projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| c1017f6b LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
| 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
| 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
| 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> | |
| 5 | ||
| 6 | <refentry id="systemd-creds" | |
| 7 | xmlns:xi="http://www.w3.org/2001/XInclude"> | |
| 8 | ||
| 9 | <refentryinfo> | |
| 10 | <title>systemd-creds</title> | |
| 11 | <productname>systemd</productname> | |
| 12 | </refentryinfo> | |
| 13 | ||
| 14 | <refmeta> | |
| 15 | <refentrytitle>systemd-creds</refentrytitle> | |
| 16 | <manvolnum>1</manvolnum> | |
| 17 | </refmeta> | |
| 18 | ||
| 19 | <refnamediv> | |
| 20 | <refname>systemd-creds</refname> | |
| 21 | <refpurpose>Lists, shows, encrypts and decrypts service credentials</refpurpose> | |
| 22 | </refnamediv> | |
| 23 | ||
| 24 | <refsynopsisdiv> | |
| 25 | <cmdsynopsis> | |
| 26 | <command>systemd-creds</command> | |
| 27 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 28 | </cmdsynopsis> | |
| 29 | </refsynopsisdiv> | |
| 30 | ||
| 31 | <refsect1> | |
| 32 | <title>Description</title> | |
| 33 | ||
| 34 | <para><command>systemd-creds</command> is a tool for listing, showing, encrypting and decrypting unit | |
| 35 | credentials. Credentials are limited-size binary or textual objects that may be passed to unit | |
| 36 | processes. They are primarily used for passing cryptographic keys (both public and private) or | |
| 37 | certificates, user account information or identity information from the host to services.</para> | |
| 38 | ||
| 39 | <para>Credentials are configured in unit files via the <varname>LoadCredential=</varname>, | |
| 40 | <varname>SetCredential=</varname>, <varname>LoadCredentialEncrypted=</varname> and | |
| 41 | <varname>SetCredentialEncrypted=</varname> settings, see | |
| 42 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
| 43 | details.</para> | |
| 44 | </refsect1> | |
| 45 | ||
| 46 | <refsect1> | |
| 47 | <title>Commands</title> | |
| 48 | ||
| 49 | <para>The following commands are understood:</para> | |
| 50 | ||
| 51 | <variablelist> | |
| 52 | <varlistentry> | |
| 53 | <term><command>list</command></term> | |
| 54 | ||
| 55 | <listitem><para>Show a list of credentials passed into the current execution context. This command | |
| 56 | shows the files in the directory referenced by the <varname>$CREDENTIALS_DIRECTORY</varname> | |
| 57 | environment variable, and is intended to be executed from within service context.</para> | |
| 58 | ||
| 59 | <para>Along with each credential name, the size and security state is shown. The latter is one of | |
| 60 | <literal>secure</literal> (in case the credential is backed by unswappable memory, | |
| 61 | i.e. <literal>ramfs</literal>), <literal>weak</literal> (in case it is backed by any other type of | |
| 62 | memory), or <literal>insecure</literal> (if having any access mode that is not 0400, i.e. if readable | |
| 63 | by anyone but the owner).</para></listitem> | |
| 64 | </varlistentry> | |
| 65 | ||
| 66 | <varlistentry> | |
| 67 | <term><command>cat</command> <replaceable>credential...</replaceable></term> | |
| 68 | ||
| 69 | <listitem><para>Show contents of specified credentials passed into the current execution | |
| 70 | context. Takes one or more credential names, whose contents shall be written to standard | |
| 71 | output.</para> | |
| 72 | ||
| 73 | <para>When combined with <option>--json=</option> or <option>--transcode=</option> the output is | |
| 74 | transcoded in simple ways before outputting.</para></listitem> | |
| 75 | </varlistentry> | |
| 76 | ||
| 77 | <varlistentry> | |
| 78 | <term><command>setup</command></term> | |
| 79 | ||
| 80 | <listitem><para>Generates a host encryption key for credentials, if none has been generated | |
| 81 | before. This ensures the <filename>/var/lib/systemd/credential.secret</filename> file is initialized | |
| 82 | with a random secret key if it doesn't exist yet. This secret key is used when encrypting/decrypting | |
| 83 | credentials with <command>encrypt</command> or <command>decrypt</command>, and is only accessible to | |
| 84 | the root user. Note that there's typically no need to invoke this command explicitly as it is | |
| 85 | implicitly called when <command>encrypt</command> is invoked, and credential host key encryption | |
| 86 | selected.</para></listitem> | |
| 87 | </varlistentry> | |
| 88 | ||
| 89 | <varlistentry> | |
| 90 | <term><command>encrypt</command> <replaceable>input</replaceable> <replaceable>output</replaceable></term> | |
| 91 | ||
| 92 | <listitem><para>Loads the specified (unencrypted plaintext) input credential file, encrypts it and | |
| 93 | writes the (encrypted ciphertext) version to the specified output credential file. The resulting file | |
