This commit sets the foundation for encrypting the libvirt secrets by providing a secure way to pass a master encryption key to the virtsecretd service.
Add a default, pre-generated, master encryption key to the credentials, that can be consumed by the virtsecretd service. By using the "SetCredentialEncrypted=" directive, we make sure that passing data to the service is secure. The virtsecretd service can then read the key from CREDENTIALS_DIRECTORY. [1] This setup therefore provides a default key out-of-the-box for initial use. Users can customize this setting, by replacing the default encrypted string with their own. A subsequent commit will introduce the logic for virtsecretd to access and use this key via the $CREDENTIALS_DIRECTORY environment variable. [2] In order to add the default encryption key, a random 32 byte key was generated and encrypted: dd if=/dev/urandom of=/tmp/master.key bs=1 count=32 systemd-creds encrypt --name=master-encryption-key -p /tmp/master.key - This generates a SetCredentialEncrypted= line suitable for inclusion in the unit file. [1] https://www.freedesktop.org/software/systemd/man/latest/systemd-creds.html [2] https://systemd.io/CREDENTIALS/ Signed-off-by: Arun Menon <[email protected]> --- src/secret/virtsecretd.service.extra.in | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/secret/virtsecretd.service.extra.in b/src/secret/virtsecretd.service.extra.in index 1fc8c672f7..0f65bc3bb1 100644 --- a/src/secret/virtsecretd.service.extra.in +++ b/src/secret/virtsecretd.service.extra.in @@ -1,2 +1,10 @@ # The contents of this unit will be merged into a base template. # Additional units might be merged as well. See meson.build for details. +# +[Service] +Environment=MASTER_ENCRYPTION_KEY=%d/master-encryption-key +SetCredentialEncrypted=master-encryption-key: \ + Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAD9m5CsEfoZf8Lj/dQAAAAAFSvJ7 \ + eSEmqQthu+A4Eqn4vEKp6jx7ScbcM98bcW5Do0K9V0eTPWD+eNJJrB+xS/MAklo3rkf0S \ + 7n7rXk8SQZ0FQ5Uv8ZoOuidWPHHiLZGS9bxAJwTZvN/VX+pe+biC16 +LoadCredentialEncrypted=master-encryption-key -- 2.51.1
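Review bot: The `SetCredentialEncrypted=master-encryption-key:` blob added in this hunk was produced, per the commit message, by `systemd-creds encrypt --name=master-encryption-key -p /tmp/master.key -` with no `--with-key=` option, so it is encrypted with whichever key the author's host selected at that time; the commit should state which key that was and confirm that the blob decrypts on a freshly installed host, since otherwise `LoadCredentialEncrypted=master-encryption-key` fails and virtsecretd does not start. Either way, a single pre-generated key shipped in the unit file to every installation cannot be treated as a secret: if it decrypts everywhere it is effectively public, and if it is host-bound it does not work as a default. A comment above `SetCredentialEncrypted=` explaining that this line is a bootstrap placeholder and that users are expected to replace it (or to drop their own encrypted file into the credstore so that `LoadCredentialEncrypted=` takes it instead) would make the intended precedence and the security expectation explicit in the unit itself rather than only in the commit message. The empty `+#` comment line added after the header also looks like a leftover and could be dropped.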
