formatsecret.html.in

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
    <h1>Secret XML format</h1>

    <ul id="toc"></ul>

    <h2><a name="SecretAttributes">Secret XML</a></h2>

    <p>
      Secrets stored by libvirt may have attributes associated with them, using
      the <code>secret</code> element.  The <code>secret</code> element has two
      optional attributes, each with values '<code>yes</code>' and
      '<code>no</code>', and defaulting to '<code>no</code>':
    </p>
    <dl>
      <dt><code>ephemeral</code></dt>
      <dd>This secret must only be kept in memory, never stored persistently.
      </dd>
      <dt><code>private</code></dt>
      <dd>The value of the secret must not be revealed to any caller of libvirt,
        nor to any other node.
      </dd>
    </dl>
    <p>
      The top-level <code>secret</code> element may contain the following
      elements:
    </p>
    <dl>
      <dt><code>uuid</code></dt>
      <dd>
        An unique identifier for this secret (not necessarily in the UUID
        format).  If omitted when defining a new secret, a random UUID is
        generated.
      </dd>
      <dt><code>description</code></dt>
      <dd>A human-readable description of the purpose of the secret.
      </dd>
      <dt><code>usage</code></dt>
      <dd>
        Specifies what this secret is used for.  A mandatory
        <code>type</code> attribute specifies the usage category, currently
        only <code>volume</code>, <code>ceph</code>, and <code>iscsi</code>
        are defined. Specific usage categories are described below.
      </dd>
    </dl>

    <h3><a name="VolumeUsageType">Usage type "volume"</a></h3>

    <p>
      This secret is associated with a volume, whether the format is either
      for a "qcow" or a "luks" encrypted volume. Each volume will have a
      unique secret associated with it and it is safe to delete the
      secret after the volume is deleted. The
      <code>&lt;usage type='volume'&gt;</code> element must contain a
      single <code>volume</code> element that specifies the path of the volume
      this secret is associated with. For example, create a volume-secret.xml
      file as follows:
    </p>

    <pre>
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;Super secret name of my first puppy&lt;/description&gt;
         &lt;uuid&gt;0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f&lt;/uuid&gt;
         &lt;usage type='volume'&gt;
            &lt;volume&gt;/var/lib/libvirt/images/puppyname.img&lt;/volume&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;
    </pre>

    <p>
      Define the secret and set the passphrase as follows:
    </p>
    <pre>
      # virsh secret-define volume-secret.xml
      Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created
      #
      # MYSECRET=`printf %s "open sesame" | base64`
      # virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET
      Secret value set
      #
    </pre>

    <p>
      The volume type secret can be supplied in domain XML for a qcow storage
      volume <a href="formatstorageencryption.html">encryption</a> as follows:
    </p>
    <pre>
      &lt;encryption format='qcow'&gt;
        &lt;secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/&gt;
      &lt;/encryption&gt;
    </pre>

    <p>
      The volume type secret can be supplied either in volume XML during
      creation of a <a href="formatstorage.html#StorageVol">storage volume</a>
      in order to provide the passphrase to encrypt the volume or in
      domain XML <a href="formatdomain.html#elementsDisks">disk device</a>
      in order to provide the passphrase to decrypt the volume,
      <span class="since">since 2.1.0</span>. An example follows:
    </p>
    <pre>
      # cat luks-secret.xml
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;LUKS Sample Secret&lt;/description&gt;
         &lt;uuid&gt;f52a81b2-424e-490c-823d-6bd4235bc57&lt;/uuid&gt;
         &lt;usage type='volume'&gt;
            &lt;volume&gt;/var/lib/libvirt/images/luks-sample.img&lt;/volume&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;

      # virsh secret-define luks-secret.xml
      Secret f52a81b2-424e-490c-823d-6bd4235bc57 created
      #
      # MYSECRET=`printf %s "letmein" | base64`
      # virsh secret-set-value f52a81b2-424e-490c-823d-6bd4235bc57 $MYSECRET
      Secret value set
      #
    </pre>

    <h3><a name="CephUsageType">Usage type "ceph"</a></h3>
    <p>
      This secret is associated with a Ceph RBD (rados block device).
      The <code>&lt;usage type='ceph'&gt;</code> element must contain
      a single <code>name</code> element that specifies a usage name
      for the secret.  The Ceph secret can then be used by UUID or by
      this usage name via the <code>&lt;auth&gt;</code> element of
      a <a href="formatdomain.html#elementsDisks">disk device</a> or
      a <a href="formatstorage.html">storage pool (rbd)</a>.
      <span class="since">Since 0.9.7</span>. The following is an example
      of the steps to be taken.  First create a ceph-secret.xml file:
    </p>

