Libvirt secrets are stored unencrypted on the disk.
With this series we want to start encrypting the secrets.

First we introduce a secrets.conf file that has 2 configuration
settings:

1. encrypt_data - This can be set to 0 or 1. If it is set to 1 then
   we encrypt the secrets. We recommend keeping this as the default
   setting.
2. master_encryption_key - This allows the user to set the path of
   the encryption key file.

The secrets.conf file is parsed during secrets driver initialization
and accordingly the secrets are stored on the disk.

By default the secrets driver will look into the CREDENTIALS_DIRECTORY
environment variable set by systemd. The systemd unit file is configured
with a pre-configured key using the SetCredentialEncrypted directive.
This encrypted secret key is provided to virtsecretd on service
activation. If this file is not available, then the virtsecretd driver
will check the master_encryption_key configuration in the secrets.conf file,
provided it is made available by the user.

A boolean flag called value_encrypted is added to the secrets object to
indicate whether it is encrypted or not. This is not stored on the disk yet.
It is important to add this functionality so that the secrets service
behaves properly across restarts.
This is a sincere attempt to improve upon the already submitted patch
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/
Resolves: https://issues.redhat.com/browse/RHEL-7125
Arun Menon (4):
  util: Add support for GnuTLS decryption
  secret: Set up default encrypted master key for the virtsecretd service
  secret: Add secrets.conf configuration file and parse it
  secret: Add functionality to load and save secrets in encrypted format

libvirt.spec.in | 1 +
src/conf/virsecretobj.c | 13 ++
src/conf/virsecretobj.h | 7 +
src/libvirt_private.syms | 3 +
src/secret/meson.build | 7 +
src/secret/secret_driver.c | 168 +++++++++++++++++++++++-
src/secret/secrets.conf.in | 14 ++
src/secret/virtsecretd.service.extra.in | 8 ++
src/util/vircrypto.c | 130 +++++++++++++++++-
src/util/vircrypto.h | 8 ++
tests/vircryptotest.c | 65 +++++++++
11 files changed, 420 insertions(+), 4 deletions(-)
create mode 100644 src/secret/secrets.conf.in
--
2.51.1
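The master-key lookup order the cover letter describes (a systemd-provided credential under CREDENTIALS_DIRECTORY first, then the master_encryption_key path from secrets.conf, else no key), written out as an added C example. This is not code from the series or from libvirt; the credential file name virtsecretd.key, the 32-byte key length and the owner-only permission check on the key file are assumptions, and the key files the scenarios create are constructed fixtures.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed key size; the series does not state the master key length. */
#define KEY_LEN 32
/* Hypothetical credential file name under $CREDENTIALS_DIRECTORY; not from the series. */
#define CRED_NAME "virtsecretd.key"

typedef enum { KEY_FROM_SYSTEMD, KEY_FROM_CONF, KEY_NONE } key_source;

/* Read exactly KEY_LEN bytes from a regular file that only its owner can read.
 * A key file readable by group or others is rejected outright. */
static int read_key_file(const char *path, unsigned char *out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & 077) != 0 || st.st_size != KEY_LEN) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, out, KEY_LEN);
    close(fd);
    return n == KEY_LEN ? 0 : -1;
}

/* Lookup order from the cover letter: the systemd credential wins, then the
 * master_encryption_key path from secrets.conf, otherwise no key at all. */
key_source load_master_key(const char *conf_key_path, unsigned char *out)
{
    const char *dir = getenv("CREDENTIALS_DIRECTORY");
    if (dir && *dir) {
        char path[1024];
        snprintf(path, sizeof path, "%s/%s", dir, CRED_NAME);
        if (read_key_file(path, out) == 0)
            return KEY_FROM_SYSTEMD;
    }
    if (conf_key_path && read_key_file(conf_key_path, out) == 0)
        return KEY_FROM_CONF;
    memset(out, 0, KEY_LEN); /* never hand back a partially read key */
    return KEY_NONE;
}

/* Constructed fixture: write a KEY_LEN-byte key file and set its mode explicitly
 * (chmod rather than the open() mode so the process umask cannot interfere). */
static int write_key(const char *path, unsigned char fill, mode_t mode)
{
    unsigned char buf[KEY_LEN];
    memset(buf, fill, sizeof buf);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, sizeof buf);
    close(fd);
    return (n == KEY_LEN && chmod(path, mode) == 0) ? 0 : -1;
}

/* Run one scenario in a fresh temp dir and report where the key came from;
 * the bytes returned must match the source (0xAA for systemd, 0xBB for conf). */
key_source scenario(int with_cred, int with_conf, int loose_conf_perms)
{
    char dir[64], cred[1024], conf[1024];
    unsigned char key[KEY_LEN];
    key_source src = KEY_NONE;

    snprintf(dir, sizeof dir, "/tmp/secrets-demo-XXXXXX");
    if (!mkdtemp(dir))
        return KEY_NONE;
    snprintf(cred, sizeof cred, "%s/%s", dir, CRED_NAME);
    snprintf(conf, sizeof conf, "%s/master.key", dir);

    if ((!with_cred || write_key(cred, 0xAA, 0600) == 0) &&
        (!with_conf || write_key(conf, 0xBB, loose_conf_perms ? 0644 : 0600) == 0) &&
        setenv("CREDENTIALS_DIRECTORY", dir, 1) == 0) {
        src = load_master_key(conf, key);
        if ((src == KEY_FROM_SYSTEMD && key[0] != 0xAA) ||
            (src == KEY_FROM_CONF && key[0] != 0xBB))
            src = KEY_NONE;
    }

    unsetenv("CREDENTIALS_DIRECTORY");
    unlink(cred);
    unlink(conf);
    rmdir(dir);
    return src;
}

int main(void)
{
    printf("cred+conf -> %d, conf only -> %d, loose conf -> %d, nothing -> %d\n",
           scenario(1, 1, 0), scenario(0, 1, 0), scenario(0, 1, 1), scenario(0, 0, 0));
    return 0;
}
```

The third scenario is the one worth keeping in mind when deploying the fallback path: a master_encryption_key file that is readable by other users is treated as no key, so a mis-permissioned file fails loudly at startup instead of silently protecting every secret with a key anyone on the host can read.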