From nobody Wed Feb 11 01:26:10 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1770711944; cv=none;
	d=zohomail.com; s=zohoarc;
	b=loiAULxj4NKNkdC9ssYdq3eNgcL8JqoRnpzpboNkZFswXCAGcQHoR7EZM2eRn5GXGGnB4xa43WRCjX90uIJcpJBIXahRR8Sbb60oMfvN2K0BaSxSBNR/SSlg9KsrPj5hRQ09hQFss9iBkbc/yxvSlDvOuQKhLWdzueB5t01IXl4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1770711944;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id;
	bh=EHnE4K6DbnPsop/MmOxy3C/dHhWvHC7Sk0o+Z1R3ji8=;
	b=T4b9E9MhPCTGGLFn4UB8KJLJXrEheQkLkYVBGQUJ/84sk2INZdqCNy2uevEA911kZXQFp/fPV1ddSDlOEOZx2VAtgkw9xoYzo6MLRl10b87PZhMYrqy8QzeNLwSqSQ8GaZPW8cnMZUitU8IfU8Tw+x1fjYvll6m3rXMAFkOi2nU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 177071194414398.59977185366836;
 Tue, 10 Feb 2026 00:25:44 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 4248843F71; Tue, 10 Feb 2026 03:25:43 -0500 (EST)
Received: from [172.19.199.6] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 0C1F044194;
	Tue, 10 Feb 2026 03:21:33 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 1A4323F357; Tue, 10 Feb 2026 03:00:32 -0500 (EST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 57A0E3F287
	for <devel@lists.libvirt.org>; Tue, 10 Feb 2026 03:00:31 -0500 (EST)
Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com
 [209.85.214.198]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-645-tlcNtgC7OXGA5IEM7NN8rw-1; Tue, 10 Feb 2026 03:00:29 -0500
Received: by mail-pl1-f198.google.com with SMTP id
 d9443c01a7336-2a94369653aso55884735ad.1
        for <devel@lists.libvirt.org>; Tue, 10 Feb 2026 00:00:29 -0800 (PST)
Received: from armenon-kvm.armenon-thinkpadp16vgen1.bengluru.csb
 ([49.36.106.198])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2aadc397d8dsm98273835ad.1.2026.02.10.00.00.26
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 10 Feb 2026 00:00:27 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.0 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1770710431;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=EHnE4K6DbnPsop/MmOxy3C/dHhWvHC7Sk0o+Z1R3ji8=;
	b=KwLIEj6grzhNKzSD0Z19OJL+6mCLsbfjDso4cs8P0kIqU5035dCoWG0lHfebs0xUkk3m/F
	JQDQrvWd2XwD/kn8pg4NF39BKEbubhGmiAYK7kfOhgvHPrSi24Qy7gbXW/2DCRHExClhZD
	B8/D7Eg26PxklxGuzSD8zpfJqyHzqUI=
X-MC-Unique: tlcNtgC7OXGA5IEM7NN8rw-1
X-Mimecast-MFC-AGG-ID: tlcNtgC7OXGA5IEM7NN8rw_1770710428
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770710428; x=1771315228;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=EHnE4K6DbnPsop/MmOxy3C/dHhWvHC7Sk0o+Z1R3ji8=;
        b=J/n+HCHzFHAPBobOjxp17oEUArK/+yEoAjE2wu7I5BceJdr8JpboROlJxNRwGXdF20
         jP9poglQn+cDrMh+oxYMxDo8lyEwL01XizVsd5FDU/YfhSWdfFayNuzUD7mURiv1i0Eq
         Rq8MTVq2I5qSuWh7CMxUyc9iqAUkDGemU0e4VpkL/qrKvBWh+xGtH+xbyY0pU7vf3iiE
         IZeH7NtGMAn6OWDvarZ2kkjtKcG6EK8xSM0cLn0L6PbcKIpEkCLBE9KUxIWVl+Yiov+e
         hHiSmpzY2lyc3lMmHAnQs35U/+oDPuduyFZRWvX2A0mLoApBufqDNIo0FmJ3MfLwe2hZ
         VOhA==
X-Gm-Message-State: AOJu0YzFp2YJAadeIkFV2G3ELVhbuwENvm+JXjQBjePx5ptF3rNobqf5
	Jlf4e8VXdYgd9ogjmXMydkU3xVfpZ3Ct3bNqayCUsn5WEGLEGB93UoYFt3krniUezuflQBgo+r4
	53EtmHZ0Zc99QCfPL59T/jq90MBTowRMSTTmoYSvNgYGcWPawG6S9RgQ0p6/vi3U2Y/dta0zCUB
	ssrw/zF00JmABM6RBkCChOhlZxA7FrHh9ekvm3jC42bg==
X-Gm-Gg: AZuq6aJzATtq2NMU3/KCQ7s1PHIDVLWFdVed2HicQT4Yk7qJTNitG1Etwt2OXIJ8/Fq
