Libvirt secrets are stored unencrypted on the disk. With this series we want to start encrypting the secrets.
First we introduce a secrets.conf file that has 2 configuration settings:

1. encrypt_data - This can be set to 0 or 1. If it is set to 1 then we
   encrypt the secrets. We recommend keeping this as the default setting.
2. master_encryption_key - This allows the user to set the path of the
   encryption file.

The secrets.conf file is parsed during secrets driver initialization and
accordingly the secrets are stored on the disk.

By default the secrets driver will look into the CREDENTIALS_DIRECTORY
environment variable in systemd. The systemd unit file is configured with a
preconfigured key using the SetCredentialEncrypted directive. This encrypted
secret key is provided to virtsecretd on service activation. If this file is
not available, then the virtsecretd driver will check the
master_encryption_key configuration in the secrets.conf file, provided it is
made available by the user.

A boolean flag called value_encrypted is added to the secrets object, to
indicate whether it is encrypted or not. This is not stored on the disk yet.
It is important to add this functionality so that the secrets service behaves
properly across restarts.
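The lookup order described above (systemd credential first, then master_encryption_key from secrets.conf, gated by encrypt_data) as an added Python model. This is example code written for this page, not code from the libvirt series: the libvirt-style "key = value" syntax of secrets.conf, the credential file name under CREDENTIALS_DIRECTORY, the default of encrypt_data=1 and the error raised when encryption is requested but no key is found are all assumptions, and the sample configuration is constructed.

```python
# Added example modelling the master-key lookup from the cover letter.
# Not libvirt code; conf syntax, credential name and defaults are assumed.
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional

# File name systemd is assumed to place under $CREDENTIALS_DIRECTORY for the
# SetCredentialEncrypted credential. Placeholder: the series does not name it.
CREDENTIAL_NAME = "virtsecretd-master-key"

_ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$")


def parse_secrets_conf(text: str) -> Dict[str, str]:
    """Parse a libvirt-style config: 'key = value', '#' comments, optional quotes."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"secrets.conf line {lineno}: cannot parse {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value[0] in "\"'":
            # Quoted string: take everything up to the matching quote.
            end = value.find(value[0], 1)
            if end < 0:
                raise ValueError(f"secrets.conf line {lineno}: unterminated quote")
            value = value[1:end]
        else:
            # Unquoted value: a trailing '#' starts a comment.
            value = value.split("#", 1)[0].strip()
        conf[key] = value
    return conf


def encrypt_data_enabled(conf: Mapping[str, str]) -> bool:
    """encrypt_data is 0 or 1; 1 is assumed to be the default, as the letter recommends."""
    value = conf.get("encrypt_data", "1")
    if value not in ("0", "1"):
        raise ValueError(f"encrypt_data must be 0 or 1, got {value!r}")
    return value == "1"


@dataclass(frozen=True)
class MasterKey:
    path: str
    origin: str  # "systemd-credential" or "secrets.conf"


def resolve_master_key(conf: Mapping[str, str], env: Mapping[str, str],
                       exists: Callable[[str], bool] = os.path.exists) -> Optional[MasterKey]:
    """Lookup order: CREDENTIALS_DIRECTORY first, then master_encryption_key."""
    cred_dir = env.get("CREDENTIALS_DIRECTORY")
    if cred_dir:
        candidate = os.path.join(cred_dir, CREDENTIAL_NAME)
        if exists(candidate):
            return MasterKey(candidate, "systemd-credential")
    path = conf.get("master_encryption_key")
    if path:
        return MasterKey(path, "secrets.conf")
    return None


def key_file_mode_ok(st_mode: int) -> bool:
    """A master key file readable by group/other undoes the point of encrypting at rest."""
    return stat.S_ISREG(st_mode) and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def plan_storage(conf: Mapping[str, str], env: Mapping[str, str],
                 exists: Callable[[str], bool] = os.path.exists) -> str:
    """Return 'encrypted' or 'plaintext'; refusing to run without a key is an assumed policy."""
    if not encrypt_data_enabled(conf):
        return "plaintext"
    if resolve_master_key(conf, env, exists) is None:
        raise RuntimeError("encrypt_data=1 but neither a systemd credential "
                           "nor master_encryption_key is available")
    return "encrypted"


if __name__ == "__main__":
    # Constructed sample secrets.conf, not the one shipped by the series.
    sample_conf = (
        "# virtsecretd secrets.conf\n"
        "encrypt_data = 1\n"
        'master_encryption_key = "/etc/libvirt/secrets.key"  # fallback key\n'
    )
    conf = parse_secrets_conf(sample_conf)
    key = resolve_master_key(conf, os.environ)
    print(conf, key, plan_storage(conf, os.environ))
```

When run outside systemd (no CREDENTIALS_DIRECTORY) the fallback path from secrets.conf is chosen; under the unit with SetCredentialEncrypted the credential directory wins. The `exists` parameter lets the lookup be exercised without touching the filesystem.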
This is a sincere attempt to improve upon the already submitted patch:
https://lists.libvirt.org/archives/list/[email protected]/thread/KE6GVZQ45JTYFTE54CT7DMONSO2W3ZPV/

Resolves: https://issues.redhat.com/browse/RHEL-7125

Arun Menon (4):
  util: Add support for GnuTLS decryption
  secret: Set up default encrypted master key for the virtsecretd service
  secret: Add secrets.conf configuration file and parse it
  secret: Add functionality to load and save secrets in encrypted format

 libvirt.spec.in                         |   1 +
 src/conf/virsecretobj.c                 |  13 ++
 src/conf/virsecretobj.h                 |   7 +
 src/libvirt_private.syms                |   3 +
 src/secret/meson.build                  |   7 +
 src/secret/secret_driver.c              | 168 +++++++++++++++++++++++-
 src/secret/secrets.conf.in              |  14 ++
 src/secret/virtsecretd.service.extra.in |   8 ++
 src/util/vircrypto.c                    | 130 +++++++++++++++++-
 src/util/vircrypto.h                    |   8 ++
 tests/vircryptotest.c                   |  65 +++++++++
 11 files changed, 420 insertions(+), 4 deletions(-)
 create mode 100644 src/secret/secrets.conf.in

-- 
2.51.1