    <pre>
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;CEPH passphrase example&lt;/description&gt;
         &lt;usage type='ceph'&gt;
            &lt;name&gt;ceph_example&lt;/name&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;
    </pre>

    <p>
      Next, use <code>virsh secret-define ceph-secret.xml</code> to define
      the secret and <code>virsh secret-set-value</code> using the generated
      UUID value and a base64 generated secret value in order to define the
      chosen secret pass phrase.
    </p>
    <pre>
      # virsh secret-define ceph-secret.xml
      Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created
      #
      # virsh secret-list
       UUID                                 Usage
      -----------------------------------------------------------
       1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example
      #
      # CEPHPHRASE=`printf %s "pass phrase" | base64`
      # virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE
      Secret value set

      #
    </pre>

    <p>
      The ceph secret can then be used by UUID or by the
      usage name via the <code>&lt;auth&gt;</code> element in a domain's
      <a href="formatdomain.html#elementsDisks"><code>&lt;disk&gt;</code></a>
      element as follows:
    </p>
    <pre>
      &lt;auth username='myname'&gt;
        &lt;secret type='ceph' usage='ceph_example'/&gt;
      &lt;/auth&gt;
    </pre>

    <p>
      As well as the <code>&lt;auth&gt;</code> element in a
      <a href="formatstorage.html">storage pool (rbd)</a>
      <code>&lt;source&gt;</code> element as follows:
    </p>
    <pre>
      &lt;auth type='ceph' username='myname'&gt;
        &lt;secret usage='ceph_example'/&gt;
      &lt;/auth&gt;
    </pre>

    <h3><a name="iSCSIUsageType">Usage type "iscsi"</a></h3>

    <p>
      This secret is associated with an iSCSI target for CHAP authentication.
      The <code>&lt;usage type='iscsi'&gt;</code> element must contain
      a single <code>target</code> element that specifies a usage name
      for the secret. The iSCSI secret can then be used by UUID or by
      this usage name via the <code>&lt;auth&gt;</code> element of
      a <a href="formatdomain.html#elementsDisks">disk device</a> or
      a <a href="formatstorage.html">storage pool (iscsi)</a>.
      <span class="since">Since 1.0.4</span>. The following is an example
      of the XML that may be used to generate a secret for iSCSI CHAP
      authentication. Assume the following sample entry in an iSCSI
      authentication file:
    </p>
      <pre>
      &lt;target iqn.2013-07.com.example:iscsi-pool&gt;
      backing-store /home/tgtd/iscsi-pool/disk1
      backing-store /home/tgtd/iscsi-pool/disk2
      incominguser myname mysecret
      &lt;/target&gt;
      </pre>
    <p>
      Define an iscsi-secret.xml file to describe the secret. Use the
      <code>incominguser</code> username used in your iSCSI authentication
      configuration file as the value for the <code>username</code> attribute.
      The <code>description</code> attribute should contain configuration
      specific data. The <code>target</code> name may be any name of your
      choosing to be used as the <code>usage</code> when used in the pool
      or disk XML description.
    </p>
    <pre>
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;Passphrase for the iSCSI example.com server&lt;/description&gt;
         &lt;usage type='iscsi'&gt;
            &lt;target&gt;libvirtiscsi&lt;/target&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;
    </pre>

    <p>
      Next, use <code>virsh secret-define iscsi-secret.xml</code> to define
      the secret and <code>virsh secret-set-value</code> using the generated
      UUID value and a base64 generated secret value in order to define the
      chosen secret pass phrase.  The pass phrase must match the password
      used in the iSCSI authentication configuration file.
    </p>
    <pre>
      # virsh secret-define secret.xml
      Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created

      # virsh secret-list
       UUID                                 Usage
      -----------------------------------------------------------
       c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi

      # MYSECRET=`printf %s "mysecret" | base64`
      # virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET
      Secret value set
      #
    </pre>

    <p>
      The iSCSI secret can then be used by UUID or by the
      usage name via the <code>&lt;auth&gt;</code> element in a domain's
      <a href="formatdomain.html#elementsDisks"><code>&lt;disk&gt;</code></a>
      element as follows:
    </p>
    <pre>
      &lt;auth username='myname'&gt;
        &lt;secret type='iscsi' usage='libvirtiscsi'/&gt;
      &lt;/auth&gt;
    </pre>

    <p>
      As well as the <code>&lt;auth&gt;</code> element in a
      <a href="formatstorage.html">storage pool (iscsi)</a>
      <code>&lt;source&gt;</code> element as follows:
    </p>
    <pre>
      &lt;auth type='chap' username='myname'&gt;
        &lt;secret usage='libvirtiscsi'/&gt;
      &lt;/auth&gt;
    </pre>

  </body>
</html>