1*491024a5SDaniel P. Berrangé.. _secret data: 2*491024a5SDaniel P. Berrangé 3*491024a5SDaniel P. BerrangéProviding secret data to QEMU 4*491024a5SDaniel P. Berrangé----------------------------- 5*491024a5SDaniel P. Berrangé 6*491024a5SDaniel P. BerrangéThere are a variety of objects in QEMU which require secret data to be provided 7*491024a5SDaniel P. Berrangéby the administrator or management application. For example, network block 8*491024a5SDaniel P. Berrangédevices often require a password, LUKS block devices require a passphrase to 9*491024a5SDaniel P. Berrangéunlock key material, remote desktop services require an access password. 10*491024a5SDaniel P. BerrangéQEMU has a general purpose mechanism for providing secret data to QEMU in a 11*491024a5SDaniel P. Berrangésecure manner, using the ``secret`` object type. 12*491024a5SDaniel P. Berrangé 13*491024a5SDaniel P. BerrangéAt startup this can be done using the ``-object secret,...`` command line 14*491024a5SDaniel P. Berrangéargument. At runtime this can be done using the ``object_add`` QMP / HMP 15*491024a5SDaniel P. Berrangémonitor commands. The examples that follow will illustrate use of ``-object`` 16*491024a5SDaniel P. Berrangécommand lines, but they all apply equivalentely in QMP / HMP. When creating 17*491024a5SDaniel P. Berrangéa ``secret`` object it must be given a unique ID string. This ID is then 18*491024a5SDaniel P. Berrangéused to identify the object when configuring the thing which need the data. 19*491024a5SDaniel P. Berrangé 20*491024a5SDaniel P. Berrangé 21*491024a5SDaniel P. BerrangéINSECURE: Passing secrets as clear text inline 22*491024a5SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 23*491024a5SDaniel P. Berrangé 24*491024a5SDaniel P. Berrangé**The following should never be done in a production environment or on a 25*491024a5SDaniel P. Berrangémulti-user host. Command line arguments are usually visible in the process 26*491024a5SDaniel P. Berrangélistings and are often collected in log files by system monitoring agents 27*491024a5SDaniel P. Berrangéor bug reporting tools. QMP/HMP commands and their arguments are also often 28*491024a5SDaniel P. Berrangélogged and attached to bug reports. This all risks compromising secrets that 29*491024a5SDaniel P. Berrangéare passed inline.** 30*491024a5SDaniel P. Berrangé 31*491024a5SDaniel P. BerrangéFor the convenience of people debugging / developing with QEMU, it is possible 32*491024a5SDaniel P. Berrangéto pass secret data inline on the command line. 33*491024a5SDaniel P. Berrangé 34*491024a5SDaniel P. Berrangé:: 35*491024a5SDaniel P. Berrangé 36*491024a5SDaniel P. Berrangé -object secret,id=secvnc0,data=87539319 37*491024a5SDaniel P. Berrangé 38*491024a5SDaniel P. Berrangé 39*491024a5SDaniel P. BerrangéAgain it is possible to provide the data in base64 encoded format, which is 40*491024a5SDaniel P. Berrangéparticularly useful if the data contains binary characters that would clash 41*491024a5SDaniel P. Berrangéwith argument parsing. 42*491024a5SDaniel P. Berrangé 43*491024a5SDaniel P. Berrangé:: 44*491024a5SDaniel P. Berrangé 45*491024a5SDaniel P. Berrangé -object secret,id=secvnc0,data=ODc1MzkzMTk=,format=base64 46*491024a5SDaniel P. Berrangé 47*491024a5SDaniel P. Berrangé 48*491024a5SDaniel P. Berrangé**Note: base64 encoding does not provide any security benefit.