Hi Daniel,

On Mon, Jan 05, 2026 at 05:44:24PM +0000, Daniel P. Berrangé wrote:
> On Tue, Dec 16, 2025 at 12:22:05PM +0530, Arun Menon via Devel wrote:
> > Libvirt secrets are stored unencrypted on the disk.
> > With this series we want to start encrypting the secrets.
> >
> > 1. Introduce the GnuTLS decryption wrapper functions that
> >    work as the exact opposite of the encryption wrappers.
> >
> > 2. Add a new service called virt-secrets-init-encryption, that is
> >    linked to the virtsecretd and libvirtd services.
> >    The virtsecretd and libvirtd services only start
> >    after the new service generates a random encryption key.
> >
> > 3. Add a new secret.conf configuration file that lets the user set
> >    a. secrets_encryption_key - allows the user to specify the encryption
> >       key file path, in case the default key is not to be used.
> >    b. encrypt_data - set to 0 or 1. If set to 1, then the newly
> >       added secrets will be encrypted.
> >
> > 4. Rename the file name attribute in the virSecretObj structure to
> >    secretValueFile.
> >
> > 5. Once we have the encryption key, and a reliable way to tell the daemon
> >    what encryption scheme the secret object is using, we can encrypt the
> >    secrets on disk and store them in <uuid>.<encryption_scheme> format.
> >    It is important to note that if the encryption key is changed between
> >    restarts, then the respective secret will not be loaded by the driver.
> >
> > This is a sincere attempt to improve upon the already submitted patch
> > https://lists.libvirt.org/archives/list/[email protected]/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/
> >
> > Resolves: https://issues.redhat.com/browse/RHEL-7125
>
> After building this series, I attempted 'systemctl start virtsecret',
> which failed because /var/lib/libvirt/secrets/ did not exist.
>
> We need a suitable meson rule to create that directory, and it must
> also be added to the RPM spec.
>
> With that fixed locally, I can see that it correctly auto-creates the
> systemd credential and encrypts new secrets.

Thank you. I might have created that directory manually and forgotten to
delete it before testing. I shall amend.

> With regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Regards,
Arun
