On Fri, Jan 09, 2026 at 23:39:33 +0530, Arun Menon via Devel wrote:
> A new configuration file called secret.conf is introduced to
> let the user configure the path to the secrets encryption key.
> This key will be used to encrypt/decrypt the secrets in libvirt.
> 
> By default the path is set to the runtime directory
> /run/libvirt/secrets, and it is commented in the config file.
> After parsing the file, the virtsecretd driver checks if an
> encryption key is present in the path and is valid.
> 
> If no encryption key is present in the path, then
> the service will by default use the encryption key stored in the
> CREDENTIALS_DIRECTORY.
> 
> Add logic to parse the encryption key file and store the key.
> It also checks for the encrypt_data attribute in the config file.
> The encryption and decryption logic will be added in the subsequent patches.
> 
> Signed-off-by: Arun Menon <[email protected]>
> ---
>  include/libvirt/virterror.h            |   1 +
>  libvirt.spec.in                        |   3 +
>  po/POTFILES                            |   1 +
>  src/secret/libvirt_secrets.aug         |  40 ++++++
>  src/secret/meson.build                 |  19 +++
>  src/secret/secret.conf.in              |  14 ++
>  src/secret/secret_config.c             | 179 +++++++++++++++++++++++++
>  src/secret/secret_config.h             |  40 ++++++
>  src/secret/secret_driver.c             |  11 ++
>  src/secret/test_libvirt_secrets.aug.in |   6 +
>  src/util/virerror.c                    |   3 +
>  11 files changed, 317 insertions(+)
>  create mode 100644 src/secret/libvirt_secrets.aug
>  create mode 100644 src/secret/secret.conf.in
>  create mode 100644 src/secret/secret_config.c
>  create mode 100644 src/secret/secret_config.h
>  create mode 100644 src/secret/test_libvirt_secrets.aug.in
> 
> diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h
> index f02da046a3..fa07c36ceb 100644
> --- a/include/libvirt/virterror.h
> +++ b/include/libvirt/virterror.h
> @@ -353,6 +353,7 @@ typedef enum {
>                                             command within timeout (Since: 
> 11.2.0) */
>      VIR_ERR_AGENT_COMMAND_FAILED = 113, /* guest agent responded with failure
>                                             to a command (Since: 11.2.0) */
> +    VIR_ERR_INVALID_ENCR_KEY_SECRET = 114, /* encryption key is invalid 
> (Since: 12.0.0) */
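Review bot: the `(Since: 12.0.0)` annotation on the new `VIR_ERR_INVALID_ENCR_KEY_SECRET = 114` value records the first release that ships the enum constant, so it has to match the release this series actually lands in; please re-check it against the current development version before merging. Also, the hunk ends at the appended value and does not show the tail of the enum, so confirm that the enum's sentinel/last-value marker that follows it (if the enum has one) was bumped in the same change, otherwise the new error number would fall outside the range the library treats as valid.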


This needs to be updated to 12.1.0 now.


Reviewed-by: Peter Krempa <[email protected]>
