On Fri, Jan 09, 2026 at 23:39:32 +0530, Arun Menon via Devel wrote:
> This commit sets the foundation for encrypting the libvirt secrets by
> providing a secure way to pass a secret encryption key to the virtsecretd
> service.
>
> A random secret key is generated using the new virt-secret-init-encryption
> service. This key can be consumed by the virtsecretd service.
>
> By using the "Before=" directive in the new virt-secret-init-encryption
> service and using the "Requires=" directive in the virtsecretd service,
> we make sure that the daemon is run only after we have an encrypted
> secret key file generated and placed in /var/lib/libvirt/secrets.
> The virtsecretd service can then read the key from CREDENTIALS_DIRECTORY. [1]
>
> This setup therefore provides a default key out-of-the-box for initial use.
> A subsequent commit will introduce the logic for virtsecretd
> to access and use this key via the $CREDENTIALS_DIRECTORY environment
> variable. [2]
>
> [1] https://www.freedesktop.org/software/systemd/man/latest/systemd-creds.html
> [2] https://systemd.io/CREDENTIALS/
>
> Signed-off-by: Arun Menon <[email protected]>
> ---
>  libvirt.spec.in                                   |  5 +++++
>  src/meson.build                                   |  1 +
>  src/remote/libvirtd.service.in                    |  4 ++++
>  src/secret/meson.build                            | 13 +++++++++++++
>  src/secret/virt-secret-init-encryption.service.in |  8 ++++++++
>  src/secret/virtsecretd.service.extra.in           |  8 ++++++++
>  6 files changed, 39 insertions(+)
>  create mode 100644 src/secret/virt-secret-init-encryption.service.in
[...]

> diff --git a/src/secret/virt-secret-init-encryption.service.in b/src/secret/virt-secret-init-encryption.service.in
> new file mode 100644
> index 0000000000..44940bd72b
> --- /dev/null
> +++ b/src/secret/virt-secret-init-encryption.service.in
> @@ -0,0 +1,8 @@
> +[Unit]
> +Before=virtsecretd.service
> +Before=libvirtd.service
> +ConditionPathExists=!@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
> +
> +[Service]
> +Type=oneshot
> +ExecStart=/usr/bin/sh -c 'umask 0066 && (dd if=/dev/urandom status=none
> bs=32 count=1 | systemd-creds encrypt --name=secrets-encryption-key -
> @localstatedir@/lib/libvirt/secrets/secrets-encryption-key)'

AFAIU /dev/random should be used for any crypto-related stuff.
/dev/urandom was discouraged e.g. when we've used it as the default
backing for the RNG device.
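Review bot: in the ExecStart= line of the virt-secret-init-encryption.service.in hunk, the exit status of the `dd ... | systemd-creds encrypt ...` pipeline is that of systemd-creds alone, so a failed or short read from /dev/urandom does not fail the unit: systemd-creds encrypts whatever it received (possibly nothing), the key file comes into existence, and ConditionPathExists=! then prevents regeneration on every later boot. Write the 32 bytes to a temporary file first and check its length before calling systemd-creds (or use `set -o pipefail`, bearing in mind that /usr/bin/sh may be dash, which lacks it), and add `iflag=fullblock` to the dd call so a partial read cannot be mistaken for a full block. On the source of randomness: this unit runs early at boot, and /dev/urandom never blocks, so in principle (and in practice on older kernels) it can return before the kernel CRNG is seeded, whereas /dev/random and getrandom(2) block until it is; that is the concrete reason to prefer /dev/random for a one-time key such as this. A short comment that `--name=secrets-encryption-key` must match the credential name virtsecretd.service later loads it under would also help, since systemd-creds embeds the name in the encrypted blob and rejects a mismatch at decrypt time.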
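The consumer side that the commit message describes, as an added example that is not part of the patch, of libvirt, or of this thread: a service handed the credential by systemd validates it before use, so that an empty or short key produced by a failed generator shows up as a startup error rather than a weak key. It assumes the credential name `secrets-encryption-key` from the hunk and a raw 32-byte key (the `dd bs=32 count=1` in the unit) exposed under `$CREDENTIALS_DIRECTORY`; `load_secret_key`, `make_fixture` and `demo` are names chosen for this illustration, and the fixture directory stands in for what systemd would provide at runtime.

```shell
#!/bin/sh
# Added illustration, not libvirt code. Assumes the unit delivers a raw
# 32-byte credential named "secrets-encryption-key" and that systemd sets
# CREDENTIALS_DIRECTORY for the consuming service.

# load_secret_key NAME
# Prints the key as lowercase hex on stdout and returns 0 on success.
# Returns 1 if CREDENTIALS_DIRECTORY is unset, 2 if the credential file is
# missing, 3 if it is not exactly 32 bytes (a short or empty read by the
# generator surfaces here instead of being used as a key).
load_secret_key() {
    name=$1
    [ -n "${CREDENTIALS_DIRECTORY:-}" ] || {
        echo "CREDENTIALS_DIRECTORY not set" >&2; return 1; }
    path="$CREDENTIALS_DIRECTORY/$name"
    [ -f "$path" ] || { echo "credential $name missing" >&2; return 2; }
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -eq 32 ] || {
        echo "credential $name has $size bytes, want 32" >&2; return 3; }
    # -v keeps od from collapsing repeated lines into "*".
    od -An -v -tx1 "$path" | tr -d ' \n'
    echo
}

# Constructed fixture (hypothetical, for this example): a private directory
# holding a fresh 32-byte key, created with the same owner-only permissions
# the unit's umask 0066 yields.
make_fixture() {
    dir=$(mktemp -d)
    (umask 077; head -c 32 /dev/urandom > "$dir/secrets-encryption-key")
    echo "$dir"
}

demo() {
    dir=$(make_fixture)
    export CREDENTIALS_DIRECTORY=$dir
    load_secret_key secrets-encryption-key
    unset CREDENTIALS_DIRECTORY
    rm -rf "$dir"
}

demo
```

Running the script prints one 64-character hex string; point `CREDENTIALS_DIRECTORY` at a directory with a truncated file to see the length check reject it with exit status 3.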
