diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index defbe71731..8d0630a7c3 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -42,8 +42,8 @@
Specifies what this secret is used for. A mandatory
type
attribute specifies the usage category, currently
only volume
, ceph
, iscsi
,
- and tls
are defined. Specific usage categories
- are described below.
+ tls
, and vtpm
are defined. Specific usage
+ categories are described below.
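Review bot: the new `vtpm` entry in the usage-type list carries no version marker, while the detailed `vtpm` section added further down is tagged "Since 5.6.0"; readers scanning only this list cannot tell it is newer than the other four types. Suggest appending the same "Since 5.6.0" annotation here, consistent with how the rest of the document marks additions.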
@@ -322,6 +322,63 @@ Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
# MYSECRET=`printf %s "letmein" | base64` # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET +Secret value set + ++ +
+ This secret is associated with a virtualized TPM (vTPM) and serves
+ as a passphrase for deriving a key from for encrypting the state
+ of the vTPM.
+ The <usage type='vtpm'>
element must contain
+ a single name
element that specifies a usage name
+ for the secret. The vTPM secret can then be used by UUID or by
+ this usage name via the <encryption>
element of
+ a tpm when using an
+ emulator.
+ Since 5.6.0. The following is an example
+ of the steps to be taken. First create a vtpm-secret.xml file:
+# cat vtpm-secret.xml +<secret ephemeral='no' private='yes'> + <description>sample vTPM secret</description> + <usage type='vtpm'> + <name>VTPM_example</name> + </usage> +</secret> + +# virsh secret-define vtpm-secret.xml +Secret 6dd3e4a5-1d76-44ce-961f-f119f5aad935 created + +# virsh secret-list + UUID Usage +---------------------------------------------------------------------------------------- + 6dd3e4a5-1d76-44ce-961f-f119f5aad935 vtpm VTPM_example + +# + ++ +
+ A secret may also be defined via the
+
+ virSecretDefineXML
API.
+
+ Once the secret is defined, a secret value will need to be set. The
+ secret would be the passphrase used to decrypt the vTPM state.
+ The following is a simple example of using
+ virsh secret-set-value
to set the secret value. The
+
+ virSecretSetValue
API may also be used to set
+ a more secure secret without using printable/readable characters.
+
+# MYSECRET=`printf %s "open sesame" | base64` +# virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET Secret value set
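Review bot: the opening sentence of the new vtpm section, "serves as a passphrase for deriving a key from for encrypting the state of the vTPM", has a doubled preposition and reads awkwardly; suggest "serves as the passphrase from which the key used to encrypt the vTPM state is derived". Also, the `secret-set-value` example places the base64-encoded passphrase on the command line (`# virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET`), which leaves it in shell history and visible to other users via the process list; since the surrounding text already points readers to `virSecretSetValue` for a "more secure secret", it would help to state that exposure explicitly as the reason, so the example is not copied as-is into production setups. Finally, the trailing `Secret value set` output line appears to have lost its leading `+`, so the hunk as shown may not apply cleanly.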