1 <?xml version=
"1.0" encoding=
"UTF-8"?>
3 <html xmlns=
"http://www.w3.org/1999/xhtml">
5 <h1>Secret XML format
</h1>
9 <h2><a id=
"SecretAttributes">Secret XML
</a></h2>
12 Secrets stored by libvirt may have attributes associated with them, using
13 the
<code>secret
</code> element. The
<code>secret
</code> element has two
14 optional attributes, each with values '
<code>yes
</code>' and
15 '
<code>no
</code>', and defaulting to '
<code>no
</code>':
18 <dt><code>ephemeral
</code></dt>
19 <dd>This secret must only be kept in memory, never stored persistently.
21 <dt><code>private
</code></dt>
22 <dd>The value of the secret must not be revealed to any caller of libvirt,
23 nor to any other node.
27 The top-level
<code>secret
</code> element may contain the following
31 <dt><code>uuid
</code></dt>
33 An unique identifier for this secret (not necessarily in the UUID
34 format). If omitted when defining a new secret, a random UUID is
37 <dt><code>description
</code></dt>
38 <dd>A human-readable description of the purpose of the secret.
40 <dt><code>usage
</code></dt>
42 Specifies what this secret is used for. A mandatory
43 <code>type
</code> attribute specifies the usage category, currently
44 only
<code>volume
</code>,
<code>ceph
</code>,
<code>iscsi
</code>,
45 <code>tls
</code>, and
<code>vtpm
</code> are defined. Specific usage
46 categories are described below.
50 <h3><a id=
"VolumeUsageType">Usage type
"volume"</a></h3>
53 This secret is associated with a volume, whether the format is either
54 for a
"luks" encrypted volume. Each volume will have a
55 unique secret associated with it and it is safe to delete the
56 secret after the volume is deleted. The
57 <code><usage type='volume'
></code> element must contain a
58 single
<code>volume
</code> element that specifies the path of the volume
59 this secret is associated with. For example, create a volume-secret.xml
64 <secret ephemeral='no' private='yes'
>
65 <description
>Super secret name of my first puppy
</description
>
66 <uuid
>0a81f5b2-
8403-
7b23-c8d6-
21ccc2f80d6f
</uuid
>
67 <usage type='volume'
>
68 <volume
>/var/lib/libvirt/images/puppyname.img
</volume
>
74 Define the secret and set the passphrase as follows:
77 # virsh secret-define volume-secret.xml
78 Secret
0a81f5b2-
8403-
7b23-c8d6-
21ccc2f80d6f created
80 # MYSECRET=`printf %s
"open sesame" | base64`
81 # virsh secret-set-value
0a81f5b2-
8403-
7b23-c8d6-
21ccc2f80d6f $MYSECRET
87 The volume type secret can be supplied either in volume XML during
88 creation of a
<a href=
"formatstorage.html#StorageVol">storage volume
</a>
89 in order to provide the passphrase to encrypt the volume or in
90 domain XML
<a href=
"formatdomain.html#elementsDisks">disk device
</a>
91 in order to provide the passphrase to decrypt the volume,
92 <span class=
"since">since
2.1.0</span>. An example follows:
96 <secret ephemeral='no' private='yes'
>
97 <description
>LUKS Sample Secret
</description
>
98 <uuid
>f52a81b2-
424e-490c-
823d-
6bd4235bc57
</uuid
>
99 <usage type='volume'
>
100 <volume
>/var/lib/libvirt/images/luks-sample.img
</volume
>
104 # virsh secret-define luks-secret.xml
105 Secret f52a81b2-
424e-490c-
823d-
6bd4235bc57 created
107 # MYSECRET=`printf %s
"letmein" | base64`
108 # virsh secret-set-value f52a81b2-
424e-490c-
823d-
6bd4235bc57 $MYSECRET
114 The volume type secret can be supplied in domain XML for a luks storage
115 volume
<a href=
"formatstorageencryption.html">encryption
</a> as follows:
118 <encryption format='luks'
>
119 <secret type='passphrase' uuid='f52a81b2-
424e-490c-
823d-
6bd4235bc57'/
>
123 <h3><a id=
"CephUsageType">Usage type
"ceph"</a></h3>
125 This secret is associated with a Ceph RBD (rados block device).
126 The
<code><usage type='ceph'
></code> element must contain
127 a single
<code>name
</code> element that specifies a usage name
128 for the secret. The Ceph secret can then be used by UUID or by
129 this usage name via the
<code><auth
></code> element of
130 a
<a href=
"formatdomain.html#elementsDisks">disk device
</a> or
131 a
<a href=
"formatstorage.html">storage pool (rbd)
</a>.
