Secret values are stored effectively in plaintext on a disk and we rely
on file perms to secure them. But with systemd-cred we can use system's
TPM chip and encrypt them.
Such secrets won't be transferable to another system by simply copying
files stored on disk, but: a) that's not recommended way anyway, b)
one can argue secrets shouldn't be migrated anyway.
Future work consists of encrypting secret values even when stored in
memory, as it's now possible to obtain secrets by dumping memory of
virsecretd. Though, to dump a memory admin rights are required at which
point users can just read values stored on disk (which is not true for
ephemeral secrets).
Michal Prívozník (4):
virsecret: Introduce APIs to talk to systemd-cred
conf: Introduce @tpm attribute to <secret/>
virsecretobj: Encrypt/decrypt secrets using TPM
NEWS: Document new virSecret TPM feature
NEWS.rst | 6 +
docs/formatsecret.rst | 8 +-
src/conf/schemas/secret.rng | 5 +
src/conf/secret_conf.c | 17 +++
src/conf/secret_conf.h | 2 +
src/conf/virsecretobj.c | 32 ++++-
src/libvirt_private.syms | 3 +
src/secret/secret_driver.c | 7 +
src/util/virsecret.c | 170 +++++++++++++++++++++++
src/util/virsecret.h | 10 ++
tests/secretxml2xmlin/usage-tpm-vtpm.xml | 7 +
tests/secretxml2xmltest.c | 1 +
12 files changed, 263 insertions(+), 5 deletions(-)
create mode 100644 tests/secretxml2xmlin/usage-tpm-vtpm.xml
--
2.43.0