Adding upstream version 4.22.0.upstream/4.22.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 966 insertions, 0 deletions

diff --git a/templates/man1/systemd-creds.1.pot b/templates/man1/systemd-creds.1.pot
new file mode 100644
index 00000000..f98f5052
--- /dev/null
+++ b/templates/man1/systemd-creds.1.pot
@@ -0,0 +1,966 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2024-03-01 17:10+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "SYSTEMD-CREDS"
+msgstr ""
+
+#. type: TH
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "systemd 255"
+msgstr ""
+
+#. type: TH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "systemd-creds"
+msgstr ""
+
+#.  -----------------------------------------------------------------
+#.  * MAIN CONTENT STARTS HERE *
+#.  -----------------------------------------------------------------
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "systemd-creds - Lists, shows, encrypts and decrypts service credentials"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<systemd-creds> [OPTIONS...] COMMAND [ARGS...]"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"B<systemd-creds> is a tool for listing, showing, encrypting and decrypting "
+"unit credentials\\&. Credentials are limited-size binary or textual objects "
+"that may be passed to unit processes\\&. They are primarily used for passing "
+"cryptographic keys (both public and private) or certificates, user account "
+"information or identity information from the host to services\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-tumbleweed
+msgid ""
+"Credentials are configured in unit files via the I<ImportCredential=>, "
+"I<LoadCredential=>, I<SetCredential=>, I<LoadCredentialEncrypted=>, and "
+"I<SetCredentialEncrypted=> settings, see B<systemd.exec>(5)  for details\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"For further information see \\m[blue]B<System and Service "
+"Credentials>\\m[]\\&\\s-2\\u[1]\\d\\s+2 documentation\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "COMMANDS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "The following commands are understood:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<list>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Show a list of credentials passed into the current execution context\\&. "
+"This command shows the files in the directory referenced by the "
+"I<$CREDENTIALS_DIRECTORY> environment variable, and is intended to be "
+"executed from within service context\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Along with each credential name, the size and security state is shown\\&. "
+"The latter is one of \"secure\" (in case the credential is backed by "
+"unswappable memory, i\\&.e\\&.  \"ramfs\"), \"weak\" (in case it is backed "
+"by any other type of memory), or \"insecure\" (if having any access mode "
+"that is not 0400, i\\&.e\\&. if readable by anyone but the owner)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 250\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<cat> I<credential\\&.\\&.\\&.>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Show contents of specified credentials passed into the current execution "
+"context\\&. Takes one or more credential names, whose contents shall be "
+"written to standard output\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When combined with B<--json=> or B<--transcode=> the output is transcoded in "
+"simple ways before outputting\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<setup>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Generates a host encryption key for credentials, if one has not been "
+"generated already\\&. This ensures the /var/lib/systemd/credential\\&.secret "
+"file is initialized with a random secret key if it doesn\\*(Aqt exist "
+"yet\\&. This secret key is used when encrypting/decrypting credentials with "
+"B<encrypt> or B<decrypt>, and is only accessible to the root user\\&. Note "
+"that there\\*(Aqs typically no need to invoke this command explicitly as it "
+"is implicitly called when B<encrypt> is invoked, and credential host key "
+"encryption selected\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<encrypt> I<input|-> I<output|->"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Loads the specified (unencrypted plaintext) input credential file, encrypts "
+"it and writes the (encrypted ciphertext) output to the specified target "
+"credential file\\&. The resulting file may be referenced in the "
+"I<LoadCredentialEncrypted=> setting in unit files, or its contents used "
+"literally in I<SetCredentialEncrypted=> settings\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Takes two file system paths\\&. The file name part of the output path is "
+"embedded as name in the encrypted credential, to ensure encrypted "
+"credentials cannot be renamed and reused for different purposes without this "
+"being noticed\\&. The credential name to embed may be overridden with the "
+"B<--name=> setting\\&. The input or output paths may be specified as \"-\", "
