[PATCH v2 0/5] cover: RFE libvirt secret encryption on disk

git fetch https://github.com/patchew-project/libvirt tags/patchew/20251216065210.9297-1-armenon@redhat.com
Posted by Arun Menon via Devel 1 month, 3 weeks ago
Libvirt secrets are stored unencrypted on the disk.
With this series we want to start encrypting the secrets.

1. Introduce the GnuTLS decryption wrapper functions that
   work exactly opposite to the encryption wrappers.

2. Add a new service called virt-secrets-init-encryption, that is
   linked to the virtsecretd and libvirtd service.
   virtsecretd and libvirtd services only start
   after the new service generates a random encryption key.

3. Add a new secret.conf configuration file that helps the user set
   a. secrets_encryption_key - allows the user to specify the encryption
      key file path, in case the default key is not to be used.
   b. encrypt_data - set to 0 or 1. If set to 1, then the newly
      added secrets will be encrypted.

4. Rename the file name attribute in virSecretObj structure to secretValueFile.

5. Once we have the encryption key, and a reliable way to tell the daemon
   what encryption scheme the secret object is using, we can encrypt the
   secrets on disk and store them in <uuid>.<encryption_scheme> format.
   It is important to note that if the encryption key is changed between
   restarts, then the respective secret will not be loaded by the driver.

This is a sincere attempt to improve upon the already submitted patch
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/

Resolves: https://issues.redhat.com/browse/RHEL-7125

---
Changes in v2:
- Fixed a regression in the decryption logic. The ciphertext length was
  incorrectly calculated.
- Removed virSecretEncryptionScheme enum. It is no longer required.
  All the changes will be done in one place, i.e., the schemeInfo array.
  In future we can append to the array, when we want to add new cipher
  modes.
- Add Requires= and After= directives in libvirtd service. Remove
  unnecessary configuration settings from src/secret meson.build.
- Other minor refactoring and header include fix.

Arun Menon (5):
  util: Add support for GnuTLS decryption
  secret: Set up default encryption secret key for the virtsecretd
    service
  secret: Add secret.conf configuration file and parse it
  secret: Rename virSecretObj structure attribute from base64File to
    secretValueFile
  secret: Add functionality to load and save secrets in encrypted format

 include/libvirt/virterror.h                   |   1 +
 libvirt.spec.in                               |   7 +
 po/POTFILES                                   |   1 +
 src/conf/virsecretobj.c                       | 183 ++++++++++++++----
 src/conf/virsecretobj.h                       |  18 +-
 src/libvirt_private.syms                      |   1 +
 src/meson.build                               |   1 +
 src/remote/libvirtd.service.in                |   4 +
 src/secret/libvirt_secrets.aug                |  40 ++++
 src/secret/meson.build                        |  31 +++
 src/secret/secret.conf.in                     |  14 ++
 src/secret/secret_config.c                    | 179 +++++++++++++++++
 src/secret/secret_config.h                    |  40 ++++
 src/secret/secret_driver.c                    |  34 +++-
 src/secret/test_libvirt_secrets.aug.in        |   6 +
 .../virt-secret-init-encryption.service.in    |   8 +
 src/secret/virtsecretd.service.extra.in       |   8 +
 src/util/vircrypto.c                          | 126 +++++++++++-
 src/util/vircrypto.h                          |   8 +
 src/util/virerror.c                           |   3 +
 tests/vircryptotest.c                         |  65 +++++++
 21 files changed, 728 insertions(+), 50 deletions(-)
 create mode 100644 src/secret/libvirt_secrets.aug
 create mode 100644 src/secret/secret.conf.in
 create mode 100644 src/secret/secret_config.c
 create mode 100644 src/secret/secret_config.h
 create mode 100644 src/secret/test_libvirt_secrets.aug.in
 create mode 100644 src/secret/virt-secret-init-encryption.service.in

-- 
2.51.1
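As an added illustration of the on-disk layout the cover letter describes (this is not code from the series or from libvirt), the Python model below keeps one `<uuid>.<scheme>` file per secret, seals it with a key read from a key file, and refuses to load a secret whose key has changed, while an `encrypt_data=False` store falls back to the legacy `<uuid>.base64` layout. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; it stands in for, and is not, the GnuTLS cipher behind the series' vircrypto wrappers. The `hmacctr` scheme name, the `SecretStore` class and `demo()` are constructed for this example; the key file name `secrets-encryption-key` is the path mentioned later in the review thread.

```python
import base64
import hashlib
import hmac
import secrets as sysrand
import tempfile
import uuid
from pathlib import Path

# Constructed scheme table standing in for the series' schemeInfo array. The
# cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so
# this runs on the standard library alone; it is NOT the GnuTLS cipher behind
# libvirt's vircrypto wrappers.
SCHEME = "hmacctr"       # suffix of sealed files: <uuid>.hmacctr
PLAIN_SUFFIX = "base64"  # legacy unencrypted layout: <uuid>.base64
IV_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the random on-disk key."""
    if len(key) < 32:
        raise ValueError("encryption key must be at least 32 bytes")
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, iv + n.to_bytes(8, "big"), hashlib.sha256).digest()
              for n in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_secret(key: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext || tag; the tag also binds the scheme name."""
    enc_key, mac_key = _subkeys(key)
    iv = sysrand.token_bytes(IV_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, SCHEME.encode() + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt_secret(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so a changed key fails here, loudly."""
    enc_key, mac_key = _subkeys(key)
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, SCHEME.encode() + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


class SecretStore:
    """key_file and encrypt_data mirror secret.conf's secrets_encryption_key / encrypt_data."""

    def __init__(self, secrets_dir, key_file, encrypt_data=True):
        self.dir, self.key_file, self.encrypt_data = Path(secrets_dir), Path(key_file), encrypt_data
        self.dir.mkdir(mode=0o700, parents=True, exist_ok=True)
        if encrypt_data and not self.key_file.exists():
            # First start: generate a random key, as the init service would.
            self.key_file.write_bytes(sysrand.token_bytes(32))
            self.key_file.chmod(0o600)

    def save(self, secret_uuid: str, value: bytes) -> Path:
        if self.encrypt_data:
            path, data = self.dir / f"{secret_uuid}.{SCHEME}", encrypt_secret(self.key_file.read_bytes(), value)
        else:
            path, data = self.dir / f"{secret_uuid}.{PLAIN_SUFFIX}", base64.b64encode(value)
        path.write_bytes(data)
        path.chmod(0o600)
        return path

    def load_all(self):
        """Return (loaded, skipped): a secret that fails to unseal is skipped with
        a reason instead of aborting the whole load, as the cover letter describes."""
        loaded, skipped = {}, {}
        for path in sorted(self.dir.iterdir()):
            secret_uuid, _, scheme = path.name.rpartition(".")
            if not secret_uuid or scheme not in (SCHEME, PLAIN_SUFFIX):
                continue  # the key file or an unrelated entry
            try:
                if scheme == PLAIN_SUFFIX:
                    loaded[secret_uuid] = base64.b64decode(path.read_bytes())
                else:
                    loaded[secret_uuid] = decrypt_secret(self.key_file.read_bytes(), path.read_bytes())
            except ValueError as err:
                skipped[secret_uuid] = str(err)
        return loaded, skipped


def demo() -> dict:
    """Seal a secret, reload it, rotate the key, and show that it is then refused."""
    root = Path(tempfile.mkdtemp())
    store = SecretStore(root, root / "secrets-encryption-key")  # key path from the thread
    sid = str(uuid.uuid4())
    path = store.save(sid, b"constructed-secret-value")
    before, _ = store.load_all()
    store.key_file.write_bytes(sysrand.token_bytes(32))  # simulate a key change
    after, skipped = store.load_all()
    return {"suffix": path.suffix, "on_disk": path.read_bytes(), "before": before.get(sid),
            "after": after.get(sid), "skipped": sid in skipped}
```

The point a reviewer would check is in `load_all`: unsealing is authenticated, so a secret written under one key and read under another is rejected by the tag check and reported in `skipped`, instead of silently yielding garbage or taking the whole daemon load down. Binding the scheme name into the tag also stops a file from being reinterpreted under a different suffix once more schemes are appended to the table.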
Re: [PATCH v2 0/5] cover: RFE libvirt secret encryption on disk
Posted by Daniel P. Berrangé via Devel 1 month ago
On Tue, Dec 16, 2025 at 12:22:05PM +0530, Arun Menon via Devel wrote:
> Libvirt secrets are stored unencrypted on the disk.
> With this series we want to start encrypting the secrets.
> 
> 1. Introduce the GnuTLS decryption wrapper functions that
>    work exactly opposite to the encryption wrappers.
> 
> 2. Add a new service called virt-secrets-init-encryption, that is
>    linked to the virtsecretd and libvirtd service.
>    virtsecretd and libvirtd services only start
>    after the new service generates a random encryption key.
> 
> 3. Add a new secret.conf configuration file that helps the user set
>    a. secrets_encryption_key - allows the user to specify the encryption
>       key file path, in case the default key is not to be used.
>    b. encrypt_data - set to 0 or 1. If set to 1, then the newly
>       added secrets will be encrypted.
> 
> 4. Rename the file name attribute in virSecretObj structure to secretValueFile.
> 
> 5. Once we have the encryption key, and a reliable way to tell the daemon
>    what encryption scheme the secret object is using, we can encrypt the
>    secrets on disk and store them in <uuid>.<encryption_scheme> format.
>    It is important to note that if the encryption key is changed between
>    restarts, then the respective secret will not be loaded by the driver.
> 
> This is a sincere attempt to improve upon the already submitted patch
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/
> 
> Resolves: https://issues.redhat.com/browse/RHEL-7125

After building this series, I attempted 'systemctl start virtsecret',
which failed because /var/lib/libvirt/secrets/ did not exist.

We need a suitable meson rule to create that directory, and it must
also be added to the RPM spec.

With that fixed locally, I can see that it correctly auto-creates the
systemd credential and encrypts new secrets.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH v2 0/5] cover: RFE libvirt secret encryption on disk
Posted by Arun Menon via Devel 1 month ago
Hi Daniel,

On Mon, Jan 05, 2026 at 05:44:24PM +0000, Daniel P. Berrangé wrote:
> On Tue, Dec 16, 2025 at 12:22:05PM +0530, Arun Menon via Devel wrote:
> > Libvirt secrets are stored unencrypted on the disk.
> > With this series we want to start encrypting the secrets.
> > 
> > 1. Introduce the GnuTLS decryption wrapper functions that
> >    work exactly opposite to the encryption wrappers.
> > 
> > 2. Add a new service called virt-secrets-init-encryption, that is
> >    linked to the virtsecretd and libvirtd service.
> >    virtsecretd and libvirtd services only start
> >    after the new service generates a random encryption key.
> > 
> > 3. Add a new secret.conf configuration file that helps the user set
> >    a. secrets_encryption_key - allows the user to specify the encryption
> >       key file path, in case the default key is not to be used.
> >    b. encrypt_data - set to 0 or 1. If set to 1, then the newly
> >       added secrets will be encrypted.
> > 
> > 4. Rename the file name attribute in virSecretObj structure to secretValueFile.
> > 
> > 5. Once we have the encryption key, and a reliable way to tell the daemon
> >    what encryption scheme the secret object is using, we can encrypt the
> >    secrets on disk and store them in <uuid>.<encryption_scheme> format.
> >    It is important to note that if the encryption key is changed between
> >    restarts, then the respective secret will not be loaded by the driver.
> > 
> > This is a sincere attempt to improve upon the already submitted patch
> > https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/
> > 
> > Resolves: https://issues.redhat.com/browse/RHEL-7125
> 
> After building this series, I attempted 'systemctl start virtsecret',
> which failed because /var/lib/libvirt/secrets/ did not exist.
> 
> We need a suitable meson rule to create that directory, and it must
> also be added to the RPM spec.
> 
> With that fixed locally, I can see that it correctly auto-creates the
> systemd credential and encrypts new secrets.

Thank you. I might have created that directory manually and forgot to delete it
before testing. I shall amend.

> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 

Regards,
Arun
Re: [PATCH v2 0/5] cover: RFE libvirt secret encryption on disk
Posted by Daniel P. Berrangé via Devel 1 month ago
On Tue, Dec 16, 2025 at 12:22:05PM +0530, Arun Menon via Devel wrote:

Snip

>  include/libvirt/virterror.h                   |   1 +
>  libvirt.spec.in                               |   7 +
>  po/POTFILES                                   |   1 +
>  src/conf/virsecretobj.c                       | 183 ++++++++++++++----
>  src/conf/virsecretobj.h                       |  18 +-
>  src/libvirt_private.syms                      |   1 +
>  src/meson.build                               |   1 +
>  src/remote/libvirtd.service.in                |   4 +
>  src/secret/libvirt_secrets.aug                |  40 ++++
>  src/secret/meson.build                        |  31 +++
>  src/secret/secret.conf.in                     |  14 ++
>  src/secret/secret_config.c                    | 179 +++++++++++++++++
>  src/secret/secret_config.h                    |  40 ++++
>  src/secret/secret_driver.c                    |  34 +++-
>  src/secret/test_libvirt_secrets.aug.in        |   6 +
>  .../virt-secret-init-encryption.service.in    |   8 +
>  src/secret/virtsecretd.service.extra.in       |   8 +
>  src/util/vircrypto.c                          | 126 +++++++++++-
>  src/util/vircrypto.h                          |   8 +
>  src/util/virerror.c                           |   3 +
>  tests/vircryptotest.c                         |  65 +++++++

Aside from the code changes, I think we probably ought to have a
page added to the docs/ to explain that:

 * Out of the box, secrets are sealed using systemd credentials
 * This ties the encrypted secret files to the specific host
 * How to disable use of systemd creds entirely if desired
 * How to configure encryption key on non-systemd host if desired
 * How to create /var/lib/libvirt/secrets/secrets-encryption-key
   manually using systemd-creds, in case you want to pass extra
   args to 'systemd-creds encrypt'. eg to customize whether to
   use the TPM, and/or which PCRs

>  21 files changed, 728 insertions(+), 50 deletions(-)
>  create mode 100644 src/secret/libvirt_secrets.aug
>  create mode 100644 src/secret/secret.conf.in
>  create mode 100644 src/secret/secret_config.c
>  create mode 100644 src/secret/secret_config.h
>  create mode 100644 src/secret/test_libvirt_secrets.aug.in
>  create mode 100644 src/secret/virt-secret-init-encryption.service.in
> 
> -- 
> 2.51.1
> 

With regards,
Daniel