The new attribute will store the available ciphers with which secrets
can be encrypted. At the moment only the aes256cbc encryption method is used.
This can be extended in the future.

Rename the file name structure attribute from base64File to secretValueFile.

Signed-off-by: Arun Menon <[email protected]>
---
 include/libvirt/libvirt-secret.h | 20 ++++++++++++++++++++
 src/conf/secret_conf.h           |  1 +
 src/conf/virsecretobj.c          | 22 +++++++++++-----------
 src/util/virsecret.c             |  4 ++++
 src/util/virsecret.h             |  1 +
 5 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/include/libvirt/libvirt-secret.h b/include/libvirt/libvirt-secret.h
index 761437d4ad..768c92c10c 100644
--- a/include/libvirt/libvirt-secret.h
+++ b/include/libvirt/libvirt-secret.h
@@ -70,6 +70,26 @@ typedef enum {
 # endif
 } virSecretUsageType;
 
+/**
+ * virSecretEncryptionSchemeType:
+ *
+ * Since: 11.10.0
+ */
+typedef enum {
+    VIR_SECRET_ENCRYPTION_SCHEME_NONE = 0, /* (Since: 11.10.0) */
+    VIR_SECRET_ENCRYPTION_SCHEME_AES256CBC = 1, /* (Since: 11.10.0) */
+# ifdef VIR_ENUM_SENTINELS
+    VIR_SECRET_ENCRYPTION_SCHEME_LAST
+    /*
+     * NB: this enum value will increase over time as new encryption schemes 
are
+     * added to the libvirt API. It reflects the last enncryption scheme 
supported
+     * by this version of the libvirt API.
+     *
+     * Since: 11.10.0
+     */
+# endif
+} virSecretEncryptionSchemeType;
+
 virConnectPtr           virSecretGetConnect     (virSecretPtr secret);
 int                     virConnectNumOfSecrets  (virConnectPtr conn);
 int                     virConnectListSecrets   (virConnectPtr conn,
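Review bot: The NB comment following VIR_SECRET_ENCRYPTION_SCHEME_LAST misspells `enncryption`; it should read `* added to the libvirt API. It reflects the last encryption scheme supported`. The enum's own doc comment carries only a `Since:` tag and no description, so a reader of this public header cannot tell what the scheme applies to; a single line such as ` * Encryption scheme applied to a secret's value; NONE presumably means the value is not encrypted.` above the `Since:` tag would close that gap. The two value comments could likewise say what each scheme means rather than only repeating the version tag.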
diff --git a/src/conf/secret_conf.h b/src/conf/secret_conf.h
index 8f8f47933a..a12bc8e095 100644
--- a/src/conf/secret_conf.h
+++ b/src/conf/secret_conf.h
@@ -30,6 +30,7 @@ struct _virSecretDef {
     char *description;          /* May be NULL */
     virSecretUsageType usage_type;
     char *usage_id; /* May be NULL */
+    virSecretEncryptionSchemeType encryption_scheme; /* 
virSecretEncryptionSchemeType */
 };
 
 void virSecretDefFree(virSecretDef *def);
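Review bot: The trailing comment on the new encryption_scheme member only repeats its declared type and says nothing about its meaning or default; something like `/* How the stored value is encrypted; zero (VIR_SECRET_ENCRYPTION_SCHEME_NONE) is the unset default */` would be more useful, assuming defs are zero-allocated as the NONE = 0 value in the public enum suggests. Nothing in this patch reads or writes the member, so presumably parsing, formatting and validation of it arrive in a later patch; stating that in the commit message would help reviewers of this one. The struct _virSecretDef definition begins before the hunk.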
diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c
index 66270e2751..a3dd7983bb 100644
--- a/src/conf/virsecretobj.c
+++ b/src/conf/virsecretobj.c
@@ -39,7 +39,7 @@ VIR_LOG_INIT("conf.virsecretobj");
 struct _virSecretObj {
     virObjectLockable parent;
     char *configFile;
-    char *base64File;
+    char *secretValueFile;
     virSecretDef *def;
     unsigned char *value;       /* May be NULL */
     size_t value_size;
@@ -139,7 +139,7 @@ virSecretObjDispose(void *opaque)
         g_free(obj->value);
     }
     g_free(obj->configFile);
-    g_free(obj->base64File);
+    g_free(obj->secretValueFile);
 }
 
 
@@ -378,11 +378,11 @@ virSecretObjListAdd(virSecretObjList *secrets,
         if (!(obj = virSecretObjNew()))
             goto cleanup;
 
-        /* Generate the possible configFile and base64File strings
+        /* Generate the possible configFile and secretValueFile strings
          * using the configDir, uuidstr, and appropriate suffix
          */
         if (!(obj->configFile = virFileBuildPath(configDir, uuidstr, ".xml")) 
||
-            !(obj->base64File = virFileBuildPath(configDir, uuidstr, 
".base64")))
+            !(obj->secretValueFile = virFileBuildPath(configDir, uuidstr, 
".base64")))
             goto cleanup;
 
         if (virHashAddEntry(secrets->objs, uuidstr, obj) < 0)
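Review bot: The on-disk suffix passed to virFileBuildPath remains `".base64"` while the member is renamed to secretValueFile, so the new name no longer describes what the file holds (base64 text, as virSecretObjSaveData in this file still writes it). If the suffix is kept deliberately so secrets persisted by earlier versions remain loadable, the comment above the call should say so, e.g. `* using the configDir, uuidstr, and appropriate suffix; the value file keeps its historical ".base64" suffix so existing stores stay loadable`. The remaining hunks in this file are the same mechanical rename and need no separate change. virSecretObjListAdd begins and ends outside the hunk.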
@@ -656,7 +656,7 @@ virSecretObjDeleteData(virSecretObj *obj)
 {
     /* The configFile will already be removed, so secret won't be
      * loaded again if this fails */
-    unlink(obj->base64File);
+    unlink(obj->secretValueFile);
 }
 
 
@@ -691,7 +691,7 @@ virSecretObjSaveData(virSecretObj *obj)
 
     base64 = g_base64_encode(obj->value, obj->value_size);
 
-    if (virFileRewriteStr(obj->base64File, S_IRUSR | S_IWUSR, base64) < 0)
+    if (virFileRewriteStr(obj->secretValueFile, S_IRUSR | S_IWUSR, base64) < 0)
         return -1;
 
     return 0;
@@ -813,26 +813,26 @@ virSecretLoadValue(virSecretObj *obj)
     struct stat st;
     g_autofree char *contents = NULL;
 
-    if ((fd = open(obj->base64File, O_RDONLY)) == -1) {
+    if ((fd = open(obj->secretValueFile, O_RDONLY)) == -1) {
         if (errno == ENOENT) {
             ret = 0;
             goto cleanup;
         }
         virReportSystemError(errno, _("cannot open '%1$s'"),
-                             obj->base64File);
+                             obj->secretValueFile);
         goto cleanup;
     }
 
     if (fstat(fd, &st) < 0) {
         virReportSystemError(errno, _("cannot stat '%1$s'"),
-                             obj->base64File);
+                             obj->secretValueFile);
         goto cleanup;
     }
 
     if ((size_t)st.st_size != st.st_size) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("'%1$s' file does not fit in memory"),
-                       obj->base64File);
+                       obj->secretValueFile);
         goto cleanup;
     }
 
@@ -845,7 +845,7 @@ virSecretLoadValue(virSecretObj *obj)
 
     if (saferead(fd, contents, st.st_size) != st.st_size) {
         virReportSystemError(errno, _("cannot read '%1$s'"),
-                             obj->base64File);
+                             obj->secretValueFile);
         goto cleanup;
     }
     contents[st.st_size] = '\0';
diff --git a/src/util/virsecret.c b/src/util/virsecret.c
index 8e74df3b93..c9d9cf2c8a 100644
--- a/src/util/virsecret.c
+++ b/src/util/virsecret.c
@@ -36,6 +36,10 @@ VIR_ENUM_IMPL(virSecretUsage,
               VIR_SECRET_USAGE_TYPE_LAST,
               "none", "volume", "ceph", "iscsi", "tls", "vtpm",
 );
+VIR_ENUM_IMPL(virSecretEncryptionScheme,
+              VIR_SECRET_ENCRYPTION_SCHEME_LAST,
+              "none", "aes256cbc",
+);
 
 void
 virSecretLookupDefClear(virSecretLookupTypeDef *def)
diff --git a/src/util/virsecret.h b/src/util/virsecret.h
index c803f0fe33..01998e307d 100644
--- a/src/util/virsecret.h
+++ b/src/util/virsecret.h
@@ -27,6 +27,7 @@
 #include "virenum.h"
 
 VIR_ENUM_DECL(virSecretUsage);
+VIR_ENUM_DECL(virSecretEncryptionScheme);
 
 typedef enum {
     VIR_SECRET_LOOKUP_TYPE_NONE,
-- 
2.51.1
