Bug 1261133 - RFE: support encryption TLS keys
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
7.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: John Ferlan
yafu
: FutureFeature
Depends On:
Blocks:
Reported: 2015-09-08 12:42 EDT by Daniel Berrange
Modified: 2017-10-11 06:31 EDT

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Daniel Berrange 2015-09-08 12:42:36 EDT
Description of problem:
Libvirt supports TLS, but currently requires that the TLS private key .pem file is stored unencrypted. Libvirt needs to be able to load encrypted keys, with a mechanism for running a helper to decrypt them.

This blog post gives an example of how Apache deals with it, which would work for libvirt too:

http://blog-ftweedal.rhcloud.com/2015/09/automatic-decryption-of-tls-private-keys-with-deo/

We also need to figure out how to deal with the same problem for QEMU, which also uses TLS for VNC (and soon, migration and NBD too). In this case prompting the user for keys is not really acceptable, so libvirt might have to pass across a decryption key to QEMU.

Version-Release number of selected component (if applicable):
libvirt-1.2.19
