Libvirt secrets are stored unencrypted on the disk. With this series we want to start encrypting the secrets.

1. Introduce the GnuTLS decryption wrapper functions that work as the exact opposite of the encryption wrappers. The new test added works fine because during test execution we use the mock implementation of virRandomBytes while generating the IV and the key.

2. Add a new service called virt-secrets-init-encryption, that is linked to the virtsecretd service. The virtsecretd service only starts after the new service generates a random encryption key.

3. Add a new secret.conf configuration file that helps the user to set
   a. secrets_encryption_key - allows the user to specify the encryption key file path, in case the default key is not to be used.
   b. encrypt_data - set to 0 or 1. If set to 1, then newly added secrets will be encrypted.

4. Add an encryption scheme or cipher attribute that will allow us to choose the last used cipher. New modes can be added to the enum.

5. Once we have the encryption key, and a reliable way to tell the daemon what encryption scheme the secret object must use, we can encrypt the secrets on disk and store them in <uuid>.<encryption_scheme> format.

It is important to note that if the encryption key is changed between restarts, then the respective secret will not be loaded by the driver.

This is a sincere attempt to improve upon the already submitted patch https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GV...

Resolves: https://issues.redhat.com/browse/RHEL-7125
RFC: https://patchew.org/Libvirt/20251127072232.38426-1-armenon@redhat.com/

---
Changes in v1:
- Previously, encrypt_data was set to 1 regardless of what is present in the secrets config file. This is now changed. encrypt_data is first read from the config file, and it is set to 1 only if secrets_encryption_key is not NULL or if a systemd credential named "secrets-encryption-key" exists.
- Rename from secrets.conf to secret.conf. Move secrets_config.c from src/conf to src/secret/
- Add a special error code 'VIR_ERR_INVALID_ENCR_KEY_SECRET' for when the secret key length is invalid.
- Add the 2 directives to load the credential into the libvirtd service as well. Rename the unit file from secret-init-encryption.in to virt-secret-init-encryption.service.in.
- Remove unnecessary configuration settings and make it inline.

Arun Menon (5):
  util: Add support for GnuTLS decryption
  secret: Set up default encryption secret key for the virtsecretd service
  secret: Add secret.conf configuration file and parse it
  secret: Add encryptionSchemeType attribute to store ciphers
  secret: Add functionality to load and save secrets in encrypted format

 include/libvirt/virterror.h                      |   1 +
 libvirt.spec.in                                  |   7 +
 po/POTFILES                                      |   1 +
 src/conf/secret_conf.c                           |   6 +
 src/conf/secret_conf.h                           |   9 +
 src/conf/virsecretobj.c                          | 184 ++++++++++++++----
 src/conf/virsecretobj.h                          |  18 +-
 src/libvirt_private.syms                         |   1 +
 src/meson.build                                  |   1 +
 src/remote/libvirtd.service.in                   |   2 +
 src/secret/libvirt_secrets.aug                   |  40 ++++
 src/secret/meson.build                           |  34 ++++
 src/secret/secret.conf.in                        |  14 ++
 src/secret/secret_config.c                       | 171 ++++++++++++++++
 src/secret/secret_config.h                       |  40 ++++
 src/secret/secret_driver.c                       |  34 +++-
 src/secret/test_libvirt_secrets.aug.in           |   6 +
 .../virt-secret-init-encryption.service.in       |   7 +
 src/secret/virtsecretd.service.extra.in          |   8 +
 src/util/vircrypto.c                             | 126 +++++++++++-
 src/util/vircrypto.h                             |   8 +
 src/util/virerror.c                              |   3 +
 tests/vircryptotest.c                            |  65 +++++++
 23 files changed, 736 insertions(+), 50 deletions(-)
 create mode 100644 src/secret/libvirt_secrets.aug
 create mode 100644 src/secret/secret.conf.in
 create mode 100644 src/secret/secret_config.c
 create mode 100644 src/secret/secret_config.h
 create mode 100644 src/secret/test_libvirt_secrets.aug.in
 create mode 100644 src/secret/virt-secret-init-encryption.service.in

-- 
2.51.1