** 49*491024a5SDaniel P. Berrangé 50*491024a5SDaniel P. BerrangéPassing secrets as clear text via a file 51*491024a5SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 52*491024a5SDaniel P. Berrangé 53*491024a5SDaniel P. BerrangéThe simplest approach to providing data securely is to use a file to store 54*491024a5SDaniel P. Berrangéthe secret: 55*491024a5SDaniel P. Berrangé 56*491024a5SDaniel P. Berrangé:: 57*491024a5SDaniel P. Berrangé 58*491024a5SDaniel P. Berrangé -object secret,id=secvnc0,file=vnc-password.txt 59*491024a5SDaniel P. Berrangé 60*491024a5SDaniel P. Berrangé 61*491024a5SDaniel P. BerrangéIn this example the file ``vnc-password.txt`` contains the plain text secret 62*491024a5SDaniel P. Berrangédata. It is important to note that the contents of the file are treated as an 63*491024a5SDaniel P. Berrangéopaque blob. The entire raw file contents is used as the value, thus it is 64*491024a5SDaniel P. Berrangéimportant not to mistakenly add any trailing newline character in the file if 65*491024a5SDaniel P. Berrangéthis newline is not intended to be part of the secret data. 66*491024a5SDaniel P. Berrangé 67*491024a5SDaniel P. BerrangéIn some cases it might be more convenient to pass the secret data in base64 68*491024a5SDaniel P. Berrangéformat and have QEMU decode to get the raw bytes before use: 69*491024a5SDaniel P. Berrangé 70*491024a5SDaniel P. Berrangé:: 71*491024a5SDaniel P. Berrangé 72*491024a5SDaniel P. Berrangé -object secret,id=sec0,file=vnc-password.txt,format=base64 73*491024a5SDaniel P. Berrangé 74*491024a5SDaniel P. Berrangé 75*491024a5SDaniel P. BerrangéThe file should generally be given mode ``0600`` or ``0400`` permissions, and 76*491024a5SDaniel P. Berrangéhave its user/group ownership set to the same account that the QEMU process 77*491024a5SDaniel P. Berrangéwill be launched under. If using mandatory access control such as SELinux, then 78*491024a5SDaniel P. Berrangéthe file should be labelled to only grant access to the specific QEMU process 79*491024a5SDaniel P. Berrangéthat needs access. This will prevent other processes/users from compromising the 80*491024a5SDaniel P. Berrangésecret data. 81*491024a5SDaniel P. Berrangé 82*491024a5SDaniel P. Berrangé 83*491024a5SDaniel P. BerrangéPassing secrets as cipher text inline 84*491024a5SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 85*491024a5SDaniel P. Berrangé 86*491024a5SDaniel P. BerrangéTo address the insecurity of passing secrets inline as clear text, it is 87*491024a5SDaniel P. Berrangépossible to configure a second secret as an AES key to use for decrypting 88*491024a5SDaniel P. Berrangéthe data. 89*491024a5SDaniel P. Berrangé 90*491024a5SDaniel P. BerrangéThe secret used as the AES key must always be configured using the file based 91*491024a5SDaniel P. Berrangéstorage mechanism: 92*491024a5SDaniel P. Berrangé 93*491024a5SDaniel P. Berrangé:: 94*491024a5SDaniel P. Berrangé 95*491024a5SDaniel P. Berrangé -object secret,id=secmaster,file=masterkey.data,format=base64 96*491024a5SDaniel P. Berrangé 97*491024a5SDaniel P. Berrangé 98*491024a5SDaniel P. BerrangéIn this case the ``masterkey.data`` file would be initialized with 32 99*491024a5SDaniel P. Berrangécryptographically secure random bytes, which are then base64 encoded. 100*491024a5SDaniel P. BerrangéThe contents of this file will by used as an AES-256 key to encrypt the 101*491024a5SDaniel P. Berrangéreal secret that can now be safely passed to QEMU inline as cipher text 102*491024a5SDaniel P. Berrangé 103*491024a5SDaniel P. Berrangé:: 104*491024a5SDaniel P. Berrangé 105*491024a5SDaniel P. Berrangé -object secret,id=secvnc0,keyid=secmaster,data=BASE64-CIPHERTEXT,iv=BASE64-IV,format=base64 106*491024a5SDaniel P. Berrangé 107*491024a5SDaniel P. Berrangé 108*491024a5SDaniel P. BerrangéIn this example ``BASE64-CIPHERTEXT`` is the result of AES-256-CBC encrypting 109*491024a5SDaniel P. Berrangéthe secret with ``masterkey.data`` and then base64 encoding the ciphertext. 