIsEmpty(src) && src->encryption &&
+-        src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
++    if (qemuDomainDiskHasEncryptionSecret(src)) {
+ 
+         if (VIR_ALLOC(secinfo) < 0)
+             return -1;
+diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
+index 66ffe5817..e6eda2388 100644
+--- a/src/qemu/qemu_domain.h
++++ b/src/qemu/qemu_domain.h
+@@ -698,6 +698,9 @@ void qemuDomainSecretDiskDestroy(virDomainDiskDefPtr disk)
+ bool qemuDomainSecretDiskCapable(virStorageSourcePtr src)
+     ATTRIBUTE_NONNULL(1);
+ 
++bool qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src)
++    ATTRIBUTE_NONNULL(1);
++
+ int qemuDomainSecretDiskPrepare(virConnectPtr conn,
+                                 qemuDomainObjPrivatePtr priv,
+                                 virDomainDiskDefPtr disk)
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index 967c7c0b7..b7302a5f9 100644
+--- a/src/qemu/qemu_hotplug.c
++++ b/src/qemu/qemu_hotplug.c
+@@ -3148,8 +3148,7 @@ qemuDomainRemoveDiskDevice(virQEMUDriverPtr driver,
+     /* Similarly, if this is possible a device using LUKS encryption, we
+      * can remove the luks object password too
+      */
+-    if (!virStorageSourceIsEmpty(disk->src) && disk->src->encryption &&
+-        disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
++    if (qemuDomainDiskHasEncryptionSecret(disk->src)) {
+ 
+         if (!(encAlias =
+               qemuDomainGetSecretAESAlias(disk->info.alias, true))) {
+-- 
+2.11.1
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 6eb0a69..c707107 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -217,7 +217,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 2.0.0
-Release: 10%{?dist}.4%{?extra_release}
+Release: 10%{?dist}.5%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -506,6 +506,8 @@ Patch274: libvirt-qemuDomainAttachNetDevice-Enable-multiqueue-for-vhost-user.pat
 Patch275: libvirt-qemuDomainAttachNetDevice-pass-mq-and-vectors-for-vhost-user-with-multiqueue.patch
 Patch276: libvirt-qemuDomainAttachNetDevice-Avoid-originalError-leak.patch
 Patch277: libvirt-qemu-snapshot-Resume-VM-after-live-snapshot.patch
+Patch278: libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch
+Patch279: libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch
 
 
 Requires: libvirt-daemon = %{version}-%{release}
@@ -2148,6 +2150,10 @@ exit 0
 
 
 %changelog
+* Fri Feb 10 2017 Jiri Denemark <jdenemar@redhat.com> - 2.0.0-10.el7_3.5
+- qemu: Add support for using AES secret for SCSI hotplug (rhbz#1411398)
+- qemu: Don't assume secret provided for LUKS encryption (rhbz#1411394)
+
 * Thu Jan  5 2017 Jiri Denemark <jdenemar@redhat.com> - 2.0.0-10.el7_3.4
 - qemuDomainAttachNetDevice: Avoid @originalError leak (rhbz#1404186)
 - qemu: snapshot: Resume VM after live snapshot (rhbz#1406765)