On Fri, Jan 09, 2026 at 11:39:30PM +0530, Arun Menon wrote:
> Libvirt secrets are stored unencrypted on the disk.
> With this series we want to start encrypting the secrets.
>
> 1. Introduce the GnuTLS decryption wrapper functions that
>    work as the exact opposite of the encryption wrappers.
>
> 2. Add a new service called virt-secrets-init-encryption, that is
>    linked to the virtsecretd service. The virtsecretd service only starts
>    after the new service generates a random encryption key.
>
> 3. Add a new secrets.conf configuration file that helps the user to set
>    a. secrets_encryption_key - allows the user to specify the encryption
>       key file path, in case the default key is not to be used.
>    b. encrypt_data - set to 0 or 1. If set to 1, then the newly
>       added secrets will be encrypted.
>
> 4. Add an encryption scheme or cipher attribute that will allow us to
>    choose the last used cipher.
>
> 5. Once we have the encryption key, and a reliable way to tell the daemon
>    what encryption scheme the secret object is using, we can encrypt the
>    secrets on disk and store them in <uuid>.<encryption_scheme> format.
>    It is important to note that if the encryption key is changed between
>    restarts, then the respective secret will not be loaded by the driver.
>
> 6. Add documentation.
>
> This is a sincere attempt to improve upon the already submitted patch
> https://lists.libvirt.org/archives/list/[email protected]/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/
>
> Resolves: https://issues.redhat.com/browse/RHEL-7125
>
> ---
>
> Changes in v4:
> - Fix the regression of loading unencrypted secrets after an upgrade.
>   Previously the .base64 unencrypted secrets were not being loaded.
> - Add documentation on encrypted secrets.
>
> Changes in v3:
> - Secrets xml configuration no longer stores the encryption scheme, therefore
>   not allowing the user to toggle between ciphers.
> - Removed unnecessary socket files of the new service. It now has a general
>   configuration with which it starts.
> - Addressed review comments from Peter on coding style and design.
> - Loading of secrets is dependent on the file extension. The most recent cipher
>   is used while saving the secrets.
>
> Changes in v2:
> - Corrected the encryption key length check. It should be 32.
> - Added a new patch that introduces the encryption scheme attribute.
>   This will help us identify which secrets are encrypted.
> - A new systemd unit service file was added that starts before virtsecretd,
>   helping us to construct a random encryption key and pass it to the
>   virtsecretd service.
> - Parsing logic of secrets.conf moved to a separate file.
> - Spec file changes, augeas.
>
> Arun Menon (6):
>   util: Add support for GnuTLS decryption
>   secret: Set up default encryption secret key for the virtsecretd
>     service
>   secret: Add secret.conf configuration file and parse it
>   secret: Rename virSecretObj structure attribute from base64File to
>     secretValueFile
>   secret: Add functionality to load and save secrets in encrypted format
>   docs: secret: Add documentation of secret encryption feature
>
>  docs/drvsecret.rst                         |   4 +
>  docs/meson.build                           |   1 +
>  docs/secretencryption.rst                  |  86 ++++++++
>  include/libvirt/virterror.h                |   1 +
>  libvirt.spec.in                            |   8 +
>  po/POTFILES                                |   1 +
>  src/conf/virsecretobj.c                    | 193 ++++++++++++++----
>  src/conf/virsecretobj.h                    |  18 +-
>  src/libvirt_private.syms                   |   1 +
>  src/meson.build                            |   1 +
>  src/remote/libvirtd.service.in             |   4 +
>  src/secret/libvirt_secrets.aug             |  40 ++++
>  src/secret/meson.build                     |  32 +++
>  src/secret/secret.conf.in                  |  14 ++
>  src/secret/secret_config.c                 | 179 ++++++++++++++++
>  src/secret/secret_config.h                 |  40 ++++
>  src/secret/secret_driver.c                 |  34 ++-
>  src/secret/test_libvirt_secrets.aug.in     |   6 +
>  .../virt-secret-init-encryption.service.in |   8 +
>  src/secret/virtsecretd.service.extra.in    |   8 +
>  src/util/vircrypto.c                       | 126 +++++++++++-
>  src/util/vircrypto.h                       |   8 +
>  src/util/virerror.c                        |   3 +
>  tests/vircryptotest.c                      |  65 ++++++
>  24 files changed, 831 insertions(+), 50 deletions(-)
>  create mode 100644 docs/secretencryption.rst
>  create mode 100644 src/secret/libvirt_secrets.aug
>  create mode 100644 src/secret/secret.conf.in
>  create mode 100644 src/secret/secret_config.c
>  create mode 100644 src/secret/secret_config.h
>  create mode 100644 src/secret/test_libvirt_secrets.aug.in
>  create mode 100644 src/secret/virt-secret-init-encryption.service.in
>
> --
> 2.51.1
>
Hello,

A gentle ping on this series. Any further suggestion is appreciated.

Regards,
Arun Menon
