On Thu, Nov 13, 2025 at 19:02:22 +0530, Arun Menon via Devel wrote:
A new configuration file called secrets.conf is introduced to let the user configure the path to the master encryption key. This key will be used to encrypt/decrypt the secrets in libvirt.
By default the path is set to the runtime directory /run/libvirt/secrets, and it is commented out in the config file. The virtsecretd driver checks if the credentials are available in the CREDENTIALS_DIRECTORY. If it is not present, the user is expected to provide the encryption key path in secrets.conf.
Is there any plan to be able to pass the secret to the secrets driver/daemon in an ephemeral way? Because both the systemd secrets and the config file seem to just store it on the same host. Thus for root-owned files it's just a slightly bigger hurdle rather than any real security.
When systemd starts the secrets driver, it will read the secrets.conf file and check if the encrypt_data flag is set to 1. In that case, the secrets will be stored in encrypted format on the disk. The encryption and decryption logic will be added in the subsequent patches.
Signed-off-by: Arun Menon <armenon@redhat.com>
---
 libvirt.spec.in            |  1 +
 src/secret/meson.build     |  7 +++
 src/secret/secret_driver.c | 96 ++++++++++++++++++++++++++++++++++++++
 src/secret/secrets.conf.in | 14 ++++++
 4 files changed, 118 insertions(+)
 create mode 100644 src/secret/secrets.conf.in
[...]
diff --git a/src/secret/secrets.conf.in b/src/secret/secrets.conf.in new file mode 100644 index 0000000000..80bb9654ce --- /dev/null +++ b/src/secret/secrets.conf.in @@ -0,0 +1,14 @@ +# +# Master configuration file for the secrets driver. +# + +# The master encryption key is used to override default master encryption +# key path. The user can create an encryption key and set the master_encryption_key +# to the path on which it resides. +# The key must be atleast 32-bytes long. +# +# master_encryption_key = "/run/libvirt/secrets/master.key" +# +# The encrypt_data setting is used to indicate if the encryption is on or off. +# 0 indicates off and 1 indicates on. By default it is set to on. +encrypt_data = 1
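Review bot: `encrypt_data = 1` is the only uncommented setting in the new secrets.conf.in, so every installation that picks up this file gets encryption switched on by default while `master_encryption_key` stays commented out; consider shipping `encrypt_data` commented out as well (matching the `master_encryption_key` line) and documenting in the comment block what the driver does when the key file at the default path is absent, since the comment only says the key "must be atleast 32-bytes long". Minor wording in the same comment block: "atleast 32-bytes long" should read "at least 32 bytes long", and "is used to override default master encryption key path" should name the default path it overrides, which is currently only visible in the commented example line.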
As the default secret seems to be handed in via systemd, which will make it available to any upgraded installation, I don't think you can unconditionally enable this option as it would break existing un-encrypted secrets.