+"in which case the credential data is read from/written to standard input and "
+"standard output\\&. If the output path is specified as \"-\" the credential "
+"name cannot be derived from the file system path, and thus should be "
+"specified explicitly via the B<--name=> switch\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The credential data is encrypted and authenticated symmetrically with one of "
+"the following encryption keys:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A secret key automatically derived from the system\\*(Aqs TPM2 chip\\&. This "
+"encryption key is not stored on the host system and thus decryption is only "
+"possible with access to the original TPM2 chip\\&. Or in other words, the "
+"credential secured in this way can only be decrypted again by the local "
+"machine\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A secret key stored in the /var/lib/systemd/credential\\&.secret file which "
+"is only accessible to the root user\\&. This \"host\" encryption key is "
+"stored on the host file system, and thus decryption is possible with access "
+"to the host file system and sufficient privileges\\&. The key is "
+"automatically generated when needed, but can also be created explicitly with "
+"the B<setup> command, see above\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"A combination of the above: an encryption key derived from both the TPM2 "
+"chip and the host file system\\&. This means decryption requires both access "
+"to the original TPM2 chip and the OS installation\\&. This is the default "
+"mode of operation if a TPM2 chip is available and /var/lib/systemd/ resides "
+"on persistent media\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Which of the three keys shall be used for encryption may be configured with "
+"the B<--with-key=> switch\\&. Depending on the use-case for the encrypted "
+"credential the key to use may differ\\&. For example, for credentials that "
+"shall be accessible from the initrd, encryption with the host key is not "
+"appropriate, since access to the host key is typically not available from "
+"the initrd\\&. Thus, for such credentials only the TPM2 key should be "
+"used\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Encrypted credentials are always encoded in Base64\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Use B<decrypt> (see below) to undo the encryption operation, and acquire the "
+"decrypted plaintext credential from the encrypted ciphertext credential\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The credential data is encrypted using AES256-GCM, i\\&.e\\&. providing both "
+"confidentiality and integrity, keyed by a SHA256 hash of one or both of the "
+"secret keys described above\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<decrypt> I<input|-> [I<output|->]"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Undoes the effect of the B<encrypt> operation: loads the specified "
+"(encrypted ciphertext) input credential file, decrypts and authenticates it "
+"and writes the (decrypted plaintext) output to the specified target "
+"credential file\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Takes one or two file system paths\\&. The file name part of the input path "
+"is compared with the credential name embedded in the encrypted file\\&. If "
+"it does not match decryption fails\\&. This is done in order to ensure that "
+"encrypted credentials are not re-purposed without this being detected\\&. "
+"The credential name to compare with the embedded credential name may also be "
+"overridden with the B<--name=> switch\\&. If the input path is specified as "
+"\"-\", the encrypted credential is read from standard input\\&. If only one "
+"path is specified or the output path specified as \"-\", the decrypted "
+"credential is written to standard output\\&. In this mode, the expected name "
+"embedded in the credential cannot be derived from the path and should be "
+"specified explicitly with B<--name=>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Decrypting credentials requires access to the original TPM2 chip and/or "
+"credentials host key, see above\\&. Information about which keys are "
+"required is embedded in the encrypted credential data, and thus decryption "
+"is entirely automatic\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<has-tpm2>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Reports whether the system is equipped with a TPM2 device usable for "
+"protecting credentials\\&. If a TPM2 device has been discovered, is "
+"supported, and is being used by firmware, by the OS kernel drivers and by "
+"userspace (i\\&.e\\&. systemd) this prints \"yes\" and exits with exit "
+"status zero\\&. If no such device is discovered/supported/used, prints "
+"\"no\"\\&. Otherwise prints \"partial\"\\&. In either of these two cases "
+"exits with non-zero exit status\\&. It also shows four lines indicating "
+"separately whether firmware, drivers, the system and the kernel discovered/"
