[PATCH 0/5] cover: RFE libvirt secret encryption on disk

Arun Menon via Devel posted 5 patches 3 days, 16 hours ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20251208195231.98170-1-armenon@redhat.com
There is a newer version of this series
include/libvirt/virterror.h                   |   1 +
libvirt.spec.in                               |   7 +
po/POTFILES                                   |   1 +
src/conf/secret_conf.c                        |   6 +
src/conf/secret_conf.h                        |   9 +
src/conf/virsecretobj.c                       | 184 ++++++++++++++----
src/conf/virsecretobj.h                       |  18 +-
src/libvirt_private.syms                      |   1 +
src/meson.build                               |   1 +
src/remote/libvirtd.service.in                |   2 +
src/secret/libvirt_secrets.aug                |  40 ++++
src/secret/meson.build                        |  34 ++++
src/secret/secret.conf.in                     |  14 ++
src/secret/secret_config.c                    | 171 ++++++++++++++++
src/secret/secret_config.h                    |  40 ++++
src/secret/secret_driver.c                    |  34 +++-
src/secret/test_libvirt_secrets.aug.in        |   6 +
.../virt-secret-init-encryption.service.in    |   7 +
src/secret/virtsecretd.service.extra.in       |   8 +
src/util/vircrypto.c                          | 126 +++++++++++-
src/util/vircrypto.h                          |   8 +
src/util/virerror.c                           |   3 +
tests/vircryptotest.c                         |  65 +++++++
23 files changed, 736 insertions(+), 50 deletions(-)
create mode 100644 src/secret/libvirt_secrets.aug
create mode 100644 src/secret/secret.conf.in
create mode 100644 src/secret/secret_config.c
create mode 100644 src/secret/secret_config.h
create mode 100644 src/secret/test_libvirt_secrets.aug.in
create mode 100644 src/secret/virt-secret-init-encryption.service.in
Posted by Arun Menon via Devel 3 days, 16 hours ago
Libvirt secrets are stored unencrypted on the disk.
With this series we want to start encrypting the secrets.

1. Introduce the GnuTLS decryption wrapper functions that
   work as the exact opposite of the encryption wrappers. The new test
   added works fine because during test execution we use the mock
   implementation of virRandomBytes while generating the IV and the key.

2. Add a new service called virt-secrets-init-encryption that is
   linked to the virtsecretd service. The virtsecretd service only starts
   after the new service generates a random encryption key.

3. Add a new secret.conf configuration file that lets the user set
   a. secrets_encryption_key - allows the user to specify the encryption
      key file path, in case the default key is not to be used.
   b. encrypt_data - set to 0 or 1. If set to 1, then newly
      added secrets will be encrypted.

4. Add an encryption scheme (cipher) attribute that will allow us to
   choose the last used cipher. New modes can be added to the enum.

5. Once we have the encryption key, and a reliable way to tell the daemon
   what encryption scheme the secret object must use, we can encrypt the
   secrets on disk and store them in <uuid>.<encryption_scheme> format.
   It is important to note that if the encryption key is changed between
   restarts, then the respective secret will not be loaded by the driver.

This is a sincere attempt to improve upon the already submitted patch
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/

Resolves: https://issues.redhat.com/browse/RHEL-7125
RFC: https://patchew.org/Libvirt/20251127072232.38426-1-armenon@redhat.com/

---
Changes in v1:
- Previously, encrypt_data was set to 1 regardless of what was present in the
  secrets config file. This is now changed: encrypt_data is first read from the
  config file, and it is set to 1 only if secrets_encryption_key is not NULL or
  if a systemd credential named "secrets-encryption-key" exists.
- Rename secrets.conf to secret.conf. Move secrets_config.c from src/conf to src/secret/.
- Add a special error code 'VIR_ERR_INVALID_ENCR_KEY_SECRET' for when the secret key length is invalid.
- Add the two directives that load the credential into the libvirtd service as well. Rename the unit file
  from secret-init-encryption.in to virt-secret-init-encryption.service.in.
- Remove unnecessary configuration settings and make them inline.

Arun Menon (5):
  util: Add support for GnuTLS decryption
  secret: Set up default encryption secret key for the virtsecretd
    service
  secret: Add secret.conf configuration file and parse it
  secret: Add encryptionSchemeType attribute to store ciphers
  secret: Add functionality to load and save secrets in encrypted format

-- 
2.51.1
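As an added example, not code from this series or from libvirt, the following Go program models the on-disk scheme the cover letter describes: a random key file created once by an init step (under systemd it would land at $CREDENTIALS_DIRECTORY/secrets-encryption-key), each secret saved under a fresh random IV as <uuid>.<scheme>, and the item 5 failure mode where a key changed between restarts means the secret is refused at load time. The cipher (AES-256-GCM), the raw 32-byte key file, the nonce||ciphertext||tag layout, the use of the uuid as associated data, the function names and the sample uuid and passphrase are all this example's own assumptions; the series uses GnuTLS wrappers in C and does not spell out its file layout here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// A secret is stored as "<uuid>.<scheme>", as the cover letter describes. The
// cipher (AES-256-GCM) and the raw 32-byte key file are this example's choices.
const Scheme, keyLen = "aes256gcm", 32

var ErrNotLoadable = errors.New("secret cannot be decrypted with the current key")

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// loadOrCreateKey stands in for the init service plus the driver's key load: create
// a random key once, then read it back and reject a wrong length (cf. VIR_ERR_INVALID_ENCR_KEY_SECRET).
func loadOrCreateKey(path string) (cipher.AEAD, error) {
	if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
		key := make([]byte, keyLen)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		if err := os.WriteFile(path, key, 0o600); err != nil {
			return nil, err
		}
	}
	key, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(key) != keyLen {
		return nil, fmt.Errorf("invalid key length %d, want %d", len(key), keyLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// saveSecret writes nonce||ciphertext||tag to dir/<uuid>.<scheme>; the uuid is
// bound in as associated data so a file cannot be renamed onto another secret.
func saveSecret(dir, uuid string, aead cipher.AEAD, value []byte) error {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := aead.Seal(nonce, nonce, value, []byte(uuid))
	return os.WriteFile(filepath.Join(dir, uuid+"."+Scheme), blob, 0o600)
}

// loadSecret mirrors saveSecret; with a changed key the tag check fails, so the
// driver refuses the secret instead of handing back garbage.
func loadSecret(dir, uuid string, aead cipher.AEAD) ([]byte, error) {
	blob, err := os.ReadFile(filepath.Join(dir, uuid+"."+Scheme))
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		if value, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(uuid)); err == nil {
			return value, nil
		}
	}
	return nil, ErrNotLoadable
}

// Demo: create a key, save and reload a constructed secret, then replace the
// key as if it changed between restarts and confirm the secret is refused.
func Demo() (roundTrip, rejected bool) {
	dir, err := os.MkdirTemp("", "secretdemo")
	must(err)
	defer os.RemoveAll(dir)
	keyPath := filepath.Join(dir, "secrets-encryption-key")
	const uuid = "1b4e28ba-2fa1-11d2-883f-0016d3cca427" // constructed sample
	value := []byte("constructed-sample-passphrase")
	aead, err := loadOrCreateKey(keyPath)
	must(err)
	must(saveSecret(dir, uuid, aead, value))
	got, err := loadSecret(dir, uuid, aead)
	roundTrip = err == nil && string(got) == string(value)
	must(os.Remove(keyPath)) // key regenerated between restarts
	aead, err = loadOrCreateKey(keyPath)
	must(err)
	_, err = loadSecret(dir, uuid, aead)
	rejected = errors.Is(err, ErrNotLoadable)
	return roundTrip, rejected
}

func main() { fmt.Println(Demo()) }
```

The authenticated mode is what makes the item 5 behaviour deterministic: with a plain unauthenticated block cipher mode, decrypting under the wrong key does not reliably fail (padding can validate by chance and yield garbage), so a daemon that wants to refuse a secret after a key change needs an integrity tag or a separate MAC to detect it rather than relying on the decryption call alone.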