On Tue, Feb 10, 2026 at 13:30:12 +0530, Arun Menon via Devel wrote:
Document the new encryption of secrets feature in secretencryption.rst.
Signed-off-by: Arun Menon <armenon@redhat.com> --- docs/drvsecret.rst | 4 ++ docs/meson.build | 1 + docs/secretencryption.rst | 105 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 docs/secretencryption.rst
[...]
+ +Upgrading Libvirt for secret encryption +--------------------------------------- +Starting 12.1.0, secrets can be stored on the disk in an encrypted format, rather than
This could also use the 'since' role.
+the default base64 encoding. + +Any secret created before upgrading libvirt, remain stored in their original base64 +format on the disk. +A pre-existing secret will only be encrypted if you explicitly update its value using +**virsh secret-set-value** after the upgrade, provided that encryption is enabled in +secret.conf configuration file. + +It is important to note that encrypted secrets are not backwards compatible. In case of +a downgrade to an older version of libvirt, the encrypted secrets will not be loaded from +the disk. Therefore, before reverting to an older version libvirt, make sure that all the +secrets have been reverted to the standard base64 format, to avoid service disruptions.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>