Libvirt secrets are stored unencrypted on the disk. With this series we want
to start encrypting the secrets.

1. Introduce the GnuTLS decryption wrapper functions that work exactly
   opposite to the encryption wrappers.

2. Add a new service called virt-secrets-init-encryption, that is linked to
   the virtsecretd service. The virtsecretd service only starts after the new
   service generates a random encryption key.

3. Add a new secrets.conf configuration file that helps the user set

   a. secrets_encryption_key - allows the user to specify the encryption key
      file path, in case the default key is not to be used.

   b. encrypt_data - set to 0 or 1. If set to 1, then the newly added secrets
      will be encrypted.

4. Add functionality to store the encryption scheme (none, aes256cbc, etc.) to
   the disk. This will be helpful during service restarts or migrating from an
   older version. Depending on the scheme, the secrets will be reloaded to the
   daemon. If no scheme is present in the xml configuration, then the secrets
   will be stored/loaded in the default base64 encoded format.

5. Once we have the encryption key, and a reliable way to tell the daemon what
   encryption scheme the secret object is using, we can encrypt the secrets on
   disk and store them in <uuid>.<encryption_scheme> format.

It is important to note that if the encryption key is changed between
restarts, then the respective secret will not be loaded by the driver.

This is a sincere attempt to improve upon the already submitted patch
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GV...

Resolves: https://issues.redhat.com/browse/RHEL-7125

---
Changes in v2:
- Corrected the encryption key length check. It should be 32.
- Added a new patch that introduces the encryption scheme attribute. This
  will help us identify which secrets are encrypted.
- A new systemd unit service file added that starts before virtsecretd,
  helping us to construct a random encryption key and pass it to the
  virtsecretd service.
- Parsing logic of secrets.conf moved to a separate file.
- Spec file changes, augeas.

Arun Menon (5):
  util: Add support for GnuTLS decryption
  secret: Set up default encrypted secret key for the virtsecretd service
  secret: Add secrets.conf configuration file and parse it
  secret: Add encryptionScheme attribute to the secrets xml configuration
  secret: Add functionality to load and save secrets in encrypted format

 include/libvirt/libvirt-secret.h           |  20 ++
 libvirt.spec.in                            |  10 +
 po/POTFILES                                |   1 +
 src/conf/meson.build                       |   1 +
 src/conf/schemas/secret.rng                |   5 +
 src/conf/secret_conf.c                     |  21 +++
 src/conf/secret_conf.h                     |   1 +
 src/conf/secret_config.c                   | 207 +++++++++++++++++++++
 src/conf/secret_config.h                   |  48 +++++
 src/conf/virsecretobj.c                    | 165 ++++++++++++----
 src/conf/virsecretobj.h                    |  10 +-
 src/libvirt_private.syms                   |   3 +
 src/secret/libvirt_secrets.aug             |  40 ++++
 src/secret/meson.build                     |  26 +++
 src/secret/secret-init-encryption.in       |  11 ++
 src/secret/secret_driver.c                 |  23 ++-
 src/secret/secrets.conf.in                 |  12 ++
 src/secret/test_libvirt_secrets.aug.in     |   6 +
 src/secret/virtsecretd.service.extra.in    |   8 +
 src/util/vircrypto.c                       | 128 ++++++++++++-
 src/util/vircrypto.h                       |   8 +
 src/util/virsecret.c                       |   4 +
 src/util/virsecret.h                       |   1 +
 tests/secretxml2xmlin/usage-ceph-space.xml |   1 +
 tests/secretxml2xmlin/usage-ceph.xml       |   1 +
 tests/secretxml2xmlin/usage-iscsi.xml      |   1 +
 tests/secretxml2xmlin/usage-tls.xml        |   1 +
 tests/secretxml2xmlin/usage-volume.xml     |   1 +
 tests/secretxml2xmlin/usage-vtpm.xml       |   1 +
 tests/vircryptotest.c                      |  65 +++++++
 30 files changed, 788 insertions(+), 42 deletions(-)
 create mode 100644 src/conf/secret_config.c
 create mode 100644 src/conf/secret_config.h
 create mode 100644 src/secret/libvirt_secrets.aug
 create mode 100644 src/secret/secret-init-encryption.in
 create mode 100644 src/secret/secrets.conf.in
 create mode 100644 src/secret/test_libvirt_secrets.aug.in

-- 
2.51.1
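The key bootstrap and the <uuid>.<encryption_scheme> on-disk layout described in the cover letter, modelled as an added shell example (not the series' own secret-init-encryption script): the key file path, the ".base64" suffix for unencrypted values and the scheme names are assumptions.

```sh
#!/bin/sh
# Added example, not libvirt's own code. Models how a pre-start unit could
# create the 32-byte key, and how a loader could pick the scheme from the
# secret file name. Key path, ".base64" suffix and scheme names are assumed.

KEY_LEN=32   # v2 of the series checks for a 32-byte (AES-256) key

# Create the key once, readable only by the owner. Never overwrite an
# existing key: a key changed between restarts means the encrypted secrets
# can no longer be loaded.
init_secret_key() {
    key=$1
    if [ ! -s "$key" ]; then
        (umask 077 && head -c "$KEY_LEN" /dev/urandom > "$key")
    fi
}

# Succeed only if the key file exists and is exactly KEY_LEN bytes long.
check_secret_key() {
    key=$1
    [ -f "$key" ] || return 1
    len=$(wc -c < "$key" | tr -d ' ')
    [ "$len" -eq "$KEY_LEN" ]
}

# Map a stored secret's file name "<uuid>.<scheme>" to its encryption scheme.
# A ".base64" file is the plain (base64-encoded) value, i.e. scheme "none".
secret_scheme() {
    name=$(basename "$1")
    case $name in
        *.base64) echo none ;;
        *.*)      echo "${name##*.}" ;;
        *)        return 1 ;;
    esac
}

# Decide whether the daemon could load this secret with the given key file:
# plain secrets always load, encrypted ones need a valid key, and an unknown
# scheme is refused rather than guessed at.
can_load_secret() {
    scheme=$(secret_scheme "$1") || return 1
    case $scheme in
        none)      return 0 ;;
        aes256cbc) check_secret_key "$2" ;;
        *)         return 1 ;;
    esac
}
```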