.. role:: since ================= Secret XML format ================= .. contents:: Secret XML ---------- Secrets stored by libvirt may have attributes associated with them, using the ``secret`` element. The ``secret`` element has two optional attributes, each with values '``yes``' and '``no``', and defaulting to '``no``': ``ephemeral`` This secret must only be kept in memory, never stored persistently. ``private`` The value of the secret must not be revealed to any caller of libvirt, nor to any other node. The top-level ``secret`` element may contain the following elements: ``uuid`` An unique identifier for this secret (not necessarily in the UUID format). If omitted when defining a new secret, a random UUID is generated. ``description`` A human-readable description of the purpose of the secret. ``usage`` Specifies what this secret is used for. A mandatory ``type`` attribute specifies the usage category, currently only ``volume``, ``ceph``, ``iscsi``, ``tls``, and ``vtpm`` are defined. Specific usage categories are described below. Usage type "volume" ~~~~~~~~~~~~~~~~~~~ This secret is associated with a volume, whether the format is either for a "luks" encrypted volume. Each volume will have a unique secret associated with it and it is safe to delete the secret after the volume is deleted. The ```` element must contain a single ``volume`` element that specifies the path of the volume this secret is associated with. For example, create a volume-secret.xml file as follows: :: Super secret name of my first puppy 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f /var/lib/libvirt/images/puppyname.img Define the secret and set the passphrase as follows: :: # virsh secret-define volume-secret.xml Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created See `Setting secret values in virsh`_ on how to set the value of the secret using ``virsh secret-set-value``. The volume type secret can be supplied either in volume XML during creation of a `storage volume `__ in order to provide the passphrase to encrypt the volume or in domain XML `disk device `__ in order to provide the passphrase to decrypt the volume, :since:`since 2.1.0`. An example follows: :: # cat luks-secret.xml LUKS Sample Secret f52a81b2-424e-490c-823d-6bd4235bc57 /var/lib/libvirt/images/luks-sample.img # virsh secret-define luks-secret.xml Secret f52a81b2-424e-490c-823d-6bd4235bc57 created See `Setting secret values in virsh`_ on how to set the value of the secret using ``virsh secret-set-value``. The volume type secret can be supplied in domain XML for a luks storage volume `encryption `__ as follows: :: Usage type "ceph" ~~~~~~~~~~~~~~~~~ This secret is associated with a Ceph RBD (rados block device). The ```` element must contain a single ``name`` element that specifies a usage name for the secret. The Ceph secret can then be used by UUID or by this usage name via the ```` element of a `disk device `__ or a `storage pool (rbd) `__. :since:`Since 0.9.7`. The following is an example of the steps to be taken. First create a ceph-secret.xml file: :: CEPH passphrase example ceph_example Next, use ``virsh secret-define ceph-secret.xml`` to define the secret and ``virsh secret-set-value`` using the generated UUID value and a base64 generated secret value in order to define the chosen secret pass phrase. :: # virsh secret-define ceph-secret.xml Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created # # virsh secret-list UUID Usage ----------------------------------------------------------- 1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example See `Setting secret values in virsh`_ on how to set the value of the secret using ``virsh secret-set-value``. The ceph secret can then be used by UUID or by the usage name via the ```` element in a domain's ` `__ element as follows: :: As well as the ```` element in a `storage pool (rbd) `__ ```` element as follows: :: Usage type "iscsi" ~~~~~~~~~~~~~~~~~~ This secret is associated with an iSCSI target for CHAP authentication. The ```` element must contain a single ``target`` element that specifies a usage name for the secret. The iSCSI secret can then be used by UUID or by this usage name via the ```` element of a `disk device `__ or a `storage pool (iscsi) `__. :since:`Since 1.0.4`. The following is an example of the XML that may be used to generate a secret for iSCSI CHAP authentication. Assume the following sample entry in an iSCSI authentication file: :: backing-store /home/tgtd/iscsi-pool/disk1 backing-store /home/tgtd/iscsi-pool/disk2 incominguser myname mysecret Define an iscsi-secret.xml file to describe the secret. Use the ``incominguser`` username used in your iSCSI authentication configuration file as the value for the ``username`` attribute. The ``description`` attribute should contain configuration specific data. The ``target`` name may be any name of your choosing to be used as the ``usage`` when used in the pool or disk XML description. :: Passphrase for the iSCSI example.com server libvirtiscsi Next, use ``virsh secret-define iscsi-secret.xml`` to define the secret and ``virsh secret-set-value`` using the generated UUID value and a base64 generated secret value in order to define the chosen secret pass phrase. The pass phrase must match the password used in the iSCSI authentication configuration file. :: # virsh secret-define secret.xml Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created # virsh secret-list UUID Usage ----------------------------------------------------------- c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi See `Setting secret values in virsh`_ on how to set the value of the secret using ``virsh secret-set-value``. The iSCSI secret can then be used by UUID or by the usage name via the ```` element in a domain's ` `__ element as follows: :: As well as the ```` element in a `storage pool (iscsi) `__ ```` element as follows: :: Usage type "tls" ~~~~~~~~~~~~~~~~ This secret may be used in order to provide the passphrase for the private key used to provide TLS credentials. The ```` element must contain a single ``name`` element that specifies a usage name for the secret. :since:`Since 2.3.0`. The following is an example of the expected XML and processing to define the secret: :: # cat tls-secret.xml sample tls secret TLS_example # virsh secret-define tls-secret.xml Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created # virsh secret-list UUID Usage ----------------------------------------------------------- 718c71bd-67b5-4a2b-87ec-a24e8ca200dc tls TLS_example A secret may also be defined via the `virSecretDefineXML `__ API. Once the secret is defined, a secret value will need to be set. The secret would be the passphrase used to access the TLS credentials. The following is a simple example of using ``virsh secret-set-value`` to set the secret value. The `virSecretSetValue `__ API may also be used to set a more secure secret without using printable/readable characters. Usage type "vtpm" ~~~~~~~~~~~~~~~~~ This secret is associated with a virtualized TPM (vTPM) and serves as a passphrase for deriving a key from for encrypting the state of the vTPM. The ```` element must contain a single ``name`` element that specifies a usage name for the secret. The vTPM secret can then be used by UUID via the ```` element of a `tpm `__ when using an emulator. :since:`Since 5.6.0`. The following is an example of the steps to be taken. First create a vtpm-secret.xml file: :: # cat vtpm-secret.xml sample vTPM secret VTPM_example # virsh secret-define vtpm-secret.xml Secret 6dd3e4a5-1d76-44ce-961f-f119f5aad935 created # virsh secret-list UUID Usage ---------------------------------------------------------------------------------------- 6dd3e4a5-1d76-44ce-961f-f119f5aad935 vtpm VTPM_example A secret may also be defined via the `virSecretDefineXML `__ API. Once the secret is defined, a secret value will need to be set. The secret would be the passphrase used to decrypt the vTPM state. The following is a simple example of using ``virsh secret-set-value`` to set the secret value. The `virSecretSetValue `__ API may also be used to set a more secure secret without using printable/readable characters. Setting secret values in virsh ------------------------------ To set the value of the secret you can use the following virsh commands. If the secret is a password-like string (printable characters, no newline) you can use: :: # virsh secret-set-value --interactive 6dd3e4a5-1d76-44ce-961f-f119f5aad935 Enter new value for secret: Secret value set Another secure option is to read the secret from a file. This way the secret can contain any bytes (even NUL and non-printable characters). The length of the secret is the length of the input file. Alternatively the ``--plain`` option can be omitted if the file contents are base64-encoded. :: # virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 --file secretinfile --plain Secret value set **WARNING** The following approach is **insecure** and deprecated. The secret can also be set via an argument. Note that other users may see the actual secret in the process listing! The secret must be base64 encoded. :: # MYSECRET=`printf %s "open sesame" | base64` # virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET Secret value set