| 94 | may be referenced in the <varname>LoadCredentialEncrypted=</varname> setting in unit files, or its | |
| 95 | contents used literally in <varname>SetCredentialEncrypted=</varname> settings.</para> | |
| 96 | ||
| 97 | <para>Takes two file system paths. The file name part of the output path is embedded as name in the | |
| 98 | encrypted credential, to ensure encrypted credentials cannot be renamed and reused for different | |
| 99 | purposes without this being noticed. The credential name to embed may be overridden with the | |
| 100 | <option>--name=</option> setting. The input or output paths may be specified as <literal>-</literal>, | |
| 101 | in which case the credential data is read from/written to standard input and standard output. If the | |
| 102 | output path is specified as <literal>-</literal> the credential name cannot be derived from the file | |
| 103 | system path, and thus should be specified explicitly via the <option>--name=</option> switch.</para> | |
| 104 | ||
| 105 | <para>The credential data is encrypted symmetrically with one of the following encryption | |
| 106 | keys:</para> | |
| 107 | ||
| 108 | <orderedlist> | |
| 109 | <listitem><para>A secret key automatically derived from the system's TPM2 chip. This encryption key | |
| 110 | is not stored on the host system and thus decryption is only possible with access to the original | |
| 111 | TPM2 chip. Or in other words, the credential secured in this way can only be decrypted again by the | |
| 112 | local machine.</para></listitem> | |
| 113 | ||
| 114 | <listitem><para>A secret key stored in the <filename>/var/lib/systemd/credential.secret</filename> | |
| 115 | file which is only accessible to the root user. This "host" encryption key is stored on the host | |
| 116 | file system, and thus decryption is possible with access to the host file system and sufficient | |
| 117 | privileges. The key is automatically generated when needed, but can also be created explicitly with | |
| 118 | the <command>setup</command> command, see above.</para></listitem> | |
| 119 | ||
| 120 | <listitem><para>A combination of the above: an encryption key derived from both the TPM2 chip and | |
| 121 | the host file system. This means decryption requires both access to the original TPM2 chip and the | |
| 122 | OS installation. This is the default mode of operation if a TPM2 chip is available and | |
| 123 | <filename>/var/lib/systemd/</filename> resides on persistent media.</para></listitem> | |
| 124 | </orderedlist> | |
| 125 | ||
| 126 | <para>Which of the three keys shall be used for encryption may be configured with the | |
| 127 | <option>--with-key=</option> switch. Depending on the use-case for the encrypted credential the key to | |
| 128 | use may differ. For example, for credentials that shall be accessible from the initial RAM disk | |
| 129 | (initrd) of the system encryption with the host key is not appropriate since access to the host key | |
| 130 | is typically not available from the initrd. Thus, for such credentials only the TPM2 key should be | |
| 131 | used.</para> | |
| 132 | ||
| 133 | <para>Encrypted credentials are always encoded in Base64.</para> | |
| 134 | ||
| 135 | <para>Use <command>decrypt</command> (see below) to undo the encryption operation, and acquire the | |
| 136 | decrypted plaintext credential from the encrypted ciphertext credential.</para> | |
| 137 | ||
| 138 | <para>The credential data is encrypted using AES256-GCM, i.e. providing both confidentiality and | |
| 139 | integrity, keyed by a SHA256 hash of one or both of the secret keys described above.</para> | |
| 140 | </listitem> | |
| 141 | </varlistentry> | |
| 142 | ||
| 143 | <varlistentry> | |
| 144 | <term><command>decrypt</command> <replaceable>input</replaceable> | |
| 145 | <optional><replaceable>output</replaceable></optional></term> | |
| 146 | ||
| 147 | <listitem><para>Undoes the effect of the <command>encrypt</command> operation: loads the specified | |
| 148 | (encrypted ciphertext) input credential file, decrypts it and writes the (decrypted plaintext) | |
| 149 | version to the specified output credential file.</para> | |
| 150 | ||
| 151 | <para>Takes one or two file system paths. The file name part of the input path is compared with the | |
| 152 | credential name embedded in the encrypted file. If it does not match decryption fails. This is done | |
| 153 | in order to ensure that encrypted credentials are not re-purposed without this being detected. The | |
| 154 | credential name to compare with the embedded credential name may also be overridden with the | |
| 155 | <option>--name=</option> switch. If only one path is specified (or the output path specified as | |
| 156 | <literal>-</literal>) it is taken as input path and the decrypted credential is written to standard | |
| 157 | output. If the input path is specified as <literal>-</literal> the encrypted credential is read from | |