132 <span class=
"since">Since
0.9.7</span>. The following is an example
133 of the steps to be taken. First create a ceph-secret.xml file:
137 <secret ephemeral='no' private='yes'
>
138 <description
>CEPH passphrase example
</description
>
139 <usage type='ceph'
>
140 <name
>ceph_example
</name
>
146 Next, use
<code>virsh secret-define ceph-secret.xml
</code> to define
147 the secret and
<code>virsh secret-set-value
</code> using the generated
148 UUID value and a base64 generated secret value in order to define the
149 chosen secret pass phrase.
152 # virsh secret-define ceph-secret.xml
153 Secret
1b40a534-
8301-
45d5-b1aa-
11894ebb1735 created
157 -----------------------------------------------------------
158 1b40a534-
8301-
45d5-b1aa-
11894ebb1735 cephx ceph_example
160 # CEPHPHRASE=`printf %s
"pass phrase" | base64`
161 # virsh secret-set-value
1b40a534-
8301-
45d5-b1aa-
11894ebb1735 $CEPHPHRASE
168 The ceph secret can then be used by UUID or by the
169 usage name via the
<code><auth
></code> element in a domain's
170 <a href=
"formatdomain.html#elementsDisks"><code><disk
></code></a>
174 <auth username='myname'
>
175 <secret type='ceph' usage='ceph_example'/
>
180 As well as the
<code><auth
></code> element in a
181 <a href=
"formatstorage.html">storage pool (rbd)
</a>
182 <code><source
></code> element as follows:
185 <auth type='ceph' username='myname'
>
186 <secret usage='ceph_example'/
>
190 <h3><a id=
"iSCSIUsageType">Usage type
"iscsi"</a></h3>
193 This secret is associated with an iSCSI target for CHAP authentication.
194 The
<code><usage type='iscsi'
></code> element must contain
195 a single
<code>target
</code> element that specifies a usage name
196 for the secret. The iSCSI secret can then be used by UUID or by
197 this usage name via the
<code><auth
></code> element of
198 a
<a href=
"formatdomain.html#elementsDisks">disk device
</a> or
199 a
<a href=
"formatstorage.html">storage pool (iscsi)
</a>.
200 <span class=
"since">Since
1.0.4</span>. The following is an example
201 of the XML that may be used to generate a secret for iSCSI CHAP
202 authentication. Assume the following sample entry in an iSCSI
206 <target iqn
.2013-
07.com.example:iscsi-pool
>
207 backing-store /home/tgtd/iscsi-pool/disk1
208 backing-store /home/tgtd/iscsi-pool/disk2
209 incominguser myname mysecret
213 Define an iscsi-secret.xml file to describe the secret. Use the
214 <code>incominguser
</code> username used in your iSCSI authentication
215 configuration file as the value for the
<code>username
</code> attribute.
216 The
<code>description
</code> attribute should contain configuration
217 specific data. The
<code>target
</code> name may be any name of your
218 choosing to be used as the
<code>usage
</code> when used in the pool
219 or disk XML description.
222 <secret ephemeral='no' private='yes'
>
223 <description
>Passphrase for the iSCSI example.com server
</description
>
224 <usage type='iscsi'
>
225 <target
>libvirtiscsi
</target
>
231 Next, use
<code>virsh secret-define iscsi-secret.xml
</code> to define
232 the secret and
<code>virsh secret-set-value
</code> using the generated
233 UUID value and a base64 generated secret value in order to define the
234 chosen secret pass phrase. The pass phrase must match the password
235 used in the iSCSI authentication configuration file.
