doc: Hints on encrypting client key

Signed-off-by: Joseph Price <joe@pricey.uk>
lxc · Feb 6, 2024 · 61fe4f5 · 61fe4f5
1 parent e224ed9
commit 61fe4f5
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/doc/authentication.md b/doc/authentication.md
@@ -109,6 +109,34 @@ If the server certificate is valid and signed by the CA, then the connection con
 
 Note that the generated certificates are not automatically trusted. You must still add them to the server in one of the ways described in {ref}`authentication-trusted-clients`.
 
+### Encrypting local keys
+
+The `incus` client also supports encrypted client keys. Keys generated via the methods above can be encrypted with a password by one of the following, depend on your cipher:
+
+```
+openssl ec -aes256 -in .config/incus/client.key -out .config/incus/client.key
+```
+
+or
+
+```
+openssl rsa -aes256 -in .config/incus/client.key -out .config/incus/client.key
+```
+
+```{note}
+Unless you enable [keepalive mode](https://linuxcontainers.org/incus/news/#keep-alive-support-in-cli-client), then every single call to incus will cause the prompt which may get a bit annoying:
+
+    $ incus list remote-host:
+    Password for client.crt:
+    +------+-------+------+------+------+-----------+
+    | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+    +------+-------+------+------+------+-----------+
+```
+
+```{note}
+While the `incus` command line supports encrypted keys, tools such as [ansible's connection plugin](https://docs.ansible.com/ansible/latest/collections/community/general/incus_connection.html) do not.
+```
+
 (authentication-openid)=
 ## OpenID Connect authentication