From 9dbf6871e6169c4d6cbee3578907501262f40e5f Mon Sep 17 00:00:00 2001 From: Peter Krempa Date: Fri, 10 Jan 2020 16:35:11 +0100 Subject: [PATCH] docs: secret: Unify and sanitize examples on how to set secret value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Discourage passing secrets as commandline arguments. Signed-off-by: Peter Krempa Reviewed-by: Daniel P. Berrangé --- docs/formatsecret.html.in | 89 +++++++++++++++++++++++++-------------- 1 file changed, 58 insertions(+), 31 deletions(-) diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in index 8f5383cf64..9dc9cdf288 100644 --- a/docs/formatsecret.html.in +++ b/docs/formatsecret.html.in @@ -76,13 +76,13 @@ 
 # virsh secret-define volume-secret.xml
 Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created
-#
-# MYSECRET=`printf %s "open sesame" | base64`
-# virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET
-Secret value set
-#
+

+ See virsh secret-set-value on how + to set the value of the secret. +

+

The volume type secret can be supplied either in volume XML during creation of a storage volume @@ -103,12 +103,11 @@ Secret value set # virsh secret-define luks-secret.xml Secret f52a81b2-424e-490c-823d-6bd4235bc57 created -# -# MYSECRET=`printf %s "letmein" | base64` -# virsh secret-set-value f52a81b2-424e-490c-823d-6bd4235bc57 $MYSECRET -Secret value set -# +

+ See virsh secret-set-value on how + to set the value of the secret. +

The volume type secret can be supplied in domain XML for a luks storage @@ -156,13 +155,11 @@ Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created UUID Usage ----------------------------------------------------------- 1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example -# -# CEPHPHRASE=`printf %s "pass phrase" | base64` -# virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE -Secret value set - -# +

+ See virsh secret-set-value on how + to set the value of the secret. +

The ceph secret can then be used by UUID or by the @@ -229,7 +226,9 @@ incominguser myname mysecret

Next, use virsh secret-define iscsi-secret.xml to define - the secret and virsh secret-set-value using the generated + the secret and + virsh secret-set-value + using the generated UUID value and a base64 generated secret value in order to define the chosen secret pass phrase. The pass phrase must match the password used in the iSCSI authentication configuration file. @@ -243,12 +242,13 @@ Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created ----------------------------------------------------------- c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi -# MYSECRET=`printf %s "mysecret" | base64` -# virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET -Secret value set -# +

+ See virsh secret-set-value on how + to set the value of the secret. +

+

The iSCSI secret can then be used by UUID or by the usage name via the <auth> element in a domain's @@ -313,19 +313,13 @@ Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created Once the secret is defined, a secret value will need to be set. The secret would be the passphrase used to access the TLS credentials. The following is a simple example of using - virsh secret-set-value to set the secret value. The + virsh secret-set-value to set + the secret value. The virSecretSetValue API may also be used to set a more secure secret without using printable/readable characters.

- 
-# MYSECRET=`printf %s "letmein" | base64`
-# virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
-Secret value set
-
-
-

Usage type "vtpm"

@@ -370,17 +364,50 @@ Secret 6dd3e4a5-1d76-44ce-961f-f119f5aad935 created Once the secret is defined, a secret value will need to be set. The secret would be the passphrase used to decrypt the vTPM state. The following is a simple example of using - virsh secret-set-value to set the secret value. The + virsh secret-set-value + to set the secret value. The virSecretSetValue API may also be used to set a more secure secret without using printable/readable characters.

+

Setting secret values in virsh

+ +

+ To set the value of the secret you can use the following virsh commands. + If the secret is a password-like string (printable characters, no newline) + you can use: +

+ 
+# virsh secret-set-value --interactive 6dd3e4a5-1d76-44ce-961f-f119f5aad935
+Enter new value for secret:
+Secret value set
+
+ +

+ Another secure option is to read the secret from a file. This way the + secret can contain any bytes (even NUL and non-printable characters). The + length of the secret is the length of the input file. Alternatively the + --plain option can be omitted if the file contents are + base64-encoded. +

+ + 
+# virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 --file --plain secretinfile
+Secret value set
+
+ +

+ WARNING The following approach is insecure and deprecated. + The secret can also be set via an argument. Note that other users may see + the actual secret in the process listing! + The secret must be base64 encoded. +

+ 
 # MYSECRET=`printf %s "open sesame" | base64`
 # virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET
 Secret value set
-