On Fri, Jan 09, 2026 at 23:39:32 +0530, Arun Menon via Devel wrote:
> This commit sets the foundation for encrypting the libvirt secrets by
> providing a
> secure way to pass a secret encryption key to the virtsecretd service.
>
> A random secret key is generated using the new virt-secret-init-encryption
> service. This key can be consumed by the virtsecretd service.
>
> By using the "Before=" directive in the new virt-secret-init-encryption
> service and using the "Requires=" directive in the virtsecretd service,
> we make sure that the daemon is run only after we have an encrypted
> secret key file generated and placed in /var/lib/libvirt/secrets.
> The virtsecretd service can then read the key from CREDENTIALS_DIRECTORY. [1]
>
> This setup therefore provides a default key out-of-the-box for initial use.
> A subsequent commit will introduce the logic for virtsecretd
> to access and use this key via the $CREDENTIALS_DIRECTORY environment
> variable. [2]
>
> [1] https://www.freedesktop.org/software/systemd/man/latest/systemd-creds.html
> [2] https://systemd.io/CREDENTIALS/
>
> Signed-off-by: Arun Menon <[email protected]>
> ---
> libvirt.spec.in | 5 +++++
> src/meson.build | 1 +
> src/remote/libvirtd.service.in | 4 ++++
> src/secret/meson.build | 13 +++++++++++++
> src/secret/virt-secret-init-encryption.service.in | 8 ++++++++
> src/secret/virtsecretd.service.extra.in | 8 ++++++++
> 6 files changed, 39 insertions(+)
> create mode 100644 src/secret/virt-secret-init-encryption.service.in
[...] > diff --git a/src/secret/virt-secret-init-encryption.service.in > b/src/secret/virt-secret-init-encryption.service.in > new file mode 100644 > index 0000000000..44940bd72b > --- /dev/null > +++ b/src/secret/virt-secret-init-encryption.service.in > @@ -0,0 +1,8 @@ > +[Unit] > +Before=virtsecretd.service > +Before=libvirtd.service > +ConditionPathExists=!@localstatedir@/lib/libvirt/secrets/secrets-encryption-key > + > +[Service] > +Type=oneshot > +ExecStart=/usr/bin/sh -c 'umask 0066 && (dd if=/dev/urandom status=none > bs=32 count=1 | systemd-creds encrypt --name=secrets-encryption-key - > @localstatedir@/lib/libvirt/secrets/secrets-encryption-key)' While dealing with the fix in a379327d8abcde8ac8d3e16fe5e4ba6f790d767a I've discovered that 0077 is the more common setting in such case. Not that it'd really change anything here. (If it turns out there'll be only minor changes needed I'll do this change before pushing. This applies to any other comment I'll have). Reviewed-by: Peter Krempa <[email protected]>
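Review bot: the `sh -c` pipeline in ExecStart only reports the exit status of `systemd-creds encrypt`, so a failing or short `dd` read is masked: the oneshot unit is marked successful, a key file encrypted from empty or truncated input lands at the target path, and the `ConditionPathExists=!` guard then prevents it from ever being regenerated. Consider writing the random bytes to an intermediate file and chaining with `&&` (e.g. `dd if=/dev/urandom bs=32 count=1 of="$tmp" && systemd-creds encrypt --name=secrets-encryption-key "$tmp" @localstatedir@/lib/libvirt/secrets/secrets-encryption-key`, optionally checking that the file is 32 bytes first), or at least `set -o pipefail` where the shell supports it. Two smaller points: the `[Unit]` section has no `Description=`, which makes `systemctl status` and journal output less readable, and because `systemd-creds encrypt` binds the blob to this host's credential secret (and TPM2 where available), the commit message should state that the generated key file is not portable between hosts and that losing the host key makes the encrypted secrets unrecoverable.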
