On Thu, Nov 13, 2025 at 07:02:21PM +0530, Arun Menon wrote:
This commit sets the foundation for encrypting the libvirt secrets by providing a secure way to pass a master encryption key to the virtsecretd service.
Add a default, pre-generated, master encryption key to the credentials, that can be consumed by the virtsecretd service. By using the "SetCredentialEncrypted=" directive, we make sure that passing data to the service is secure. The virtsecretd service can then read the key from CREDENTIALS_DIRECTORY. [1]
This setup therefore provides a default key out-of-the-box for initial use. Users can customize this setting, by replacing the default encrypted string with their own. A subsequent commit will introduce the logic for virtsecretd to access and use this key via the $CREDENTIALS_DIRECTORY environment variable. [2]
In order to add the default encryption key, a random 32 byte key was generated and encrypted: dd if=/dev/urandom of=/tmp/master.key bs=1 count=32 systemd-creds encrypt --name=master-encryption-key -p /tmp/master.key -
This generates a SetCredentialEncrypted= line suitable for inclusion in the unit file.
[1] https://www.freedesktop.org/software/systemd/man/latest/systemd-creds.html [2] https://systemd.io/CREDENTIALS/
Signed-off-by: Arun Menon <armenon@redhat.com> --- src/secret/virtsecretd.service.extra.in | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/src/secret/virtsecretd.service.extra.in b/src/secret/virtsecretd.service.extra.in index 1fc8c672f7..0f65bc3bb1 100644 --- a/src/secret/virtsecretd.service.extra.in +++ b/src/secret/virtsecretd.service.extra.in @@ -1,2 +1,10 @@ # The contents of this unit will be merged into a base template. # Additional units might be merged as well. See meson.build for details. +# +[Service] +Environment=MASTER_ENCRYPTION_KEY=%d/master-encryption-key +SetCredentialEncrypted=master-encryption-key: \ + Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAD9m5CsEfoZf8Lj/dQAAAAAFSvJ7 \ + eSEmqQthu+A4Eqn4vEKp6jx7ScbcM98bcW5Do0K9V0eTPWD+eNJJrB+xS/MAklo3rkf0S \ + 7n7rXk8SQZ0FQ5Uv8ZoOuidWPHHiLZGS9bxAJwTZvN/VX+pe+biC16 +LoadCredentialEncrypted=master-encryption-key
We cannot ship with a hardcoded default secret - that is an instant CVE. We need to have an 'ExecStartPre=' directive that auto-generates a secret on first use. ExecStartPre=test -f /var/lib/libvirt/secrets/encryption.key || (dd if=/dev/urandom status=none bs=1 count=32 | systemd-creds encrypt --name=master-encryption-key - /var/lib/libvirt/secrets/encryption.key) Also, bs=32 count=1 is preferrable to bs=1 count=32 as we don't want to be doing single byte reads & writes. and then use LoadCredentialEncrypted=master-encryption-key:/var/lib/libvirt/secrets/encryption.key Also, lets call this 'secrets-encryption-key', and likewise SECRETS_ENCRYPTION_KEY as the env variable. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|