| 158 | standard input. In this mode, the expected name embedded in the credential cannot be derived from the | |
| 159 | path and should be specified explicitly with <option>--name=</option>.</para> | |
| 160 | ||
| 161 | <para>Decrypting credentials requires access to the original TPM2 chip and/or credentials host key, | |
| 162 | see above. Information about which keys are required is embedded in the encrypted credential data, | |
| 163 | and thus decryption is entirely automatic.</para></listitem> | |
| 164 | </varlistentry> | |
| 165 | ||
| 166 | <xi:include href="standard-options.xml" xpointer="help" /> | |
| 167 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 168 | </variablelist> | |
| 169 | </refsect1> | |
| 170 | ||
| 171 | <refsect1> | |
| 172 | <title>Options</title> | |
| 173 | ||
| 174 | <variablelist> | |
| 175 | ||
| 176 | <varlistentry> | |
| 177 | <term><option>--system</option></term> | |
| 178 | ||
| 179 | <listitem><para>When specified with the <command>list</command> and <command>cat</command> commands | |
| 180 | operates on the credentials passed to system as a whole instead of on those passed to the current | |
| 181 | execution context. This is useful in container environments where credentials may be passed in from | |
| 182 | the container manager.</para></listitem> | |
| 183 | </varlistentry> | |
| 184 | ||
| 185 | <varlistentry> | |
| 186 | <term><option>--transcode=</option></term> | |
| 187 | ||
| 188 | <listitem><para>When specified with the <command>cat</command> or <command>decrypt</command> | |
| 189 | commands, transcodes the output before showing it. Takes one of <literal>base64</literal>, | |
| 190 | <literal>unbase64</literal>, <literal>hex</literal> or <literal>unhex</literal> as argument, in order | |
| 191 | to encode/decode the credential data with Base64 or as series of hexadecimal values.</para> | |
| 192 | ||
| 193 | <para>Note that this has no effect on the <command>encrypt</command> command, as encrypted | |
| 194 | credentials are unconditionally encoded in Base64.</para></listitem> | |
| 195 | </varlistentry> | |
| 196 | ||
| 197 | <varlistentry> | |
| 198 | <term><option>--newline=</option></term> | |
| 199 | ||
| 200 | <listitem><para>When specified with <command>cat</command> or <command>decrypt</command> controls | |
| 201 | whether to add a trailing newline character to the end of the output if it doesn't end in one, | |
| 202 | anyway. Takes one of <literal>auto</literal>, <literal>yes</literal> or <literal>no</literal>. The | |
| 203 | default mode of <literal>auto</literal> will suffix the output with a single newline character only | |
| 204 | when writing credential data to a TTY.</para></listitem> | |
| 205 | </varlistentry> | |
| 206 | ||
| 207 | <varlistentry> | |
| 208 | <term><option>--pretty</option></term> | |
| 209 | <term><option>-p</option></term> | |
| 210 | ||
| 211 | <listitem><para>When specified with <command>encrypt</command> controls whether to show the encrypted | |
| 212 | credential as <varname>SetCredentialEncrypted=</varname> setting that may be pasted directly into a | |
| 213 | unit file.</para></listitem> | |
| 214 | </varlistentry> | |
| 215 | ||
| 216 | <varlistentry> | |
| 217 | <term><option>--name=</option><replaceable>name</replaceable></term> | |
| 218 | ||
| 219 | <listitem><para>When specified with the <command>encrypt</command> command controls the credential | |
| 220 | name to embed in the encrypted credential data. If not specified the name is chosen automatically | |
| 221 | from the filename component of the specified output path. If specified as empty string no | |
| 222 | credential name is embedded in the encrypted credential, and no verification of credential name is | |
| 223 | done when the credential is decrypted.</para> | |
| 224 | ||
| 225 | <para>When specified with the <command>decrypt</command> command control the credential name to | |
| 226 | validate the credential name embedded in the encrypted credential with. If not specified the name is | |
| 227 | chosen automatically from the filename component of the specified input path. If no credential name | |
| 228 | is embedded in the encrypted credential file (i.e. the <option>--name=</option> with an empty string | |
| 229 | was used when encrypted) the specified name has no effect as no credential name validation is | |
| 230 | done.</para> | |
| 231 | ||
| 232 | <para>Embedding the credential name in the encrypted credential is done in order to protect against | |
| 233 | reuse of credentials for purposes they weren't originally intended for, under the assumption the | |
| 234 | credential name is chosen carefully to encode its intended purpose.</para></listitem> | |
| 235 | </varlistentry> | |
| 236 | ||
| 237 | <varlistentry> | |
| 238 | <term><option>--timestamp=</option><replaceable>timestamp</replaceable></term> | |
