1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <h1>Secret XML format</h1>
9 <h2><a name="SecretAttributes">Secret XML</a></h2>
12 Secrets stored by libvirt may have attributes associated with them, using
13 the <code>secret</code> element. The <code>secret</code> element has two
14 optional attributes, each with values '<code>yes</code>' and
15 '<code>no</code>', and defaulting to '<code>no</code>':
18 <dt><code>ephemeral</code></dt>
19 <dd>This secret must only be kept in memory, never stored persistently.
21 <dt><code>private</code></dt>
22 <dd>The value of the secret must not be revealed to any caller of libvirt,
23 nor to any other node.
27 The top-level <code>secret</code> element may contain the following
31 <dt><code>uuid</code></dt>
33 An unique identifier for this secret (not necessarily in the UUID
34 format). If omitted when defining a new secret, a random UUID is
37 <dt><code>description</code></dt>
38 <dd>A human-readable description of the purpose of the secret.
40 <dt><code>usage</code></dt>
42 Specifies what this secret is used for. A mandatory
43 <code>type</code> attribute specifies the usage category, currently
44 only <code>volume</code>, <code>ceph</code> and <code>iscsi</code>
45 are defined. Specific usage categories are described below.
49 <h3><a name="VolumeUsageType">Usage type "volume"</a></h3>
52 This secret is associated with a volume, and it is safe to delete the
53 secret after the volume is deleted. The <code><usage
54 type='volume'></code> element must contain a
55 single <code>volume</code> element that specifies the key of the volume
56 this secret is associated with. For example, create a volume-secret.xml
61 <secret ephemeral='no' private='yes'>
62 <description>Super secret name of my first puppy</description>
63 <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid>
64 <usage type='volume'>
65 <volume>/var/lib/libvirt/images/puppyname.img</volume>
71 Define the secret and set the pass phrase as follows:
74 # virsh secret-define volume-secret.xml
75 Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created
77 # MYSECRET=`printf %s "open sesame" | base64`
78 # virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET
84 The volume type secret can then be used in the XML for a storage volume
85 <a href="formatstorageencryption.html">encryption</a> as follows:
88 <encryption format='qcow'>
89 <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
93 <h3><a name="CephUsageType">Usage type "ceph"</a></h3>
95 This secret is associated with a Ceph RBD (rados block device).
96 The <code><usage type='ceph'></code> element must contain
97 a single <code>name</code> element that specifies a usage name
98 for the secret. The Ceph secret can then be used by UUID or by
99 this usage name via the <code><auth></code> element of
100 a <a href="formatdomain.html#elementsDisks">disk device</a> or
101 a <a href="formatstorage.html">storage pool (rbd)</a>.
102 <span class="since">Since 0.9.7</span>. The following is an example
103 of the steps to be taken. First create a ceph-secret.xml file:
107 <secret ephemeral='no' private='yes'>
108 <description>CEPH passphrase example</description>
109 <usage type='ceph'>
110 <name>ceph_example</name>
116 Next, use <code>virsh secret-define ceph-secret.xml</code> to define
117 the secret and <code>virsh secret-set-value</code> using the generated
118 UUID value and a base64 generated secret value in order to define the
119 chosen secret pass phrase.
122 # virsh secret-define ceph-secret.xml
123 Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created
127 -----------------------------------------------------------
128 1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example
130 # CEPHPHRASE=`printf %s "pass phrase" | base64`
131 # virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE
138 The ceph secret can then be used by UUID or by the
139 usage name via the <code><auth></code> element in a domain's
140 <a href="formatdomain.html#elementsDisks"><code><disk></code></a>
144 <auth username='myname'>
145 <secret type='ceph' usage='ceph_example'/>
150 As well as the <code><auth></code> element in a
151 <a href="formatstorage.html">storage pool (rbd)</a>
152 <code><source></code> element as follows:
155 <auth type='ceph' username='myname'>
156 <secret usage='ceph_example'/>
160 <h3><a name="iSCSIUsageType">Usage type "iscsi"</a></h3>
163 This secret is associated with an iSCSI target for CHAP authentication.
164 The <code><usage type='iscsi'></code> element must contain
165 a single <code>target</code> element that specifies a usage name
166 for the secret. The iSCSI secret can then be used by UUID or by
167 this usage name via the <code><auth></code> element of
168 a <a href="formatdomain.html#elementsDisks">disk device</a> or
169 a <a href="formatstorage.html">storage pool (iscsi)</a>.
170 <span class="since">Since 1.0.4</span>. The following is an example
171 of the XML that may be used to generate a secret for iSCSI CHAP
172 authentication. Assume the following sample entry in an iSCSI
176 <target iqn.2013-07.com.example:iscsi-pool>
177 backing-store /home/tgtd/iscsi-pool/disk1
178 backing-store /home/tgtd/iscsi-pool/disk2
179 incominguser myname mysecret
183 Define an iscsi-secret.xml file to describe the secret. Use the
184 <code>incominguser</code> username used in your iSCSI authentication
185 configuration file as the value for the <code>username</code> attribute.
186 The <code>description</code> attribute should contain configuration
187 specific data. The <code>target</code> name may be any name of your
188 choosing to be used as the <code>usage</code> when used in the pool
189 or disk XML description.
192 <secret ephemeral='no' private='yes'>
193 <description>Passphrase for the iSCSI example.com server</description>
194 <usage type='iscsi'>
195 <target>libvirtiscsi</target>
201 Next, use <code>virsh secret-define iscsi-secret.xml</code> to define
202 the secret and <code>virsh secret-set-value</code> using the generated
203 UUID value and a base64 generated secret value in order to define the
204 chosen secret pass phrase. The pass phrase must match the password
205 used in the iSCSI authentication configuration file.
208 # virsh secret-define secret.xml
209 Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created
213 -----------------------------------------------------------
214 c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi
216 # MYSECRET=`printf %s "mysecret" | base64`
217 # virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET
223 The iSCSI secret can then be used by UUID or by the
224 usage name via the <code><auth></code> element in a domain's
225 <a href="formatdomain.html#elementsDisks"><code><disk></code></a>
229 <auth username='myname'>
230 <secret type='iscsi' usage='libvirtiscsi'/>
235 As well as the <code><auth></code> element in a
236 <a href="formatstorage.html">storage pool (iscsi)</a>
237 <code><source></code> element as follows:
240 <auth type='chap' username='myname'>
241 <secret usage='libvirtiscsi'/>