110*491024a5SDaniel P. BerrangéThe ``BASE64-IV`` data is 16 random bytes which have been base64 encrypted. 111*491024a5SDaniel P. BerrangéThese bytes are used as the initialization vector for the AES-256-CBC value. 112*491024a5SDaniel P. Berrangé 113*491024a5SDaniel P. BerrangéA single master key can be used to encrypt all subsequent secrets, **but it is 114*491024a5SDaniel P. Berrangécritical that a different initialization vector is used for every secret**. 115*491024a5SDaniel P. Berrangé 116*491024a5SDaniel P. BerrangéPassing secrets via the Linux keyring 117*491024a5SDaniel P. Berrangé~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 118*491024a5SDaniel P. Berrangé 119*491024a5SDaniel P. BerrangéThe earlier mechanisms described are platform agnostic. If using QEMU on a Linux 120*491024a5SDaniel P. Berrangéhost, it is further possible to pass secrets to QEMU using the Linux keyring: 121*491024a5SDaniel P. Berrangé 122*491024a5SDaniel P. Berrangé:: 123*491024a5SDaniel P. Berrangé 124*491024a5SDaniel P. Berrangé -object secret_keyring,id=secvnc0,serial=1729 125*491024a5SDaniel P. Berrangé 126*491024a5SDaniel P. Berrangé 127*491024a5SDaniel P. BerrangéThis instructs QEMU to load data from the Linux keyring secret identified by 128*491024a5SDaniel P. Berrangéthe serial number ``1729``. It is possible to combine use of the keyring with 129*491024a5SDaniel P. Berrangéother features mentioned earlier such as base64 encoding: 130*491024a5SDaniel P. Berrangé 131*491024a5SDaniel P. Berrangé:: 132*491024a5SDaniel P. Berrangé 133*491024a5SDaniel P. Berrangé -object secret_keyring,id=secvnc0,serial=1729,format=base64 134*491024a5SDaniel P. Berrangé 135*491024a5SDaniel P. Berrangé 136*491024a5SDaniel P. Berrangéand also encryption with a master key: 137*491024a5SDaniel P. Berrangé 138*491024a5SDaniel P. Berrangé:: 139*491024a5SDaniel P. Berrangé 140*491024a5SDaniel P. Berrangé -object secret_keyring,id=secvnc0,keyid=secmaster,serial=1729,iv=BASE64-IV 141*491024a5SDaniel P. Berrangé 142*491024a5SDaniel P. Berrangé 143*491024a5SDaniel P. BerrangéBest practice 144*491024a5SDaniel P. Berrangé~~~~~~~~~~~~~ 145*491024a5SDaniel P. Berrangé 146*491024a5SDaniel P. BerrangéIt is recommended for production deployments to use a master key secret, and 147*491024a5SDaniel P. Berrangéthen pass all subsequent inline secrets encrypted with the master key. 148*491024a5SDaniel P. Berrangé 149*491024a5SDaniel P. BerrangéEach QEMU instance must have a distinct master key, and that must be generated 150*491024a5SDaniel P. Berrangéfrom a cryptographically secure random data source. The master key should be 151*491024a5SDaniel P. Berrangédeleted immediately upon QEMU shutdown. If passing the master key as a file, 152*491024a5SDaniel P. Berrangéthe key file must have access control rules applied that restrict access to 153*491024a5SDaniel P. Berrangéjust the one QEMU process that is intended to use it. Alternatively the Linux 154*491024a5SDaniel P. Berrangékeyring can be used to pass the master key to QEMU. 155*491024a5SDaniel P. Berrangé 156*491024a5SDaniel P. BerrangéThe secrets for individual QEMU device backends must all then be encrypted 157*491024a5SDaniel P. Berrangéwith this master key. 158*491024a5SDaniel P. Berrangé 159*491024a5SDaniel P. BerrangéThis procedure helps ensure that the individual secrets for QEMU backends will 160*491024a5SDaniel P. Berrangénot be compromised, even if ``-object`` CLI args or ``object_add`` monitor 161*491024a5SDaniel P. Berrangécommands are collected in log files and attached to public bug support tickets. 162*491024a5SDaniel P. BerrangéThe only item that needs strongly protecting is the master key file. 163