Hi Daniel,

On Mon, Jan 05, 2026 at 05:44:24PM +0000, Daniel P. Berrangé wrote:
> On Tue, Dec 16, 2025 at 12:22:05PM +0530, Arun Menon via Devel wrote:
> > Libvirt secrets are stored unencrypted on the disk. With this series we want to start encrypting the secrets.
> >
> > 1. Introduce the GnuTLS decryption wrapper functions, which work as the exact opposite of the encryption wrappers.
> > 2. Add a new service called virt-secrets-init-encryption, which is linked to the virtsecretd and libvirtd services. The virtsecretd and libvirtd services only start after the new service has generated a random encryption key.
> > 3. Add a new secret.conf configuration file that lets the user set:
> >    a. secrets_encryption_key - allows the user to specify the encryption key file path, in case the default key is not to be used.
> >    b. encrypt_data - set to 0 or 1. If set to 1, then newly added secrets will be encrypted.
> > 4. Rename the file name attribute in the virSecretObj structure to secretValueFile.
> > 5. Once we have the encryption key, and a reliable way to tell the daemon what encryption scheme the secret object is using, we can encrypt the secrets on disk and store them in <uuid>.<encryption_scheme> format. It is important to note that if the encryption key is changed between restarts, then the respective secret will not be loaded by the driver.
> >
> > This is a sincere attempt to improve upon the already submitted patch https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/KE6GV...
>
> After building this series, I attempted 'systemctl start virtsecret', which failed because /var/lib/libvirt/secrets/ did not exist.
>
> We need a suitable meson rule to create that directory, and it must also be added to the RPM spec.
>
> With that fixed locally, I can see that it correctly auto-creates the systemd credential and encrypts new secrets.
Thank you. I might have created that directory manually and forgot to delete it before testing. I shall amend.
> With regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Regards,
Arun