	l1ACktDAl981U0Phg8iOL57KGpXllNHixLEwiDyw7B8WXrhAzQ6yfdhvXt8pOPPBZZY3mjBN+W0
	55NcUN8rrgy4gvPut929r0otHdIWdFXqq4Z17CMqUfTrNWLqdv6uwNVQ9nzU7esEBZXHdglIjW6
	pq83kmtZxZjaA6FMbLMwIsmg7+rcVMTIGdl5v6PP+TDlfTCIYJ1a7K4pJfyRc4Sir8jo95osQIF
	aFDrzJhmH0iIxbYCn6XoQdHr4Ng4AB1CCWc0K1fyoA9BVYroN+gDxGObB2I5NyTWwnQQXZuoKMJ
	4JeN/b9Gc0wbns42Hnf8Bo4LOcEg5FQW8iasrqI6WK9MPMXXezAyN7tYo0uQB481gLh4g4g==
X-Received: by 2002:a17:903:11d0:b0:2a7:a3b3:3225 with SMTP id
 d9443c01a7336-2a95225ad92mr142313525ad.53.1770710427976;
        Tue, 10 Feb 2026 00:00:27 -0800 (PST)
X-Received: by 2002:a17:903:11d0:b0:2a7:a3b3:3225 with SMTP id
 d9443c01a7336-2a95225ad92mr142313105ad.53.1770710427447;
        Tue, 10 Feb 2026 00:00:27 -0800 (PST)
To: devel@lists.libvirt.org
Subject: [PATCH v5 6/6] docs: secret: Add documentation of secret encryption
 feature
Date: Tue, 10 Feb 2026 13:30:12 +0530
Message-ID: <20260210080012.17753-7-armenon@redhat.com>
X-Mailer: git-send-email 2.51.1
In-Reply-To: <20260210080012.17753-1-armenon@redhat.com>
References: <20260210080012.17753-1-armenon@redhat.com>
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: cgH12WSx5rG-a7wUHmy99MAaFI_3y6WwhM8OMfBjl3E_1770710428
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: KWZ7C4EJ4Z2MQ2YVLTQVO33TVECHIW6T
X-Message-ID-Hash: KWZ7C4EJ4Z2MQ2YVLTQVO33TVECHIW6T
X-MailFrom: armenon@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
CC: Arun Menon <armenon@redhat.com>
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/KWZ7C4EJ4Z2MQ2YVLTQVO33TVECHIW6T/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Arun Menon via Devel <devel@lists.libvirt.org>
Reply-To: Arun Menon <armenon@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1770711951169158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

Document the new encryption of secrets feature in secretencryption.rst.

Signed-off-by: Arun Menon <armenon@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
---
 docs/drvsecret.rst        |   4 ++
 docs/meson.build          |   1 +
 docs/secretencryption.rst | 105 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 docs/secretencryption.rst

diff --git a/docs/drvsecret.rst b/docs/drvsecret.rst
index 76a9097d2b..234551d5ae 100644
--- a/docs/drvsecret.rst
+++ b/docs/drvsecret.rst
@@ -63,3 +63,7 @@ the traditional system or session libvirt connections to =
QEMU. Normal practice
 would be to open the secret driver in embedded mode any time one of the ot=
her
 drivers is opened in embedded mode so that the two drivers can interact
 in-process.
+
+Further reading
+----------------------------
+- `Secret Encryption <secretencryption.html>`__
diff --git a/docs/meson.build b/docs/meson.build
index 21e0b19c25..0e74f9c4bf 100644
--- a/docs/meson.build
+++ b/docs/meson.build
@@ -97,6 +97,7 @@ docs_rst_files =3D [
   'programming-languages',
   'python',
   'remote',
+  'secretencryption',
   'securityprocess',
   'ssh-proxy',
   'storage',
diff --git a/docs/secretencryption.rst b/docs/secretencryption.rst
new file mode 100644
index 0000000000..4908339f2d
--- /dev/null
+++ b/docs/secretencryption.rst
@@ -0,0 +1,105 @@
+.. role:: since
+
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
+Secret storage and encryption
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
+
+.. contents::
+
+The secret objects can either be ephemeral or persistent.
