You are right
I sum up the command syntax to document the client key encryption and its use with a proxy so as not to have to enter the key repeatedly:

1) Encrypt the existing client.key

```
$ mv ~/.config/incus/client.key ~/.config/incus/client.key.bak
$ openssl ec -aes256 -in ~/.config/incus/client.key.bak -out ~/.config/incus/client.key
read EC key
writing EC key
Enter pass phrase for PEM:
Verifying - Enter pass phrase for PEM:
$ chmod 600 ~/.config/incus/client.key
$ incus remote add mysrv https://1.2.3.4:8443
$ incus ls mysrv:
Password for .config/incus/client.key:
+------+---------+------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| bar | STOPPED | | | CONTAINER | 1 |
+------+---------+------+------+-----------+-----------+
| foo | STOPPED | | | CONTAINER | 0 |
+------+---------+------+------+-----------+-----------+
# The encrypted key is working so remove the decrypted key
$ rm ~/.config/incus/client.key.bak
```

2) Use the encrypted key with a proxy so you need to authenticate once only

```
$ incus remote proxy mysrv ~/.config/incus/keepalive/mysrv.socket
Password for .config/incus/client.key:
# send process to background
$ export INCUS_SOCKET=~/.config/incus/keepalive/mysrv.socket
$ incus ls
+------+---------+------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| bar | STOPPED | | | CONTAINER | 1 |
+------+---------+------+------+-----------+-----------+
| foo | STOPPED | | | CONTAINER | 0 |
+------+---------+------+------+-----------+-----------+
```
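
Added example (not part of the original post, and not Incus code): a POSIX shell check for the state the two steps above should leave behind. It verifies that `client.key` is passphrase-protected and closed to group/other, that no `client.key.bak` remains, and that the `keepalive` directory is private, since the proxy socket inside it answers requests without asking for the passphrase. The function names are hypothetical; the paths are the ones used in the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are those in the post.

# True when group and other have no permission bits on the path.
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the PEM key is passphrase-protected: traditional format
# (Proc-Type header) or PKCS#8 (ENCRYPTED PRIVATE KEY).
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Print one line per finding and return the number of findings (0 = clean).
audit_incus_client() {
    dir=$1
    key="$dir/client.key"
    findings=0
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"; findings=$((findings + 1))
    else
        key_is_encrypted "$key" ||
            { echo "NOT ENCRYPTED: $key"; findings=$((findings + 1)); }
        private_mode "$key" ||
            { echo "GROUP/OTHER ACCESS: $key"; findings=$((findings + 1)); }
    fi
    # The backup from step 1 holds the unencrypted key.
    if [ -e "$key.bak" ]; then
        echo "LEFTOVER BACKUP: $key.bak"; findings=$((findings + 1))
    fi
    # The proxy socket needs no passphrase, so keep its directory private.
    if [ -d "$dir/keepalive" ] && ! private_mode "$dir/keepalive"; then
        echo "GROUP/OTHER ACCESS: $dir/keepalive"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: audit_incus_client "$HOME/.config/incus"
```

The return value is the number of findings, so it can gate a login script or a cron check directly.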