Encrypt .config/incus/client.key?

Is there a way to encrypt the trusted .config/incus/client.key with a password?
I’d like to use a mechanism like the one ssh-agent offers to prevent unrestricted access if client.key is compromised.

Yeah, we support encrypted keys in the client. You’ll need to use openssl to do the key encryption initially but after that Incus should prompt when it needs the key.

Do note that this will lead to potentially a LOT of prompts if you don’t also use the Incus keepalive mechanism in your config.

Thanks @stgraber. Having the latest incus-client package installed on Debian, I see the key encryption/decryption works, see below.

But the ‘keepalive’ does not cache the decrypted key; instead, decryption is requested on every remote operation.

$ incus --version
6.0.5
$ mv ~/.config/incus/client.key ~/.config/incus/client.key.bak
$ openssl ec -aes256 -in ~/.config/incus/client.key.bak -out ~/.config/incus/client.key
read EC key
writing EC key
Enter pass phrase for PEM:
Verifying - Enter pass phrase for PEM:
$ chmod 600 ~/.config/incus/client.key
$ incus remote add mysrv https://1.2.3.4:8443 --keepalive=30
Password for /…/.config/incus/client.key:
Certificate fingerprint: …
ok (y/n/[fingerprint])? y
Password for /…/.config/incus/client.key:
$ incus ls mysrv:
Password for /…/.config/incus/client.key:
+------+---------+------+------+-----------+-----------+
| NAME |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| bar  | STOPPED |      |      | CONTAINER | 1         |
+------+---------+------+------+-----------+-----------+
| foo  | STOPPED |      |      | CONTAINER | 0         |
+------+---------+------+------+-----------+-----------+
$ incus ls mysrv:
Password for /…/.config/incus/client.key:
…
$ cat ~/.config/incus/config.yml
default-remote: local
remotes:
  mysrv:
    addr: https://1.2.3.4:8443
    auth_type: tls
    keepalive: 30
    project: default
    protocol: incus
    public: false
aliases: {}
defaults:
  list_format: ""
  console_type: ""
  console_spice_command: ""

After these two ‘incus ls’ commands I see 2 proxy processes running with full CPU load.
Although a keepalive/timeout is set to 30 seconds, they are running endlessly.

$ ps -aux | grep incus
myuser 3458278  101  0.0 6704596 17368 ?       Rsl  08:53   0:20 incus remote proxy mysrv /…/.config/incus/keepalive/mysrv.socket --timeout=30
myuser 3458491  102  0.0 6705044 17964 ?       Ssl  08:54   0:11 incus remote proxy mysrv /…/.config/incus/keepalive/mysrv.socket --timeout=30
$ ls -la ~/.config/incus/keepalive/
drwx------ 2 myuser myuser 2 Mär 12 18:44 .
drwxr-x--- 5 myuser myuser 9 Mär 13 08:37 ..

Oh, I think I know why :wink:
I’m guessing that those proxy processes are currently prompting for your passphrase :wink:

You are right :smile:

I sum up the command syntax to document the client key encryption and its use with a proxy so as not to have to enter the key repeatedly:

1) Encrypt the existing client.key

$ mv ~/.config/incus/client.key ~/.config/incus/client.key.bak
$ openssl ec -aes256 -in ~/.config/incus/client.key.bak -out ~/.config/incus/client.key
read EC key
writing EC key
Enter pass phrase for PEM:
Verifying - Enter pass phrase for PEM:
$ chmod 600 ~/.config/incus/client.key
$ incus remote add mysrv https://1.2.3.4:8443
$ incus ls mysrv:
Password for .config/incus/client.key: 
+------+---------+------+------+-----------+-----------+
| NAME |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| bar  | STOPPED |      |      | CONTAINER | 1         |
+------+---------+------+------+-----------+-----------+
| foo  | STOPPED |      |      | CONTAINER | 0         |
+------+---------+------+------+-----------+-----------+
# The encrypted key is working so remove the decrypted key
$ rm ~/.config/incus/client.key.bak

2) Use the encrypted key with a proxy so you need to authenticate once only

$ incus remote proxy mysrv ~/.config/incus/keepalive/mysrv.socket
Password for .config/incus/client.key: 
# send process to background
$ export INCUS_SOCKET=~/.config/incus/keepalive/mysrv.socket
$ incus ls
+------+---------+------+------+-----------+-----------+
| NAME |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| bar  | STOPPED |      |      | CONTAINER | 1         |
+------+---------+------+------+-----------+-----------+
| foo  | STOPPED |      |      | CONTAINER | 0         |
+------+---------+------+------+-----------+-----------+
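
A small post-encryption check script, added here as an example and not part of the thread or of Incus itself: it verifies that client.key really carries the legacy OpenSSL encryption headers that `openssl ec -aes256` writes (Proc-Type / DEK-Info), that the key is mode 600, and that the keepalive socket directory is mode 700, since anyone who can reach that socket uses the remote without the passphrase while the proxy runs. The sample PEM it writes is constructed with a placeholder body and contains no real key material.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks to run after encrypting
# ~/.config/incus/client.key and before removing client.key.bak. Assumes the
# legacy PEM headers that `openssl ec -aes256` writes (Proc-Type / DEK-Info).

# 0 if the PEM carries the OpenSSL encryption headers, 1 if it is still plaintext.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info: ' "$1"
}

# 0 if the file's octal mode equals $2 (e.g. 600); tries GNU stat, then BSD stat.
has_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "$2" ]
}

# Runs every check, reports each failure on stdout and returns the failure count.
check_incus_key() {
    key=$1; dir=$2; fails=0
    key_is_encrypted "$key" || { echo "NOT encrypted: $key"; fails=$((fails + 1)); }
    has_mode "$key" 600 || { echo "mode is not 600: $key"; fails=$((fails + 1)); }
    # Anyone who can connect to the keepalive socket uses the remote without the
    # passphrase for as long as the proxy runs, so the socket directory must be
    # private as well (the ls output above shows drwx------ for it).
    has_mode "$dir" 700 || { echo "mode is not 700: $dir"; fails=$((fails + 1)); }
    return "$fails"
}

# Writes a constructed, encrypted-looking PEM with a placeholder body (no real
# key material) to $1, so the checks can be exercised without openssl.
write_sample_encrypted_key() {
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'PLACEHOLDER_CIPHERTEXT_NOT_A_REAL_KEY=' '-----END EC PRIVATE KEY-----' > "$1"
    chmod 600 "$1"
}

# Stand-alone demo against a throwaway directory; the real paths would be
# ~/.config/incus/client.key and ~/.config/incus/keepalive.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/keepalive"
    write_sample_encrypted_key "$tmp/client.key"
    check_incus_key "$tmp/client.key" "$tmp/keepalive" && echo "all checks passed"
    rm -rf "$tmp"
}

demo
```

Run it against the real paths with `check_incus_key ~/.config/incus/client.key ~/.config/incus/keepalive` before deleting client.key.bak.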

Feel free to file an issue on GitHub and I’ll take a look at how we can handle this. We’d probably want to switch things such that the proxy can prompt for the key before going into the background instead of being directly spawned in the background and then having it get stuck there.