8 # System and Service Credentials
11 acquiring and passing credential data to systems and services. The precise
13 intended to provide systems and services with potentially security sensitive
14 cryptographic keys, certificates, passwords, identity information and similar
16 parameterizing systems and services.
20 inherited down the process tree, have size limitations, and issues with binary
21 data) or simple, unencrypted files on disk. `systemd`'s system and service
25 1. Service credentials are acquired at the moment of service activation, and
44 5. Credentials may optionally be encrypted and authenticated, either with a key
46 encryption is supposed to *just* *work*, and requires no manual setup. (That
55 environment and the EFI System Partition (via `systemd-stub`). Such system
59 with `RootImage=` or `RootDirectory=` and thus cannot read these resources
62 parameterized this way securely and robustly.
64 9. Credentials can be binary and relatively large (though currently an overall
75 in the unit file. Because unit files are world-readable (both on disk and
80 encrypted credential, and decrypt it before passing it to the service. For
100 settings (e.g. `ProtectSystem=`, `ReadOnlyPaths=` and similar) imply
144 passed this way, i.e. look for `$CREDENTIALS_DIRECTORY` and load the credential
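The fragment above describes the consumer side of the mechanism: a service started with `LoadCredential=`/`SetCredential=` finds `$CREDENTIALS_DIRECTORY` in its environment and reads each credential as a file named after the credential id, instead of expecting the secret in an environment variable or on the command line. The following is an added example, not code from the systemd documentation or project; the constructed temporary directory and the credential id `foobar` with value `hunter2` stand in for what systemd would provide at activation time.

```bash
#!/bin/sh
# Added example (not from the systemd documentation): service-side loading of a
# credential passed via $CREDENTIALS_DIRECTORY.

# load_credential ID: print the credential's contents on stdout; fail (non-zero)
# if the credential directory is not set or the credential is absent. Errors go
# to stderr so the secret itself is never echoed in a diagnostic.
load_credential() {
    name=$1
    if [ -z "${CREDENTIALS_DIRECTORY:-}" ]; then
        echo "load_credential: CREDENTIALS_DIRECTORY not set; was the service started with credentials?" >&2
        return 1
    fi
    # Refuse ids that are not a single path component, so a bad id in config
    # cannot walk out of the credentials directory.
    case $name in
        ''|*/*|.|..) echo "load_credential: invalid credential id '$name'" >&2; return 1 ;;
    esac
    path="$CREDENTIALS_DIRECTORY/$name"
    if [ ! -r "$path" ]; then
        echo "load_credential: credential '$name' not available at $path" >&2
        return 1
    fi
    cat "$path"
}

# demo: simulate the directory systemd would hand to the service (assumption:
# this script is not running inside a real systemd service) and read from it.
demo() {
    tmp=$(mktemp -d)
    printf 'hunter2' > "$tmp/foobar"   # constructed credential, not real data
    chmod 0400 "$tmp/foobar"
    CREDENTIALS_DIRECTORY=$tmp load_credential foobar
    echo
    rm -rf "$tmp"
}

demo
```

Read the credential once at startup and keep it out of process arguments and the environment, where it would be visible to other processes or inherited by children; the credential directory itself is per-service and removed when the service stops.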
156 tool is provided to work with system and service credentials. It may be used to
157 access and enumerate system and service credentials, or to encrypt/decrypt credentials
180 as cryptographic key material. For this kind of data (symmetric) encryption and
182 may be encrypted and authenticated with AES256-GCM. The encryption key can
185 device is available and `/var/` resides on persistent storage the default
187 credentials protected this way can only be decrypted and validated on the
188 local hardware and OS installation. Encrypted credentials stored on disk thus
189 cannot be decrypted without access to the TPM2 chip and the aforementioned key
193 The `systemd-creds` tool provides the commands `encrypt` and `decrypt` to
194 encrypt and decrypt/authenticate credentials. Example:
205 and passes it as decrypted credential `foobar` to the invoked service binary
252 `--set-credential=` and `--load-credential=` switches implement this, in
272 EFI System Partition, which are then picked up by `systemd-stub` and passed
273 to the kernel and ultimately userspace where systemd receives them. This is
274 useful to implement secure parameterization of vendor-built and signed
276 kernels, and be sure they can be accessed securely from initrd context.
304 `systemd-nspawn`, and once as VM via `qemu`. In each case the credential
325 `passwd.plaintext-password.<username>` and `passwd.shell.<username>` to
346 This boots the specified disk image as `systemd-nspawn` container, and passes
347 the root password `mysecret` and default locale `C.UTF-8` to it. This
348 data is then propagated by default to `systemd-sysusers.service` and
351 have an effect on *unprovisioned* systems, and will never override data already
377 a container manager or via qemu) and `/run/credentials/@encrypted/` (for
381 The `LoadCredential=` and `LoadCredentialEncrypted=` settings when configured
387 `/etc/credstore.encrypted/` and similar directories. These directories are