+Ephemeral secrets are only kept in memory, never stored persistently on th=
e disk.
+See `Secrets <formatsecret.html>`__
+
+:since:`Since 12.1.0` if a secret is defined as persistent, then it is sto=
red **encrypted** on the disk.
+
+
+Systemd Credentials Sealing
+---------------------------
+
+Out of the box, secrets are sealed using systemd credentials. This ties the
+encrypted secret files to the specific host.
+
+The `virt-secret-init-encryption` service automatically generates a random
+32-byte key and encrypts it using `systemd-creds`, storing the result in
+`/var/lib/libvirt/secrets/secrets-encryption-key`. The `virtsecretd` servi=
ce
+then automatically loads this key securely via the systemd `LoadCredential=
Encrypted`
+mechanism.
+
+Disabling Systemd Credentials
+-----------------------------
+
+You can control encryption behavior by editing the `secret.conf` configura=
tion
+file located in ``@SYSCONFDIR@/libvirt/secret.conf`` or ``$XDG_CONFIG_HOME=
/libvirt/secret.conf``
+depending on how the daemon was started (system mode or session mode respe=
ctively).
+
+To **disable encryption entirely** (which effectively disables the use of =
any
+systemd credentials for this purpose):
+
+::
+
+   encrypt_data =3D 0
+
+Setting ``encrypt_data =3D 0`` takes precedence over any available systemd
+credentials. If you have existing encrypted secrets, this setting will pre=
vent
+the secret driver from loading the encryption key, making those secrets
+inaccessible. New or updated secrets will be stored in plain base64 format.
+
+To **use a custom encryption key** instead of the systemd credential.
+Defining a custom key path takes precedence over the systemd credential
+
+::
+
+   secrets_encryption_key =3D "/path/to/custom/key"
+
+Configuring Encryption on Non-Systemd Hosts
+-------------------------------------------
+
+On hosts without systemd, or if you prefer to manage the key manually, you=
 can
+create a raw encryption key and configure libvirt to use it.
+
+Generate a random 32-byte key:
+
+::
+
+   dd if=3D/dev/random of=3D/path/to/key/file bs=3D32 count=3D1
+
+Update `secret.conf` to point to this key:
+
+::
+
+   secrets_encryption_key =3D "/path/to/key/file"
+
+Manual Systemd Credential Creation
+----------------------------------
+
+If you want to use systemd credentials but need to customize the encryptio=
n parameters
+(for example, to specify which TPM PCRs to bind to), you can generate the
+credential file manually.
+
+To create the default `/var/lib/libvirt/secrets/secrets-encryption-key` ma=
nually
+using `systemd-creds` (adjusting arguments to `systemd-creds encrypt` as n=
eeded):
+
+::
+
+   dd if=3D/dev/random bs=3D32 count=3D1 | \
+   systemd-creds encrypt --name=3Dsecrets-encryption-key - \
+   /var/lib/libvirt/secrets/secrets-encryption-key
+
+You can pass extra arguments to `systemd-creds encrypt <https://www.freede=
sktop.org/software/systemd/man/latest/systemd-creds.html?#encrypt%20input%7=
C-%20output%7C->`__,
+such as ``--tpm2-device=3D...`` or ``--tpm2-pcrs=3D...``, to customize the=
 sealing policy.
+
+Upgrading Libvirt for secret encryption
+---------------------------------------
+Starting 12.1.0, secrets can be stored on the disk in an encrypted format,=
 rather than
+the default base64 encoding.
+
+Any secret created before upgrading libvirt, remain stored in their origin=
al base64
+format on the disk.
+A pre-existing secret will only be encrypted if you explicitly update its =
value using
+**virsh secret-set-value** after the upgrade, provided that encryption is =
enabled in
+secret.conf configuration file.
+
+It is important to note that encrypted secrets are not backwards compatibl=
e. In case of
+a downgrade to an older version of libvirt, the encrypted secrets will not=
 be loaded from
+the disk. Therefore, before reverting to an older version libvirt, make su=
re that all the
+secrets have been reverted to the standard base64 format, to avoid service=
 disruptions.
--=20
2.51.1