From: Jim Fehlig <jfehlig@suse.com>

Switch to using systemd's native UMask= directive, instead of using
umask directly in ExecStart=.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/secret/virt-secret-init-encryption.service.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/secret/virt-secret-init-encryption.service.in b/src/secret/virt-secret-init-encryption.service.in
index 8fd54002a0..5cf4149188 100644
--- a/src/secret/virt-secret-init-encryption.service.in
+++ b/src/secret/virt-secret-init-encryption.service.in
@@ -5,4 +5,5 @@ ConditionPathExists=!@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/sh -c 'umask 0077 && (dd if=/dev/random status=none bs=32 count=1 | systemd-creds encrypt --name=secrets-encryption-key - @localstatedir@/lib/libvirt/secrets/secrets-encryption-key)'
+UMask=0077
+ExecStart=/usr/bin/sh -c 'dd if=/dev/random status=none bs=32 count=1 | systemd-creds encrypt --name=secrets-encryption-key - @localstatedir@/lib/libvirt/secrets/secrets-encryption-key'
-- 
2.51.0

On Thu, Apr 16, 2026 at 03:57:54PM -0600, Jim Fehlig via Devel wrote:
> From: Jim Fehlig <jfehlig@suse.com>
> 
> Switch to using systemd's native UMask= directive, instead of using
> umask directly in ExecStart=.
> 
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>  src/secret/virt-secret-init-encryption.service.in | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|