Diffstat (limited to 'upstream/opensuse-tumbleweed/man1/systemd-creds.1')
-rw-r--r--  upstream/opensuse-tumbleweed/man1/systemd-creds.1 | 40
1 files changed, 39 insertions, 1 deletions
diff --git a/upstream/opensuse-tumbleweed/man1/systemd-creds.1 b/upstream/opensuse-tumbleweed/man1/systemd-creds.1 index 3a0e4b25..db9944ec 100644 --- a/upstream/opensuse-tumbleweed/man1/systemd-creds.1 +++ b/upstream/opensuse-tumbleweed/man1/systemd-creds.1 @@ -1,5 +1,5 @@ '\" t -.TH "SYSTEMD\-CREDS" "1" "" "systemd 254" "systemd-creds" +.TH "SYSTEMD\-CREDS" "1" "" "systemd 255" "systemd-creds" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -60,6 +60,8 @@ Along with each credential name, the size and security state is shown\&. The lat (in case it is backed by any other type of memory), or "insecure" (if having any access mode that is not 0400, i\&.e\&. if readable by anyone but the owner)\&. +.sp +Added in version 250\&. .RE .PP \fBcat\fR \fIcredential\&.\&.\&.\fR @@ -71,6 +73,8 @@ When combined with or \fB\-\-transcode=\fR the output is transcoded in simple ways before outputting\&. +.sp +Added in version 250\&. .RE .PP \fBsetup\fR @@ -83,6 +87,8 @@ or \fBdecrypt\fR, and is only accessible to the root user\&. Note that there\*(Aqs typically no need to invoke this command explicitly as it is implicitly called when \fBencrypt\fR is invoked, and credential host key encryption selected\&. +.sp +Added in version 250\&. .RE .PP \fBencrypt\fR \fIinput|\-\fR \fIoutput|\-\fR @@ -154,6 +160,8 @@ Use (see below) to undo the encryption operation, and acquire the decrypted plaintext credential from the encrypted ciphertext credential\&. .sp The credential data is encrypted using AES256\-GCM, i\&.e\&. providing both confidentiality and integrity, keyed by a SHA256 hash of one or both of the secret keys described above\&. +.sp +Added in version 250\&. .RE .PP \fBdecrypt\fR \fIinput|\-\fR [\fIoutput|\-\fR] 
@@ -170,6 +178,8 @@ switch\&. If the input path is specified as \fB\-\-name=\fR\&. .sp Decrypting credentials requires access to the original TPM2 chip and/or credentials host key, see above\&. Information about which keys are required is embedded in the encrypted credential data, and thus decryption is entirely automatic\&. +.sp +Added in version 250\&. .RE .PP \fBhas\-tpm2\fR @@ -183,6 +193,8 @@ and exits with exit status zero\&. If no such device is discovered/supported/use Combine with \fB\-\-quiet\fR to suppress the output\&. +.sp +Added in version 251\&. .RE .PP \fB\-h\fR, \fB\-\-help\fR @@ -203,6 +215,8 @@ When specified with the and \fBcat\fR commands operates on the credentials passed to system as a whole instead of on those passed to the current execution context\&. This is useful in container environments where credentials may be passed in from the container manager\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-transcode=\fR @@ -222,6 +236,8 @@ as argument, in order to encode/decode the credential data with Base64 or as ser Note that this has no effect on the \fBencrypt\fR command, as encrypted credentials are unconditionally encoded in Base64\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-newline=\fR @@ -237,6 +253,8 @@ or "no"\&. The default mode of "auto" will suffix the output with a single newline character only when writing credential data to a TTY\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-pretty\fR, \fB\-p\fR @@ -250,6 +268,8 @@ setting that may be pasted directly into a unit file\&. Has effect only when use and "\-" as the output file\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-name=\fR\fIname\fR 
@@ -265,6 +285,8 @@ command control the credential name to validate the credential name embedded in with an empty string was used when encrypted) the specified name has no effect as no credential name validation is done\&. .sp Embedding the credential name in the encrypted credential is done in order to protect against reuse of credentials for purposes they weren\*(Aqt originally intended for, under the assumption the credential name is chosen carefully to encode its intended purpose\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-timestamp=\fR\fItimestamp\fR @@ -279,6 +301,8 @@ When specified with the command controls the timestamp to use to validate the "not\-after" timestamp that was configured with \fB\-\-not\-after=\fR during encryption\&. If not specified defaults to the current system time\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-not\-after=\fR\fItimestamp\fR @@ -287,6 +311,8 @@ When specified with the \fBencrypt\fR command controls the time when the credential shall not be used anymore\&. This embeds the specified timestamp in the encrypted credential\&. During decryption the timestamp is checked against the current system clock, and if the timestamp is in the past the decryption will fail\&. By default no such timestamp is set\&. Takes a timestamp specification in the format described in \fBsystemd.time\fR(7)\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-with\-key=\fR, \fB\-H\fR, \fB\-T\fR @@ -332,6 +358,8 @@ mode, to disable binding against the host secret\&. This switch has no effect on the \fBdecrypt\fR command, as information on which key to use for decryption is included in the encrypted credential already\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-tpm2\-device=\fR\fIPATH\fR 
@@ -342,6 +370,8 @@ Controls the TPM2 device to use\&. Expects a device node path referring to the T may be specified, in order to automatically determine the device node of a suitable TPM2 device (of which there must be exactly one)\&. The special value "list" may be used to enumerate all suitable TPM2 devices currently discovered\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-tpm2\-pcrs=\fR [PCR...] @@ -350,6 +380,8 @@ Configures the TPM2 PCRs (Platform Configuration Registers) to bind the encrypti "+" separated list of numeric PCR indexes in the range 0\&...23\&. If not used, defaults to PCR 7 only\&. If an empty string is specified, binds the encryption key to no PCRs at all\&. For details about the PCRs available, see the documentation of the switch of the same name for \fBsystemd-cryptenroll\fR(1)\&. +.sp +Added in version 250\&. .RE .PP \fB\-\-tpm2\-public\-key=\fR [PATH], \fB\-\-tpm2\-public\-key\-pcrs=\fR [PCR...] @@ -374,6 +406,8 @@ Note the difference between \fB\-\-tpm2\-pcrs=\fR and \fB\-\-tpm2\-public\-key\-pcrs=\fR: the former binds decryption to the current, specific PCR values; the latter binds decryption to any set of PCR values for which a signature by the specified public key can be provided\&. The latter is hence more useful in scenarios where software updates shall be possible without losing access to all previously encrypted secrets\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-tpm2\-signature=\fR [PATH] @@ -389,6 +423,8 @@ is searched for in /run/systemd/, /usr/lib/systemd/ (in this order) and used\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-quiet\fR, \fB\-q\fR @@ -396,6 +432,8 @@ is searched for in When used with \fBhas\-tpm2\fR suppresses the output, and only returns an exit status indicating support for TPM2\&. +.sp +Added in version 251\&. .RE .PP \fB\-\-no\-pager\fR |
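Review bot: In the `--not-after=` hunk (`@@ -287,6 +311,8 @@`) the context sentence "During decryption the timestamp is checked against the current system clock" contradicts the `--timestamp=` entry a few hunks earlier, which documents that `decrypt` validates the "not-after" value against the time passed with `--timestamp=` and only falls back to the current system time when that switch is absent. Since this hunk already touches the paragraph, amend it to something like "is checked against the current system clock (or the time specified with \fB\-\-timestamp=\fR)" so the two entries agree and readers testing expiry with a forced timestamp are not misled.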
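Review bot: The `--tpm2-pcrs=` hunk (`@@ -350,6 +380,8 @@`) documents that an empty string "binds the encryption key to no PCRs at all" without stating the consequence: a credential sealed that way can be unsealed by the same TPM regardless of the measured boot state, so the protection reduces to "this physical TPM is present". One sentence to that effect, placed after "If an empty string is specified, ..." and before the cross-reference to `systemd-cryptenroll`(1), would make the trade-off explicit next to the default of PCR 7 and the `--tpm2-public-key-pcrs=` alternative described later in the patch.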