summaryrefslogtreecommitdiffstats
path: root/man/systemd-creds.xml
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--man/systemd-creds.xml72
1 files changed, 55 insertions, 17 deletions
diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml
index 0c9a985..c8419d3 100644
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@@ -1,6 +1,6 @@
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-creds"
@@ -215,6 +215,36 @@
</varlistentry>
<varlistentry>
+ <term><option>--user</option></term>
+
+ <listitem><para>When specified with the <command>encrypt</command> and <command>decrypt</command>
+ commands encrypts a user-scoped (rather than a system-scoped) credential. Use <option>--uid=</option>
+ to select which user the credential is from. Such credentials may only be decrypted from the
+ specified user's context, except if privileges can be acquired. Generally, when an encrypted
+ credential shall be used in the per-user service manager it should be encrypted with this option set,
+ when it shall be used in the system service manager it should be encrypted without.</para>
+
+ <para>Internally, this ensures that the selected user's numeric UID and username, as well as the
+ system's
+ <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> are
+ incorporated into the encryption key.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--uid=</option></term>
+
+ <listitem><para>Specifies the user to encrypt the credential for. Takes a user name or numeric
+ UID. If set, implies <option>--user</option>. If set to the special string <literal>self</literal>
+ sets the user to the user of the calling process. If <option>--user</option> is used without
+ <option>--uid=</option> then <option>--uid=self</option> is implied, i.e. the credential is encrypted
+ for the calling user.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--transcode=</option></term>
<listitem><para>When specified with the <command>cat</command> or <command>decrypt</command>
@@ -253,7 +283,7 @@
</varlistentry>
<varlistentry>
- <term><option>--name=</option><replaceable>name</replaceable></term>
+ <term><option>--name=<replaceable>name</replaceable></option></term>
<listitem><para>When specified with the <command>encrypt</command> command controls the credential
name to embed in the encrypted credential data. If not specified the name is chosen automatically
@@ -276,7 +306,7 @@
</varlistentry>
<varlistentry>
- <term><option>--timestamp=</option><replaceable>timestamp</replaceable></term>
+ <term><option>--timestamp=<replaceable>timestamp</replaceable></option></term>
<listitem><para>When specified with the <command>encrypt</command> command controls the timestamp to
embed into the encrypted credential. Defaults to the current time. Takes a timestamp specification in
@@ -291,7 +321,7 @@
</varlistentry>
<varlistentry>
- <term><option>--not-after=</option><replaceable>timestamp</replaceable></term>
+ <term><option>--not-after=<replaceable>timestamp</replaceable></option></term>
<listitem><para>When specified with the <command>encrypt</command> command controls the time when the
credential shall not be used anymore. This embeds the specified timestamp in the encrypted
@@ -310,7 +340,7 @@
<listitem><para>When specified with the <command>encrypt</command> command controls the
encryption/signature key to use. Takes one of <literal>host</literal>, <literal>tpm2</literal>,
- <literal>host+tpm2</literal>, <literal>tpm2-absent</literal>, <literal>auto</literal>,
+ <literal>host+tpm2</literal>, <literal>null</literal>, <literal>auto</literal>,
<literal>auto-initrd</literal>. See above for details on the three key types. If set to
<literal>auto</literal> (which is the default) the TPM2 key is used if a TPM2 device is found and not
running in a container. The host key is used if <filename>/var/lib/systemd/</filename> is on
@@ -318,13 +348,13 @@
chip and the OS installation, and both need to be available to decrypt the credential again. If
<literal>auto</literal> is selected but neither TPM2 is available (or running in container) nor
<filename>/var/lib/systemd/</filename> is on persistent media, encryption will fail. If set to
- <literal>tpm2-absent</literal> a fixed zero length key is used (thus, in this mode no confidentiality
+ <literal>null</literal> a fixed zero length key is used (thus, in this mode no confidentiality
nor authenticity are provided!). This logic is useful to cover for systems that lack a TPM2 chip but
where credentials shall be generated. Note that decryption of such credentials is refused on systems
that have a TPM2 chip and where UEFI SecureBoot is enabled (this is done so that such a locked down
system cannot be tricked into loading a credential generated this way that lacks authentication
information). If set to <literal>auto-initrd</literal> a TPM2 key is used if a TPM2 is found. If not
- a fixed zero length key is used, equivalent to <literal>tpm2-absent</literal> mode. This option is
+ a fixed zero length key is used, equivalent to <literal>null</literal> mode. This option is
particularly useful to generate credentials files that are encrypted/authenticated against TPM2 where
available but still work on systems lacking support for this.</para>
@@ -342,7 +372,7 @@
</varlistentry>
<varlistentry>
- <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>
+ <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
<listitem><para>Controls the TPM2 device to use. Expects a device node path referring to the TPM2
chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal>
@@ -354,7 +384,7 @@
</varlistentry>
<varlistentry>
- <term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>
+ <term><option>--tpm2-pcrs=<replaceable>PCR<optional>+PCR...</optional></replaceable></option></term>
<listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the encryption
key to. Takes a <literal>+</literal> separated list of numeric PCR indexes in the range 0…23. If not
@@ -366,8 +396,8 @@
</varlistentry>
<varlistentry>
- <term><option>--tpm2-public-key=</option><arg>PATH</arg></term>
- <term><option>--tpm2-public-key-pcrs=</option><arg rep="repeat">PCR</arg></term>
+ <term><option>--tpm2-public-key=<replaceable>PATH</replaceable></option></term>
+ <term><option>--tpm2-public-key-pcrs=<replaceable>PCR<optional>+PCR...</optional></replaceable></option></term>
<listitem><para>Configures a TPM2 signed PCR policy to bind encryption to, for use with the
<command>encrypt</command> command. The <option>--tpm2-public-key=</option> option accepts a path to
@@ -389,7 +419,7 @@
</varlistentry>
<varlistentry>
- <term><option>--tpm2-signature=</option><arg>PATH</arg></term>
+ <term><option>--tpm2-signature=<replaceable>PATH</replaceable></option></term>
<listitem><para>Takes a path to a TPM2 PCR signature file as generated by the
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
@@ -404,6 +434,14 @@
</varlistentry>
<varlistentry>
+ <term><option>--allow-null</option></term>
+
+ <listitem><para>Allow decrypting credentials that use an empty key.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--quiet</option></term>
<term><option>-q</option></term>
@@ -483,11 +521,11 @@ SetCredentialEncrypted=mysql-password: \
<refsect1>
<title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- </para>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ </simplelist></para>
</refsect1>
</refentry>