[systemd-devel] Managing systemd credentials

[Joan Torres]

Hello!

I have a few questions about how systemd credentials feature works.


  *   I can encrypt an input file using systemd-creds tool but I need privileged permissions to do that. Is there a way of doing it as a non-root user? Maybe ask from a user process to systemd through dbus?
  *   If I pass a credential to a service through SetCredentialEncrypted arg in its unit.file, systemd decrypts it and the service has access to it. I found that using SetCredential stores the credential in its corresponding $CREDENTIALS_DIRECTORY but when using SetCredentialEncrypted doesn't. How would be the proper way to access these credentials from the implementation of the service? I've only been able to read SetCredential or SetCredentialEncrypted through dbus.
  *   Is there an option to let a specific user only decrypt its specific credentials? From what I've seen, systemd uses a master key to encrypt/decrypt, is there a way of having a different master key for each user? I'm assuming that systemd doesn't consider this but maybe there is some approach.

systemctl --version
systemd 249 (249.7+suse.57.g523f32df57)
+PAM +AUDIT +SELINUX +APPARMOR -IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
OS: openSUSE Tubleweed

I don't have much experience in Linux and I'm trying to learn the best I can.
Thank you.

Joan Torres
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20211222/e9bf6867/attachment-0001.htm>