238 # virsh secret-define secret.xml
239 Secret c4dbe20b-b1a3-
4ac1-b6e6-
2ac97852ebb6 created
243 -----------------------------------------------------------
244 c4dbe20b-b1a3-
4ac1-b6e6-
2ac97852ebb6 iscsi libvirtiscsi
246 # MYSECRET=`printf %s
"mysecret" | base64`
247 # virsh secret-set-value c4dbe20b-b1a3-
4ac1-b6e6-
2ac97852ebb6 $MYSECRET
253 The iSCSI secret can then be used by UUID or by the
254 usage name via the
<code><auth
></code> element in a domain's
255 <a href=
"formatdomain.html#elementsDisks"><code><disk
></code></a>
259 <auth username='myname'
>
260 <secret type='iscsi' usage='libvirtiscsi'/
>
265 As well as the
<code><auth
></code> element in a
266 <a href=
"formatstorage.html">storage pool (iscsi)
</a>
267 <code><source
></code> element as follows:
270 <auth type='chap' username='myname'
>
271 <secret usage='libvirtiscsi'/
>
275 <h3><a id=
"tlsUsageType">Usage type
"tls"</a></h3>
278 This secret may be used in order to provide the passphrase for the
279 private key used to provide TLS credentials.
280 The
<code><usage type='tls'
></code> element must contain a
281 single
<code>name
</code> element that specifies a usage name
283 <span class=
"since">Since
2.3.0</span>.
284 The following is an example of the expected XML and processing to
290 <secret ephemeral='no' private='yes'
>
291 <description
>sample tls secret
</description
>
292 <usage type='tls'
>
293 <name
>TLS_example
</name
>
297 # virsh secret-define tls-secret.xml
298 Secret
718c71bd-
67b5-
4a2b-
87ec-a24e8ca200dc created
302 -----------------------------------------------------------
303 718c71bd-
67b5-
4a2b-
87ec-a24e8ca200dc tls TLS_example
309 A secret may also be defined via the
310 <a href=
"html/libvirt-libvirt-secret.html#virSecretDefineXML">
311 <code>virSecretDefineXML
</code></a> API.
313 Once the secret is defined, a secret value will need to be set. The
314 secret would be the passphrase used to access the TLS credentials.
315 The following is a simple example of using
316 <code>virsh secret-set-value
</code> to set the secret value. The
317 <a href=
"html/libvirt-libvirt-secret.html#virSecretSetValue">
318 <code>virSecretSetValue
</code></a> API may also be used to set
319 a more secure secret without using printable/readable characters.
323 # MYSECRET=`printf %s
"letmein" | base64`
324 # virsh secret-set-value
718c71bd-
67b5-
4a2b-
87ec-a24e8ca200dc $MYSECRET
329 <h3><a id=
"vTPMUsageType">Usage type
"vtpm"</a></h3>
332 This secret is associated with a virtualized TPM (vTPM) and serves
333 as a passphrase for deriving a key from for encrypting the state
335 The
<code><usage type='vtpm'
></code> element must contain
336 a single
<code>name
</code> element that specifies a usage name
337 for the secret. The vTPM secret can then be used by UUID or by
338 this usage name via the
<code><encryption
></code> element of
339 a
<a href=
"formatdomain.html#elementsTpm">tpm
</a> when using an
341 <span class=
"since">Since
5.6.0</span>. The following is an example
342 of the steps to be taken. First create a vtpm-secret.xml file:
</p>
345 # cat vtpm-secret.xml
346 <secret ephemeral='no' private='yes'
>
347 <description
>sample vTPM secret
</description
>
348 <usage type='vtpm'
>
349 <name
>VTPM_example
</name
>
353 # virsh secret-define vtpm-secret.xml
354 Secret
6dd3e4a5-
1d76-
44ce-
961f-f119f5aad935 created
358 ----------------------------------------------------------------------------------------
359 6dd3e4a5-
1d76-
44ce-
961f-f119f5aad935 vtpm VTPM_example
366 A secret may also be defined via the
367 <a href=
"html/libvirt-libvirt-secret.html#virSecretDefineXML">
368 <code>virSecretDefineXML
</code></a> API.
370 Once the secret is defined, a secret value will need to be set. The
371 secret would be the passphrase used to decrypt the vTPM state.
372 The following is a simple example of using
373 <code>virsh secret-set-value
</code> to set the secret value. The
374 <a href=
"html/libvirt-libvirt-secret.html#virSecretSetValue">
375 <code>virSecretSetValue
</code></a> API may also be used to set
376 a more secure secret without using printable/readable characters.
380 # MYSECRET=`printf %s
"open sesame" | base64`
381 # virsh secret-set-value
6dd3e4a5-
1d76-
44ce-
961f-f119f5aad935 $MYSECRET