+"support/use TPM2\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Combine with B<--quiet> to suppress the output\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 251\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<-h>, B<--help>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Print a short help text and exit\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--version>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Print a short version string and exit\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--system>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<list> and B<cat> commands operates on the "
+"credentials passed to system as a whole instead of on those passed to the "
+"current execution context\\&. This is useful in container environments where "
+"credentials may be passed in from the container manager\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--transcode=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<cat> or B<decrypt> commands, transcodes the output "
+"before showing it\\&. Takes one of \"base64\", \"unbase64\", \"hex\" or "
+"\"unhex\" as argument, in order to encode/decode the credential data with "
+"Base64 or as series of hexadecimal values\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Note that this has no effect on the B<encrypt> command, as encrypted "
+"credentials are unconditionally encoded in Base64\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--newline=>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with B<cat> or B<decrypt> controls whether to add a trailing "
+"newline character to the end of the output if it doesn\\*(Aqt end in one, "
+"anyway\\&. Takes one of \"auto\", \"yes\" or \"no\"\\&. The default mode of "
+"\"auto\" will suffix the output with a single newline character only when "
+"writing credential data to a TTY\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--pretty>, B<-p>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with B<encrypt> controls whether to show the encrypted "
+"credential as I<SetCredentialEncrypted=> setting that may be pasted directly "
+"into a unit file\\&. Has effect only when used together with B<--name=> and "
+"\"-\" as the output file\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--name=>I<name>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<encrypt> command controls the credential name to "
+"embed in the encrypted credential data\\&. If not specified the name is "
+"chosen automatically from the filename component of the specified output "
+"path\\&. If specified as empty string no credential name is embedded in the "
+"encrypted credential, and no verification of credential name is done when "
+"the credential is decrypted\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<decrypt> command control the credential name to "
+"validate the credential name embedded in the encrypted credential with\\&. "
+"If not specified the name is chosen automatically from the filename "
+"component of the specified input path\\&. If no credential name is embedded "
+"in the encrypted credential file (i\\&.e\\&. the B<--name=> with an empty "
+"string was used when encrypted) the specified name has no effect as no "
+"credential name validation is done\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Embedding the credential name in the encrypted credential is done in order "
+"to protect against reuse of credentials for purposes they weren\\*(Aqt "
+"originally intended for, under the assumption the credential name is chosen "
+"carefully to encode its intended purpose\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--timestamp=>I<timestamp>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<encrypt> command controls the timestamp to embed "
+"into the encrypted credential\\&. Defaults to the current time\\&. Takes a "
+"timestamp specification in the format described in B<systemd.time>(7)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<decrypt> command controls the timestamp to use to "
+"validate the \"not-after\" timestamp that was configured with B<--not-"
+"after=> during encryption\\&. If not specified defaults to the current "
+"system time\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--not-after=>I<timestamp>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<encrypt> command controls the time when the "
+"credential shall not be used anymore\\&. This embeds the specified timestamp "
+"in the encrypted credential\\&. During decryption the timestamp is checked "
+"against the current system clock, and if the timestamp is in the past the "
+"decryption will fail\\&. By default no such timestamp is set\\&. Takes a "
+"timestamp specification in the format described in B<systemd.time>(7)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--with-key=>, B<-H>, B<-T>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When specified with the B<encrypt> command controls the encryption/signature "
+"key to use\\&. Takes one of \"host\", \"tpm2\", \"host+tpm2\", \"tpm2-"
+"absent\", \"auto\", \"auto-initrd\"\\&. See above for details on the three "
+"key types\\&. If set to \"auto\" (which is the default) the TPM2 key is used "
