On Thu, Nov 13, 2025 at 02:57:13PM +0100, Peter Krempa via Devel wrote:
> On Thu, Nov 13, 2025 at 19:02:22 +0530, Arun Menon via Devel wrote:
> > A new configuration file called secrets.conf is introduced to
> > let the user configure the path to the master encryption key.
> > This key will be used to encrypt/decrypt the secrets in libvirt.
> >
> > By default the path is set to the runtime directory
> > /run/libvirt/secrets, and it is commented in the config file.
> > The virtsecretd driver checks if the credentials are available
> > in the CREDENTIALS_DIRECTORY. In case it is not present, then the
> > user is expected to provide the encryption key path in secrets.conf
>
> Is there any plan to be able to pass the secret to the secrets
> driver/daemon in an ephemeral way?
>
> Because both the systemd secrets and the config file seem to just store
> it on the same host. Thus for root-owned files it's just a slightly
> bigger hurdle rather than any real security.
IIUC in the systemd case, the credentials on disk are only visible in the
mount namespace given to the service. I've not checked, but I would imagine
the dir is backed with tmpfs. IOW, the plain text secret should be
inaccessible to anything else on the host, unless they have fully privileged
root account access needed to join the mount namespace. The service can
delete the creds file from this mount location when it has been loaded, so
the window of availability is only the startup sequence.

Nonetheless any app can access /proc/$PID/mem and fetch the secrets from
memory, if they have full root privileges, no matter how we pass the secret
across to virtsecretd.

An alternative in the non-systemd case would be to pass the creds in via a
FIFO, so it is read-once and not actually on even a temporary disk mount.

> > diff --git a/src/secret/secrets.conf.in b/src/secret/secrets.conf.in
> > new file mode 100644
> > index 0000000000..80bb9654ce
> > --- /dev/null
> > +++ b/src/secret/secrets.conf.in
> > @@ -0,0 +1,14 @@
> > +#
> > +# Master configuration file for the secrets driver.
> > +#
> > +
> > +# The master encryption key is used to override default master encryption
> > +# key path. The user can create an encryption key and set the
> > master_encryption_key
> > +# to the path on which it resides.
> > +# The key must be atleast 32-bytes long.
> > +#
> > +# master_encryption_key = "/run/libvirt/secrets/master.key"
> > +#
> > +# The encrypt_data setting is used to indicate if the encryption is on or
> > off.
> > +# 0 indicates off and 1 indicates on. By default it is set to on.
> > +encrypt_data = 1
>
> As the default secret seems to be handed in via systemd, which will it
> make available to any upgraded installation, I don't think you can
> unconditionally enable this option as it would break existing
> un-encrypted secrets.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
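Review bot: the master_encryption_key comment in the hunk should state what the driver enforces on the file it points at, in particular whether a key shorter than the documented 32 bytes is rejected rather than silently accepted (a short key weakens every secret encrypted under it) and which permissions the file must have (readable only by the user virtsecretd runs as), since a root-readable key file on the same host is exactly the weak point raised above. The example path "/run/libvirt/secrets/master.key" also sits under /run, a tmpfs that is cleared at reboot, so the comment should say the key is expected to be re-supplied at every start (via CREDENTIALS_DIRECTORY or by the admin) and that losing it makes the stored encrypted secrets unrecoverable. Minor: "atleast" should be "at least" and "32-bytes" should be "32 bytes".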
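The key hand-off Daniel describes above (systemd credentials directory first, configured path otherwise, FIFO as a read-once alternative), as an added example in C that is not libvirt's own code and not part of this thread. It assumes a credential named "master.key", assumes its own status codes, and enforces the checks a reviewer would want around the secrets.conf defaults: the 32-byte minimum from the config comment, no group/other read permission on a regular key file, and wiping of the key buffer once it is no longer needed.

```c
/* Added example, not libvirt's code: load a master encryption key the way a
 * defender would want virtsecretd to. Source is $CREDENTIALS_DIRECTORY (systemd)
 * if set, else the secrets.conf path; the key must be at least 32 bytes, a
 * regular key file must not be group/other readable, a FIFO is drained by the
 * single read, and the buffer is wiped afterwards. The credential name
 * "master.key" and the status codes are assumptions made for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define MASTER_KEY_MIN_LEN 32    /* minimum documented in secrets.conf */
#define MASTER_KEY_MAX_LEN 4096  /* upper bound chosen for this example */
enum key_status { KEY_OK = 0, KEY_ERR_OPEN, KEY_ERR_PERMS, KEY_ERR_SHORT, KEY_ERR_READ };

/* Zero key material; the volatile pointer keeps the compiler from dropping the stores. */
static void wipe(unsigned char *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read until EOF or the buffer is full; returns bytes read or -1 on error. */
static ssize_t read_all(int fd, unsigned char *buf, size_t cap)
{
    size_t got = 0;
    ssize_t n;
    while (got < cap && (n = read(fd, buf + got, cap - got)) != 0) {
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Choose the key source: systemd credentials win, then the configured path.
 * Returns 0 and fills `out`, or -1 when neither is usable or `out` is too small. */
int resolve_key_path(const char *cred_dir, const char *cred_name,
                     const char *configured, char *out, size_t outcap)
{
    int n = -1;
    if (cred_dir && *cred_dir)
        n = snprintf(out, outcap, "%s/%s", cred_dir, cred_name);
    else if (configured && *configured)
        n = snprintf(out, outcap, "%s", configured);
    return (n > 0 && (size_t)n < outcap) ? 0 : -1;
}

/* Load the key at `path`. A regular file readable by group or others is refused
 * (mode & 077); a FIFO is accepted and drained by this one read, which is what
 * makes the FIFO hand-off read-once. On success *len holds the key length. */
enum key_status load_master_key(const char *path, unsigned char *key, size_t cap, size_t *len)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0) return KEY_ERR_OPEN;
    if (fstat(fd, &st) < 0 || (!S_ISREG(st.st_mode) && !S_ISFIFO(st.st_mode))) {
        close(fd); return KEY_ERR_OPEN;
    }
    if (S_ISREG(st.st_mode) && (st.st_mode & 077) != 0) {
        close(fd); return KEY_ERR_PERMS;
    }
    ssize_t n = read_all(fd, key, cap);
    close(fd);
    if (n < 0) { wipe(key, cap); return KEY_ERR_READ; }
    if ((size_t)n < MASTER_KEY_MIN_LEN) { wipe(key, cap); return KEY_ERR_SHORT; }
    *len = (size_t)n;
    return KEY_OK;
}

/* Demo helper: write `len` bytes of a constructed (non-random) key to a temp
 * file, set its mode, attempt the load, then remove the file. */
enum key_status try_key_file(size_t len, mode_t mode)
{
    char path[] = "/tmp/secrets-example-XXXXXX";
    unsigned char key[MASTER_KEY_MAX_LEN];
    size_t klen = 0;
    if (len > sizeof key) return KEY_ERR_OPEN;
    int fd = mkstemp(path);  /* created with mode 0600 */
    if (fd < 0) return KEY_ERR_OPEN;
    for (size_t i = 0; i < len; i++)
        key[i] = (unsigned char)(i * 7 + 3);  /* constructed test bytes */
    if (write(fd, key, len) != (ssize_t)len || fchmod(fd, mode) != 0) {
        close(fd); unlink(path); return KEY_ERR_READ;
    }
    close(fd);
    enum key_status s = load_master_key(path, key, sizeof key, &klen);
    wipe(key, sizeof key);
    unlink(path);
    return s;
}

int main(void)
{
    char path[4096];
    unsigned char key[MASTER_KEY_MAX_LEN];
    size_t klen = 0;
    if (resolve_key_path(getenv("CREDENTIALS_DIRECTORY"), "master.key",
                         "/run/libvirt/secrets/master.key", path, sizeof path) < 0)
        return 1;
    enum key_status s = load_master_key(path, key, sizeof key, &klen);
    printf("%s: status %d, %zu bytes\n", path, (int)s, klen);
    wipe(key, sizeof key);
    return s == KEY_OK ? 0 : 1;
}
```

Opening a FIFO with O_RDONLY blocks until the writer connects, so in a daemon this load belongs in the startup sequence, before the key is needed; once the bytes have been read they are gone from the FIFO, which is the property that makes the hand-off ephemeral. The permission check only covers regular files, because a FIFO's contents are consumed by whoever reads first, which is why the writer should create it 0600 and open it only for the daemon's user.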
