Red Hat Bugzilla – Bug 1017273
RFE: Support storage of secrets in a secure pkcs11 file or similar
Last modified: 2016-04-10 11:01:37 EDT
Description of problem:
Currently libvirt stores persistent secrets in unencrypted files in /etc/libvirt/secrets. This is not a big security problem since the virtualization host fundamentally must be a trusted component. The secrets are about protecting against rogue storage admins, and/or authenticating with network storage.
It would still, however, be desirable to have the secrets stored encrypted to at least make a dedicated forensics attacker have to do some non-trivial work to recover them, even when the HD itself is not encrypted.
We could probably leverage something like pkcs11 as a secure storage mechanism to do this. There might be good enough support in gnutls APIs to do this. TBD.
*** This bug has been marked as a duplicate of bug 636152 ***