docs/system/secrets.rst

3 Providing secret data to QEMU
6 There are a variety of objects in QEMU which require secret data to be provided
10 QEMU has a general purpose mechanism for providing secret data to QEMU in a
11 secure manner, using the ``secret`` object type.
13 At startup this can be done using the ``-object secret,...`` command line
17 a ``secret`` object it must be given a unique ID string. This ID is then
32 to pass secret data inline on the command line.
36    -object secret,id=secvnc0,data=87539319
45    -object secret,id=secvnc0,data=ODc1MzkzMTk=,format=base64
54 the secret:
58    -object secret,id=secvnc0,file=vnc-password.txt
61 In this example the file ``vnc-password.txt`` contains the plain text secret
65 this newline is not intended to be part of the secret data.
67 In some cases it might be more convenient to pass the secret data in base64
72    -object secret,id=sec0,file=vnc-password.txt,format=base64
80 secret data.
87 possible to configure a second secret as an AES key to use for decrypting
90 The secret used as the AES key must always be configured using the file based
95    -object secret,id=secmaster,file=masterkey.data,format=base64
101 real secret that can now be safely passed to QEMU inline as cipher text
105    -object secret,id=secvnc0,keyid=secmaster,data=BASE64-CIPHERTEXT,iv=BASE64-IV,format=base64
109 the secret with ``masterkey.data`` and then base64 encoding the ciphertext.
114 critical that a different initialization vector is used for every secret**.
127 This instructs QEMU to load data from the Linux keyring secret identified by
146 It is recommended for production deployments to use a master key secret, and