]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
projects / thirdparty / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ffc316e)
secret: Set up default encryption secret key for the virtsecretd service
authorArun Menon <armenon@redhat.com>
Tue, 10 Feb 2026 17:56:39 +0000 (23:26 +0530)
committerPeter Krempa <pkrempa@redhat.com>
Thu, 12 Feb 2026 16:07:58 +0000 (17:07 +0100)
This commit sets the foundation for encrypting the libvirt secrets by providing a
secure way to pass a secret encryption key to the virtsecretd service.

A random secret key is generated using the new virt-secret-init-encryption
service. This key can be consumed by the virtsecretd service.

By using the "Before=" directive in the new virt-secret-init-encryption
service and using "Requires=" directive in the virtsecretd service,
we make sure that the daemon is run only after we have an encrypted
secret key file generated and placed in /var/lib/libvirt/secrets.
The virtsecretd service can then read the key from CREDENTIALS_DIRECTORY. [1]

This setup therefore provides a default key out-of-the-box for initial use.
A subsequent commit will introduce the logic for virtsecretd
to access and use this key via the $CREDENTIALS_DIRECTORY environment variable. [2]

[1] https://www.freedesktop.org/software/systemd/man/latest/systemd-creds.html
[2] https://systemd.io/CREDENTIALS/

Signed-off-by: Arun Menon <armenon@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
libvirt.spec.in patch | blob | blame | history
src/meson.build patch | blob | blame | history
src/remote/libvirtd.service.in patch | blob | blame | history
src/secret/meson.build patch | blob | blame | history
src/secret/virt-secret-init-encryption.service.in [new file with mode: 0644] patch | blob
src/secret/virtsecretd.service.extra.in patch | blob | blame | history

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 22c9975d9f926633be984f220a6b2763dc073d50..34a47d689c2bcf08edb776468240d449224ee15e 100644 (file)
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1891,13 +1891,16 @@ exit 0
 %pre daemon-driver-secret
 %libvirt_sysconfig_pre virtsecretd
 %libvirt_systemd_unix_pre virtsecretd
+%libvirt_systemd_oneshot_pre virt-secret-init-encryption
 
 %posttrans daemon-driver-secret
 %libvirt_sysconfig_posttrans virtsecretd
 %libvirt_systemd_unix_posttrans virtsecretd
+%libvirt_systemd_unix_posttrans virt-secret-init-encryption
 
 %preun daemon-driver-secret
 %libvirt_systemd_unix_preun virtsecretd
+%libvirt_systemd_unix_preun virt-secret-init-encryption
 
 %pre daemon-driver-storage-core
 %libvirt_sysconfig_pre virtstoraged
@@ -2249,11 +2252,13 @@ exit 0
 %{_datadir}/augeas/lenses/virtsecretd.aug
 %{_datadir}/augeas/lenses/tests/test_virtsecretd.aug
 %{_unitdir}/virtsecretd.service
+%{_unitdir}/virt-secret-init-encryption.service
 %{_unitdir}/virtsecretd.socket
 %{_unitdir}/virtsecretd-ro.socket
 %{_unitdir}/virtsecretd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtsecretd
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/
+%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/secrets/
 %ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/secrets/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_secret.so
 %{_mandir}/man8/virtsecretd.8*
diff --git a/src/meson.build b/src/meson.build
index 16875622f46aeb5c990766f779f1c7207fa30853..cab52ce7a30cf4e8c96a68094ed30ac8e7f5334b 100644 (file)
--- a/src/meson.build
+++ b/src/meson.build
@@ -833,6 +833,7 @@ if conf.has('WITH_LIBVIRTD')
         'sbindir': sbindir,
         'sysconfdir': sysconfdir,
         'initconfdir': initconfdir,
+        'localstatedir': localstatedir,
         'name': unit['name'],
         'service': unit['service'],
         'SERVICE': unit['service'].to_upper(),
diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
index b0a062e8858bd99d38e91e426a9fa093d11632d4..7965010a0a79ca5e1664e7cceab2f7a152aed9f5 100644 (file)
--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
@@ -12,6 +12,8 @@ After=libvirtd.socket
 After=libvirtd-ro.socket
 After=libvirtd-admin.socket
 Requires=virtlogd.socket
+Requires=virt-secret-init-encryption.service
+After=virt-secret-init-encryption.service
 Wants=virtlockd.socket
 After=virtlogd.socket
 After=virtlockd.socket
@@ -29,6 +31,8 @@ Conflicts=xendomains.service
 Type=notify-reload
 Environment=LIBVIRTD_ARGS="--timeout 120"
 EnvironmentFile=-@initconfdir@/libvirtd
+Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key
+LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
 ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
diff --git a/src/secret/meson.build b/src/secret/meson.build
index 3b859ea7b444edf503f81db524f84bc2fbc9fdc4..b69abe32ab18ae7ab8e2ab62922057cd2a48bd3b 100644 (file)
--- a/src/secret/meson.build
+++ b/src/secret/meson.build
@@ -31,6 +31,18 @@ if conf.has('WITH_SECRETS')
     'name': 'virtsecretd',
   }
 
+  virt_secret_init_encryption_conf = configuration_data()
+
+  virt_secret_init_encryption_conf.set('localstatedir', localstatedir)
+
+  configure_file(
+    input: 'virt-secret-init-encryption.service.in',
+    output: '@0@.service'.format('virt-secret-init-encryption'),
+    configuration: virt_secret_init_encryption_conf,
+    install: true,
+    install_dir: unitdir,
+  )
+
   virt_daemon_units += {
     'service': 'virtsecretd',
     'name': 'secret',
@@ -50,5 +62,6 @@ if conf.has('WITH_SECRETS')
   virt_install_dirs += [
     confdir / 'secrets',
     runstatedir / 'libvirt' / 'secrets',
+    localstatedir / 'lib' / 'libvirt' / 'secrets',
   ]
 endif
diff --git a/src/secret/virt-secret-init-encryption.service.in b/src/secret/virt-secret-init-encryption.service.in
new file mode 100644 (file)
index 0000000..8fd5400
--- /dev/null
+++ b/src/secret/virt-secret-init-encryption.service.in
@@ -0,0 +1,8 @@
+[Unit]
+Before=virtsecretd.service
+Before=libvirtd.service
+ConditionPathExists=!@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/sh -c 'umask 0077 && (dd if=/dev/random status=none bs=32 count=1 | systemd-creds encrypt --name=secrets-encryption-key - @localstatedir@/lib/libvirt/secrets/secrets-encryption-key)'
diff --git a/src/secret/virtsecretd.service.extra.in b/src/secret/virtsecretd.service.extra.in
index 1fc8c672f7f669eed7e73ab16676ddd7274e9c5f..116458b22a202ca77e13343677a6478c446763db 100644 (file)
--- a/src/secret/virtsecretd.service.extra.in
+++ b/src/secret/virtsecretd.service.extra.in
@@ -1,2 +1,10 @@
 # The contents of this unit will be merged into a base template.
 # Additional units might be merged as well. See meson.build for details.
+#
+[Unit]
+Requires=virt-secret-init-encryption.service
+After=virt-secret-init-encryption.service
+
+[Service]
+LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
+Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key
Mirror of https://github.com/libvirt/libvirt.git