On Tue, Dec 16, 2025 at 12:22:05PM +0530, Arun Menon via Devel wrote:

Snip

>  include/libvirt/virterror.h                   |   1 +
>  libvirt.spec.in                               |   7 +
>  po/POTFILES                                   |   1 +
>  src/conf/virsecretobj.c                       | 183 ++++++++++++++----
>  src/conf/virsecretobj.h                       |  18 +-
>  src/libvirt_private.syms                      |   1 +
>  src/meson.build                               |   1 +
>  src/remote/libvirtd.service.in                |   4 +
>  src/secret/libvirt_secrets.aug                |  40 ++++
>  src/secret/meson.build                        |  31 +++
>  src/secret/secret.conf.in                     |  14 ++
>  src/secret/secret_config.c                    | 179 +++++++++++++++++
>  src/secret/secret_config.h                    |  40 ++++
>  src/secret/secret_driver.c                    |  34 +++-
>  src/secret/test_libvirt_secrets.aug.in        |   6 +
>  .../virt-secret-init-encryption.service.in    |   8 +
>  src/secret/virtsecretd.service.extra.in       |   8 +
>  src/util/vircrypto.c                          | 126 +++++++++++-
>  src/util/vircrypto.h                          |   8 +
>  src/util/virerror.c                           |   3 +
>  tests/vircryptotest.c                         |  65 +++++++

Aside from the code changes, I think we probably ought to have a
page added to the docs/ to explain that:

 * Out of the box, secrets are sealed using systemd credentials
 * This ties the encrypted secret files to the specific host
 * How to disable use of systemd creds entirely if desired
 * How to configure encryption key on non-systemd host if desired
 * How to create /var/lib/libvirt/secrets/secrets-encryption-key
   manually using systemd-creds, in case you want to pass extra
   args to 'systemd-creds encrypt', e.g. to customize whether to
   use the TPM, and/or which PCRs

>  21 files changed, 728 insertions(+), 50 deletions(-)
>  create mode 100644 src/secret/libvirt_secrets.aug
>  create mode 100644 src/secret/secret.conf.in
>  create mode 100644 src/secret/secret_config.c
>  create mode 100644 src/secret/secret_config.h
>  create mode 100644 src/secret/test_libvirt_secrets.aug.in
>  create mode 100644 src/secret/virt-secret-init-encryption.service.in
> 
> -- 
> 2.51.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
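The last item in the list above, creating the key file by hand so that extra `systemd-creds encrypt` options (TPM binding, PCR selection) can be chosen, as an added shell example; it is not part of Daniel's mail nor of the libvirt series being reviewed. The path `/var/lib/libvirt/secrets/secrets-encryption-key` comes from the mail. Everything else is an assumption: the credential name given to `--name=` (`libvirt-secrets-encryption-key`) is a placeholder and has to match the name the virtsecretd unit loads via `LoadCredentialEncrypted=`, and the key material format (32 random bytes) is a guess at what the series' init service produces. `--with-key=` and `--tpm2-pcrs=` are real `systemd-creds` options.

```shell
#!/bin/sh
# Added example, not code from the libvirt series or from the mail above.
# Creates the secrets encryption key by hand so the sealing policy can be
# chosen explicitly instead of relying on systemd-creds defaults.
set -eu

# Path from the mail; credential name is an ASSUMED placeholder that must
# match the name the virtsecretd unit uses in LoadCredentialEncrypted=.
KEY_FILE=/var/lib/libvirt/secrets/secrets-encryption-key
CRED_NAME="${CRED_NAME:-libvirt-secrets-encryption-key}"

# Validate a PCR list in systemd-creds syntax ("7" or "7+11"); TPM2 PCR
# indices are 0..23, and an empty element or trailing '+' is rejected.
valid_pcrs() {
  rest=$1
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    case $rest in
      *+*) pcr=${rest%%+*}; rest=${rest#*+}; [ -n "$rest" ] || return 1 ;;
      *)   pcr=$rest; rest= ;;
    esac
    case $pcr in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pcr" -le 23 ] || return 1
  done
  return 0
}

# Build the systemd-creds encrypt arguments for a sealing policy:
#   host       key sealed only with the host's credential key (no TPM)
#   tpm2       key sealed only to the TPM, bound to the listed PCRs
#   host+tpm2  both are required to unseal (the strictest binding)
build_encrypt_args() {
  mode=$1 pcrs=${2:-}
  case $mode in
    host)           printf '%s' "--name=$CRED_NAME --with-key=host" ;;
    tpm2|host+tpm2) valid_pcrs "$pcrs" || return 1
                    printf '%s' "--name=$CRED_NAME --with-key=$mode --tpm2-pcrs=$pcrs" ;;
    *)              return 1 ;;
  esac
}

# Generate key material (32 random bytes; format is an ASSUMPTION), seal it
# with the chosen policy, then prove it unseals on this host before handing
# it to virtsecretd. PCR 7 (Secure Boot state) is the default binding here.
create_key() {
  args=$(build_encrypt_args "$1" "${2:-7}") || { echo "bad sealing policy" >&2; return 1; }
  command -v systemd-creds >/dev/null || { echo "systemd-creds not found" >&2; return 1; }
  umask 077
  # shellcheck disable=SC2086  # word splitting of $args is intended
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | systemd-creds encrypt $args - "$KEY_FILE"
  systemd-creds decrypt --name="$CRED_NAME" "$KEY_FILE" - >/dev/null
  echo "sealed key written to $KEY_FILE ($args)"
}

# Usage: sh make-secrets-key.sh host+tpm2 7+11   (functions only when no args)
if [ "$#" -gt 0 ]; then
  create_key "$@"
fi
```

Binding to PCRs means a firmware, bootloader or Secure Boot change on the host makes the key file undecryptable until it is re-created, at which point every secret encrypted under it is lost unless it was backed up, so pick the PCR set with that recovery path in mind; the `systemd-creds decrypt` round trip at the end catches a wrong `--name=` or a policy the current TPM state does not satisfy before virtsecretd ever starts with the file.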
