On Thu, Nov 13, 2025 at 19:02:22 +0530, Arun Menon via Devel wrote:
> A new configuration file called secrets.conf is introduced to
> let the user configure the path to the master encryption key.
> This key will be used to encrypt/decrypt the secrets in libvirt.
>
> By default the path is set to the runtime directory
> /run/libvirt/secrets, and it is commented in the config file.
> The virtsecretd driver checks if the credentials are available
> in the CREDENTIALS_DIRECTORY. In case it is not present, then the
> user is expected to provide the encryption key path in secrets.conf
Is there any plan to be able to pass the secret to the secrets
driver/daemon in an ephemeral way? Because both the systemd secrets and
the config file seem to just store it on the same host. Thus for
root-owned files it's just a slightly bigger hurdle rather than any
real security.

> When systemd will start the secrets driver, it will read the secret.conf
> file and check if encrypt_data flag is set to 1. In that case, the secrets
> will be stored in encrypted format on the disk. The encryption and decryption
> logic will be added in the subsequent patches.
>
> Signed-off-by: Arun Menon <[email protected]>
> ---
>  libvirt.spec.in            |  1 +
>  src/secret/meson.build     |  7 +++
>  src/secret/secret_driver.c | 96 ++++++++++++++++++++++++++++++++++++++
>  src/secret/secrets.conf.in | 14 ++++++
>  4 files changed, 118 insertions(+)
>  create mode 100644 src/secret/secrets.conf.in

[...]

> diff --git a/src/secret/secrets.conf.in b/src/secret/secrets.conf.in
> new file mode 100644
> index 0000000000..80bb9654ce
> --- /dev/null
> +++ b/src/secret/secrets.conf.in
> @@ -0,0 +1,14 @@
> +#
> +# Master configuration file for the secrets driver.
> +#
> +
> +# The master encryption key is used to override default master encryption
> +# key path. The user can create an encryption key and set the
> master_encryption_key
> +# to the path on which it resides.
> +# The key must be atleast 32-bytes long.
> +#
> +# master_encryption_key = "/run/libvirt/secrets/master.key"
> +#
> +# The encrypt_data setting is used to indicate if the encryption is on or
> off.
> +# 0 indicates off and 1 indicates on. By default it is set to on.
> +encrypt_data = 1

As the default secret seems to be handed in via systemd, which will make
it available to any upgraded installation, I don't think you can
unconditionally enable this option as it would break existing
un-encrypted secrets.
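Review bot: the shipped default `encrypt_data = 1` is set while the only key source the file documents, `master_encryption_key`, is left commented out, and nothing in the hunk says what the driver does when encryption is on but no key is found in either CREDENTIALS_DIRECTORY or the configured path (refuse to start, fall back to plaintext, or fail only when a secret is written). The comment block should state that behaviour and the lookup order explicitly, since a silent fallback to plaintext would defeat the option and a hard failure would hit the upgraded installations mentioned in the reply. The same block should also document how a key placed under the runtime directory `/run/libvirt/secrets/master.key` is expected to be provisioned on each boot, given that runtime directories are normally not persistent, and fix the wording in `# The key must be atleast 32-bytes long.` to "at least 32 bytes long", ideally saying whether a longer key is accepted or truncated.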