+"if a TPM2 device is found and not running in a container\\&. The host key is "
+"used if /var/lib/systemd/ is on persistent media\\&. This means on typical "
+"systems the encryption is by default bound to both the TPM2 chip and the OS "
+"installation, and both need to be available to decrypt the credential "
+"again\\&. If \"auto\" is selected but neither TPM2 is available (or running "
+"in container) nor /var/lib/systemd/ is on persistent media, encryption will "
+"fail\\&. If set to \"tpm2-absent\" a fixed zero length key is used (thus, in "
+"this mode no confidentiality nor authenticity are provided!)\\&. This logic "
+"is useful to cover for systems that lack a TPM2 chip but where credentials "
+"shall be generated\\&. Note that decryption of such credentials is refused "
+"on systems that have a TPM2 chip and where UEFI SecureBoot is enabled (this "
+"is done so that such a locked down system cannot be tricked into loading a "
+"credential generated this way that lacks authentication information)\\&. If "
+"set to \"auto-initrd\" a TPM2 key is used if a TPM2 is found\\&. If not a "
+"fixed zero length key is used, equivalent to \"tpm2-absent\" mode\\&. This "
+"option is particularly useful to generate credentials files that are "
+"encrypted/authenticated against TPM2 where available but still work on "
+"systems lacking support for this\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The B<-H> switch is a shortcut for B<--with-key=host>\\&. Similar, B<-T> is "
+"a shortcut for B<--with-key=tpm2>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When encrypting credentials that shall be used in the initrd (where /var/lib/"
+"systemd/ is typically not available) make sure to use B<--with-key=auto-"
+"initrd> mode, to disable binding against the host secret\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"This switch has no effect on the B<decrypt> command, as information on which "
+"key to use for decryption is included in the encrypted credential already\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--tpm2-device=>I<PATH>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Controls the TPM2 device to use\\&. Expects a device node path referring to "
+"the TPM2 chip (e\\&.g\\&.  /dev/tpmrm0)\\&. Alternatively the special value "
+"\"auto\" may be specified, in order to automatically determine the device "
+"node of a suitable TPM2 device (of which there must be exactly one)\\&. The "
+"special value \"list\" may be used to enumerate all suitable TPM2 devices "
+"currently discovered\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--tpm2-pcrs=> [PCR...]"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Configures the TPM2 PCRs (Platform Configuration Registers) to bind the "
+"encryption key to\\&. Takes a \"+\" separated list of numeric PCR indexes in "
+"the range 0\\&...23\\&. If not used, defaults to PCR 7 only\\&. If an empty "
+"string is specified, binds the encryption key to no PCRs at all\\&. For "
+"details about the PCRs available, see the documentation of the switch of the "
+"same name for B<systemd-cryptenroll>(1)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--tpm2-public-key=> [PATH], B<--tpm2-public-key-pcrs=> [PCR...]"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Configures a TPM2 signed PCR policy to bind encryption to, for use with the "
+"B<encrypt> command\\&. The B<--tpm2-public-key=> option accepts a path to a "
+"PEM encoded RSA public key, to bind the encryption to\\&. If this is not "
+"specified explicitly, but a file tpm2-pcr-public-key\\&.pem exists in one of "
+"the directories /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (searched in "
+"this order), it is automatically used\\&. The B<--tpm2-public-key-pcrs=> "
+"option takes a list of TPM2 PCR indexes to bind to (same syntax as B<--tpm2-"
+"pcrs=> described above)\\&. If not specified defaults to 11 (i\\&.e\\&. this "
+"binds the policy to any unified kernel image for which a PCR signature can "
+"be provided)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Note the difference between B<--tpm2-pcrs=> and B<--tpm2-public-key-pcrs=>: "
+"the former binds decryption to the current, specific PCR values; the latter "
+"binds decryption to any set of PCR values for which a signature by the "
+"specified public key can be provided\\&. The latter is hence more useful in "
+"scenarios where software updates shall be possible without losing access to "
+"all previously encrypted secrets\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 252\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--tpm2-signature=> [PATH]"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Takes a path to a TPM2 PCR signature file as generated by the B<systemd-"
+"measure>(1)  tool and that may be used to allow the B<decrypt> command to "
+"decrypt credentials that are bound to specific signed PCR values\\&. If this "
+"is not specified explicitly, and a credential with a signed PCR policy is "
+"attempted to be decrypted, a suitable signature file tpm2-pcr-signature\\&."
