author: Lennart Poettering <lennart@poettering.net> 2022-04-21 15:36:03 +0200
committer: Luca Boccassi <luca.boccassi@gmail.com> 2022-04-21 23:23:14 +0200
commit: d43ea6c8ff0b53453e28839f468c932726f2a8c4 (patch)
tree: 9103526dbf727489e9973c2d2c4a4e952a51b8e1 /man/systemd.exec.xml
parent: 92c9f47d05548c14646c257cfdc4959f0b82a9bd (diff)
download: systemd-d43ea6c8ff0b53453e28839f468c932726f2a8c4.tar.gz
man: make clear that encrypted credentials are also authenticated
We use authenticated encryption, and that deserves mention. This is in particular relevant as the fact they are authenticated makes the credentials useful as initrd parameterization items.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml 23
1 files changed, 12 insertions, 11 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 5bb1679aea..0042432efb 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3054,18 +3054,19 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
loading from a directory, symlinks will be ignored.</para>
<para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to
- <varname>LoadCredential=</varname>, except that the credential data is decrypted before being passed
- on to the executed processes. Specifically, the referenced path should refer to a file or socket with
- an encrypted credential, as implemented by
+ <varname>LoadCredential=</varname>, except that the credential data is decrypted and authenticated
+ before being passed on to the executed processes. Specifically, the referenced path should refer to a
+ file or socket with an encrypted credential, as implemented by
<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This
- credential is loaded, decrypted and then passed to the application in decrypted plaintext form, in
- the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
- credential configured this way may encrypted with a secret key derived from the system's TPM2
- security chip, or with a secret key stored in
- <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials
- improves security as credentials are not stored in plaintext and only decrypted into plaintext the
- moment a service requiring them is started. Moreover, credentials may be bound to the local hardware
- and installations, so that they cannot easily be analyzed offline.</para>
+ credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
+ in the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
+ credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
+ from the system's TPM2 security chip, or with a secret key stored in
+ <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted and
+ authenticated credentials improves security as credentials are not stored in plaintext and only
+ authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
+ credentials may be bound to the local hardware and installations, so that they cannot easily be
+ analyzed offline, or be generated externally.</para>
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
be directly accessible to the unit's processes: the credential data is read and copied into separate,
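Review bot: the hunk states the order of the two operations inconsistently: the added lines say "decrypted and authenticated" and "decrypted, authenticated and then passed", but later "only authenticated and decrypted into plaintext". With authenticated encryption the tag is verified and no plaintext is released unless it checks out, so "authenticated and decrypted" is the order to use throughout; the first two occurrences should be changed to match the third. Separately, the new trailing clause "or be generated externally" hangs off "cannot easily be analyzed offline", which is the intended meaning (a credential bound to this machine cannot be forged elsewhere) but reads awkwardly; consider "so that they can neither be analyzed offline nor generated externally."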