[PATCH v4 0/6] cover: RFE libvirt secret encryption on disk

Arun Menon via Devel posted 6 patches 3 weeks, 2 days ago
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20260109180936.127454-1-armenon@redhat.com
[PATCH v4 0/6] cover: RFE libvirt secret encryption on disk
Posted by Arun Menon via Devel 3 weeks, 2 days ago
Libvirt secrets are stored unencrypted on the disk.
With this series we want to start encrypting the secrets.

1. Introduce the GnuTLS decryption wrapper functions that
   work exactly opposite to the encryption wrappers.

2. Add a new service called virt-secrets-init-encryption, that is
   linked to the virtsecretd service. virtsecretd service only starts
   after the new service generates a random encryption key.

3. Add a new secrets.conf configuration file that helps the user to set
   a. secrets_encryption_key - allows the user to specify the encryption
      key file path, in case the default key is not to be used.
   b. encrypt_data - set to 0 or 1. If set to 1, then the newly
      added secrets will be encrypted.

4. Add an encryption scheme or cipher attribute that will allow us to
   choose the last used cipher.

5. Once we have the encryption key, and a reliable way to tell the daemon
   what encryption scheme the secret object is using, we can encrypt the
   secrets on disk and store them in <uuid>.<encryption_scheme> format.
   It is important to note that if the encryption key is changed between
   restarts, then the respective secret will not be loaded by the driver.

6. Add documentation.

This is a sincere attempt to improve upon the already submitted patch
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/

Resolves: https://issues.redhat.com/browse/RHEL-7125

---

Changes in v4:
- Fix the regression of loading unencrypted secrets after an upgrade.
  Previously the .base64 unencrypted secrets were not being loaded.
- Add documentation on encrypted secrets.

Changes in v3:
- Secrets xml configuration no longer stores the encryption scheme, therefore
  not allowing the user to toggle between ciphers.
- Removed unnecessary socket files of the new service. It now has a general
  configuration with which it starts.
- Addressed review comments from Peter on coding style and design.
- Loading of secrets is dependent on the file extension. Most recent cipher is
  used while saving the secrets.

Changes in v2:
- Corrected the encryption key length check. It should be 32.
- Added a new patch that introduces the encryption scheme attribute.
  This will help us identify which secrets are encrypted.
- A new systemd unit file is added that starts before virtsecretd, helping
  us to construct a random encryption key and pass it to the virtsecretd service.
- Parsing logic of secrets.conf moved to a separate file.
- Spec file changes, augeas.

Arun Menon (6):
  util: Add support for GnuTLS decryption
  secret: Set up default encryption secret key for the virtsecretd
    service
  secret: Add secret.conf configuration file and parse it
  secret: Rename virSecretObj structure attribute from base64File to
    secretValueFile
  secret: Add functionality to load and save secrets in encrypted format
  docs: secret: Add documentation of secret encryption feature

 docs/drvsecret.rst                            |   4 +
 docs/meson.build                              |   1 +
 docs/secretencryption.rst                     |  86 ++++++++
 include/libvirt/virterror.h                   |   1 +
 libvirt.spec.in                               |   8 +
 po/POTFILES                                   |   1 +
 src/conf/virsecretobj.c                       | 193 ++++++++++++++----
 src/conf/virsecretobj.h                       |  18 +-
 src/libvirt_private.syms                      |   1 +
 src/meson.build                               |   1 +
 src/remote/libvirtd.service.in                |   4 +
 src/secret/libvirt_secrets.aug                |  40 ++++
 src/secret/meson.build                        |  32 +++
 src/secret/secret.conf.in                     |  14 ++
 src/secret/secret_config.c                    | 179 ++++++++++++++++
 src/secret/secret_config.h                    |  40 ++++
 src/secret/secret_driver.c                    |  34 ++-
 src/secret/test_libvirt_secrets.aug.in        |   6 +
 .../virt-secret-init-encryption.service.in    |   8 +
 src/secret/virtsecretd.service.extra.in       |   8 +
 src/util/vircrypto.c                          | 126 +++++++++++-
 src/util/vircrypto.h                          |   8 +
 src/util/virerror.c                           |   3 +
 tests/vircryptotest.c                         |  65 ++++++
 24 files changed, 831 insertions(+), 50 deletions(-)
 create mode 100644 docs/secretencryption.rst
 create mode 100644 src/secret/libvirt_secrets.aug
 create mode 100644 src/secret/secret.conf.in
 create mode 100644 src/secret/secret_config.c
 create mode 100644 src/secret/secret_config.h
 create mode 100644 src/secret/test_libvirt_secrets.aug.in
 create mode 100644 src/secret/virt-secret-init-encryption.service.in

-- 
2.51.1
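Points 2 and 5 of the cover letter hinge on one operational detail: the daemon's trust root is a 32-byte key file created before virtsecretd starts, and a key that changes between restarts leaves the secrets encrypted under the old key unloadable. The script below is an added illustration of what such a key-init step has to get right (idempotence, permissions, length check, change detection); it is not the virt-secret-init-encryption unit from this series, and the function names, the key path and the use of sha256sum are assumptions made here for the example.

```shell
#!/bin/sh
# Added example: a key-provisioning oneshot for an encrypted secret store.
# Not libvirt's own code; paths and function names are assumptions.

KEY_LEN=32   # the series checks for a 32-byte (AES-256) key

# Create the key only if it does not exist yet. Overwriting an existing key
# would silently orphan every secret already encrypted under it, which is
# exactly the "key changed between restarts" failure the cover letter warns about.
gen_key() {
    keyfile=$1
    if [ -s "$keyfile" ]; then
        return 0
    fi
    tmp="$keyfile.tmp.$$"
    (
        umask 077                          # 0600 from the first byte written
        head -c "$KEY_LEN" /dev/urandom > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$keyfile"                   # atomic: never a half-written key
}

# The check a daemon should run before trusting the key: correct length and
# no group/other permission bits (the key is the trust root for every secret).
check_key() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "missing key $keyfile" >&2; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -ne "$KEY_LEN" ]; then
        echo "key $keyfile has $size bytes, expected $KEY_LEN" >&2
        return 1
    fi
    # columns 5-10 of ls -l are the group and other permission characters
    mode=$(ls -l "$keyfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "key $keyfile is group/world accessible ($mode)" >&2
        return 1
    fi
    return 0
}

# Stable fingerprint of the key. Recording it alongside the secret store lets
# an operator notice a changed key before secrets quietly fail to load.
key_fingerprint() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Usage, as the oneshot would run it (assumed path):
#   gen_key /run/example/secrets.key && check_key /run/example/secrets.key
```

The idempotence of `gen_key` is the security-relevant part: a unit that regenerates the key on every boot would turn every restart into the key-change scenario from point 5, and the stored secrets would be lost rather than protected.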
Re: [PATCH v4 0/6] cover: RFE libvirt secret encryption on disk
Posted by Arun Menon via Devel 1 week, 4 days ago
On Fri, Jan 09, 2026 at 11:39:30PM +0530, Arun Menon wrote:
> Libvirt secrets are stored unencrypted on the disk.
> With this series we want to start encrypting the secrets.
> 
> 1. Introduce the GnuTLS decryption wrapper functions that
>    work exactly opposite to the encryption wrappers.
> 
> 2. Add a new service called virt-secrets-init-encryption, that is
>    linked to the virtsecretd service. virtsecretd service only starts
>    after the new service generates a random encryption key.
> 
> 3. Add a new secrets.conf configuration file that helps the user to set
>    a. secrets_encryption_key - allows the user to specify the encryption
>       key file path, in case the default key is not to be used.
>    b. encrypt_data - set to 0 or 1. If set to 1, then the newly
>       added secrets will be encrypted.
> 
> 4. Add an encryption scheme or cipher attribute that will allow us to
>    choose the last used cipher.
> 
> 5. Once we have the encryption key, and a reliable way to tell the daemon
>    what encryption scheme the secret object is using, we can encrypt the
>    secrets on disk and store them in <uuid>.<encryption_scheme> format.
>    It is important to note that if the encryption key is changed between
>    restarts, then the respective secret will not be loaded by the driver.
> 
> 6. Add documentation.
> 
> This is a sincere attempt to improve upon the already submitted patch
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/
> 
> Resolves: https://issues.redhat.com/browse/RHEL-7125
> 
> ---
> 
> Changes in v3:
v4
> - Fix the regression of loading unencrypted secrets after an upgrade.
>   Previously the .base64 unencrypted secrets were not being loaded.
> - Add documentation on encrypted secrets.
> 
> Changes in v3:
> - Secrets xml configuration no longer stores the encryption scheme, therefore
>   not allowing the user to toggle between ciphers.
> - Removed unnecessary socket files of the new service. It now has a general
>   configuration with which it starts.
> - Addressed review comments from Peter on coding style and design.
> - Loading of secrets is dependent on the file extension. Most recent cipher is
>   used while saving the secrets.
> 
> Changes in v2:
> - Corrected the encryption key length check. It should be 32.
> - Added a new patch that introduces the encryption scheme attribute.
>   This will help us identify which secrets are encrypted.
> - A new systemd unit file is added that starts before virtsecretd, helping
>   us to construct a random encryption key and pass it to the virtsecretd service.
> - Parsing logic of secrets.conf moved to a separate file.
> - Spec file changes, augeas.
> 
> Arun Menon (6):
>   util: Add support for GnuTLS decryption
>   secret: Set up default encryption secret key for the virtsecretd
>     service
>   secret: Add secret.conf configuration file and parse it
>   secret: Rename virSecretObj structure attribute from base64File to
>     secretValueFile
>   secret: Add functionality to load and save secrets in encrypted format
>   docs: secret: Add documentation of secret encryption feature
> 
>  docs/drvsecret.rst                            |   4 +
>  docs/meson.build                              |   1 +
>  docs/secretencryption.rst                     |  86 ++++++++
>  include/libvirt/virterror.h                   |   1 +
>  libvirt.spec.in                               |   8 +
>  po/POTFILES                                   |   1 +
>  src/conf/virsecretobj.c                       | 193 ++++++++++++++----
>  src/conf/virsecretobj.h                       |  18 +-
>  src/libvirt_private.syms                      |   1 +
>  src/meson.build                               |   1 +
>  src/remote/libvirtd.service.in                |   4 +
>  src/secret/libvirt_secrets.aug                |  40 ++++
>  src/secret/meson.build                        |  32 +++
>  src/secret/secret.conf.in                     |  14 ++
>  src/secret/secret_config.c                    | 179 ++++++++++++++++
>  src/secret/secret_config.h                    |  40 ++++
>  src/secret/secret_driver.c                    |  34 ++-
>  src/secret/test_libvirt_secrets.aug.in        |   6 +
>  .../virt-secret-init-encryption.service.in    |   8 +
>  src/secret/virtsecretd.service.extra.in       |   8 +
>  src/util/vircrypto.c                          | 126 +++++++++++-
>  src/util/vircrypto.h                          |   8 +
>  src/util/virerror.c                           |   3 +
>  tests/vircryptotest.c                         |  65 ++++++
>  24 files changed, 831 insertions(+), 50 deletions(-)
>  create mode 100644 docs/secretencryption.rst
>  create mode 100644 src/secret/libvirt_secrets.aug
>  create mode 100644 src/secret/secret.conf.in
>  create mode 100644 src/secret/secret_config.c
>  create mode 100644 src/secret/secret_config.h
>  create mode 100644 src/secret/test_libvirt_secrets.aug.in
>  create mode 100644 src/secret/virt-secret-init-encryption.service.in
> 
> -- 
> 2.51.1
> 

Hello,

A gentle ping on this series.
Any further suggestion is appreciated.


Regards,
Arun Menon