+"json is searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in "
+"this order) and used\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--quiet>, B<-q>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"When used with B<has-tpm2> suppresses the output, and only returns an exit "
+"status indicating support for TPM2\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--no-pager>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "Do not pipe output into a pager\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--no-legend>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Do not print the legend, i\\&.e\\&. column headers and the footer with "
+"hints\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<--json=>I<MODE>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Shows output formatted as JSON\\&. Expects one of \"short\" (for the "
+"shortest possible output without any redundant whitespace or line breaks), "
+"\"pretty\" (for a pretty version of the same, with indentation and line "
+"breaks) or \"off\" (to turn off JSON output, the default)\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "On success, 0 is returned\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"In case of the B<has-tpm2> command returns 0 if a TPM2 device is discovered, "
+"supported and used by firmware, driver, and userspace (i\\&.e\\&. "
+"systemd)\\&. Otherwise returns the OR combination of the value 1 (in case "
+"firmware support is missing), 2 (in case driver support is missing) and 4 "
+"(in case userspace support is missing)\\&. If no TPM2 support is available "
+"at all, value 7 is hence returned\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<Example\\ \\&1.\\ \\&Encrypt a password for use as credential>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The following command line encrypts the specified password \"hunter2\", "
+"writing the result to a file password\\&.cred\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "# echo -n hunter2 | systemd-creds encrypt - password\\&.cred\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"This decrypts the file password\\&.cred again, revealing the literal "
+"password:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"# systemd-creds decrypt password\\&.cred\n"
+"hunter2\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"B<Example\\ \\&2.\\ \\&Encrypt a password and include it in a unit file>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The following command line prompts the user for a password and generates a "
+"I<SetCredentialEncrypted=> line from it for a credential named \"mysql-"
+"password\", suitable for inclusion in a unit file\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"# systemd-ask-password -n | systemd-creds encrypt --name=mysql-password -p - -\n"
+"🔐 Password: ****\n"
+"SetCredentialEncrypted=mysql-password: \\e\n"
+"        k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAASfFsBoPLIm/dlDoGAAAAAAAAAA \\e\n"
+"        NAAAAAgAAAAAH4AILIOZ3w6rTzYsBy9G7liaCAd4i+Kpvs8mAgArzwuKxd0ABDjgSeO5k \\e\n"
+"        mKQc58zM94ZffyRmuNeX1lVHE+9e2YD87KfRFNoDLS7F3YmCb347gCiSk2an9egZ7Y0Xs \\e\n"
+"        700Kr6heqQswQEemNEc62k9RJnEl2q7SbcEYguegnPQUATgAIAAsAAAASACA/B90W7E+6 \\e\n"
+"        yAR9NgiIJvxr9bpElztwzB5lUJAxtMBHIgAQACCaSV9DradOZz4EvO/LSaRyRSq2Hj0ym \\e\n"
+"        gVJk/dVzE8Uxj8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciyageTfrVEer8z5 \\e\n"
+"        9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/A==\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"The generated line can be pasted 1:1 into a unit file, and will ensure the "
+"acquired password will be made available in the I<$CREDENTIALS_DIRECTORY>/"
+"mysql-password credential file for the started service\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid ""
+"Utilizing the unit file drop-in logic this can be used to securely pass a "
+"password credential to a unit\\&. A similar, more comprehensive set of "
+"commands to insert a password into a service xyz\\&.service:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"# mkdir -p /etc/systemd/system/xyz\\&.service\\&.d\n"
+"# systemd-ask-password -n | ( echo \"[Service]\" && systemd-creds encrypt --name=mysql-password -p - - ) E<gt>/etc/systemd/system/xyz\\&.service\\&.d/50-password\\&.conf\n"
+"# systemctl daemon-reload\n"
+"# systemctl restart xyz\\&.service\n"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "B<systemd>(1), B<systemd.exec>(5), B<systemd-measure>(1)"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "NOTES"
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid " 1."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "System and Service Credentials"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
+msgid "\\%https://systemd.io/CREDENTIALS"
+msgstr ""
+
+#. type: TH
+#: debian-bookworm opensuse-leap-15-6 opensuse-tumbleweed
+#, no-wrap
+msgid "systemd 254"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+msgid ""
+"Credentials are configured in unit files via the I<ImportCredentialE<gt>>, "
+"I<LoadCredential=>, I<SetCredential=>, I<LoadCredentialEncrypted=> and "
+"I<SetCredentialEncrypted=> settings, see B<systemd.exec>(5)  for details\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-leap-15-6
+#, no-wrap
+msgid ""
+"# mkdir -p /etc/systemd/system/xyz\\&.service\\&.d\n"
+"# systemd-ask-password -n | systemd-creds encrypt --name=mysql-password -p - - E<gt>/etc/systemd/system/xyz\\&.service\\&.d/50-password\\&.conf\n"
+"# systemctl daemon-reload\n"
+"# systemctl restart xyz\\&.service\n"
+msgstr ""