Creating and retrieving retrievable secrets
You can submit retrievable secrets to the ultravisor and retrieve them on the guest for which they were intended.
Before you begin
About this task
Retrievable secrets are defined by a 32-byte ID and have a type. The type can be plaintext or a protected key type.
You set the secret type through a flag, for example: pvsecret [..] retrievable -aes <key>. The size or curve is determined automatically by the command from the key that you supply. The following sizes and curves are supported; unsupported sizes and curves are rejected:
- AES 128, 192, and 256
- AES XTS 128 and 256
- HMAC SHA256 and SHA512
- EC secp256k1, secp384r1, secp521r1, ed25519, and ed448
To retrieve a secret, you use pvsecret retrieve <secret>.yaml. The yaml file is the one that was generated during pvsecret create. If the secret is not retrievable, that is, if it is an association secret, or if the secret was not added before, the command issues an error message.
The example, illustrated in Figure 1, creates a retrievable secret with a name of MyRetrSecret.
Procedure
Example