| 239 | ||
| 240 | <listitem><para>When specified with the <command>encrypt</command> command controls the timestamp to | |
| 241 | embed into the encrypted credential. Defaults to the current time. Takes a timestamp specification in | |
| 242 | the format described in | |
| 243 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
| 244 | ||
| 245 | <para>When specified with the <command>decrypt</command> command controls the timestamp to use to | |
| 246 | validate the "not-after" timestamp that was configured with <option>--not-after=</option> during | |
| 247 | encryption. If not specified defaults to the current system time.</para></listitem> | |
| 248 | </varlistentry> | |
| 249 | ||
| 250 | <varlistentry> | |
| 251 | <term><option>--not-after=</option><replaceable>timestamp</replaceable></term> | |
| 252 | ||
| 253 | <listitem><para>When specified with the <command>encrypt</command> command controls the time when the | |
| 254 | credential shall not be used anymore. This embeds the specified timestamp in the encrypted | |
| 255 | credential. During decryption the timestamp is checked against the current system clock, and if the | |
| 256 | timestamp is in the past the decryption will fail. By default no such timestamp is set. Takes a | |
| 257 | timestamp specification in the format described in | |
| 258 | <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem> | |
| 259 | </varlistentry> | |
| 260 | ||
| 261 | <varlistentry> | |
| 262 | <term><option>--with-key=</option></term> | |
| 263 | <term><option>-H</option></term> | |
| 264 | <term><option>-T</option></term> | |
| 265 | ||
| 266 | <listitem><para>When specified with the <command>encrypt</command> command controls the encryption | |
| 267 | key to use. Takes one of <literal>host</literal>, <literal>tpm2</literal>, | |
| 268 | <literal>host+tpm2</literal> or <literal>auto</literal>. See above for details on the three key | |
| 269 | types. If set to <literal>auto</literal> (which is the default) the TPM2 key is used if a TPM2 device | |
| 270 | is found and not running in a container. The host key is used if | |
| 271 | <filename>/var/lib/systemd/</filename> is on persistent media. This means on typical systems the | |
| 272 | encryption is by default bound to both the TPM2 chip and the OS installation, and both need to be | |
| 273 | available to decrypt the credential again. If <literal>auto</literal> is selected but neither TPM2 is | |
| 274 | available (or running in container) nor <filename>/var/lib/systemd/</filename> is on persistent | |
| 275 | media, encryption will fail.</para> | |
| 276 | ||
| 277 | <para>The <option>-H</option> switch is a shortcut for <option>--with-key=host</option>. Similar, | |
| 278 | <option>-T</option> is a shortcut for <option>-with-key=tpm2</option>.</para> | |
| 279 | ||
| 280 | <para>When encrypting credentials that shall be used in the initial RAM disk (initrd) where | |
| 281 | <filename>/var/lib/systemd/</filename> is typically not available make sure to use | |
| 282 | <option>--with-key=tpm2</option> mode, to disable binding against the host secret.</para> | |
| 283 | ||
| 284 | <para>This switch has no effect on the <command>decrypt</command> command, as information on which | |
| 285 | key to use for decryption is included in the encrypted credential already.</para></listitem> | |
| 286 | </varlistentry> | |
| 287 | ||
| 288 | <varlistentry> | |
| 289 | <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term> | |
| 290 | ||
| 291 | <listitem><para>Controls the TPM2 device to use. Expects a device node path referring to the TPM2 | |
| 292 | chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal> | |
| 293 | may be specified, in order to automatically determine the device node of a suitable TPM2 device (of | |
| 294 | which there must be exactly one). The special value <literal>list</literal> may be used to enumerate | |
| 295 | all suitable TPM2 devices currently discovered.</para></listitem> | |
| 296 | </varlistentry> | |
| 297 | ||
| 298 | <varlistentry> | |
| 299 | <term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term> | |
| 300 | ||
| 301 | <listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the encryption | |
| 302 | key to. Takes a <literal>+</literal> separated list of numeric PCR indexes in the range 0…23. If not | |
| 303 | used, defaults to PCR 7 only. If an empty string is specified, binds the encryption key to no PCRs at | |
| 304 | all. For details about the PCRs available, see the documentation of the switch of the same name for | |
| 305 | <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem> | |
| 306 | </varlistentry> | |
| 307 | ||
| 308 | <xi:include href="standard-options.xml" xpointer="no-pager" /> | |
| 309 | <xi:include href="standard-options.xml" xpointer="no-legend" /> | |
| 310 | <xi:include href="standard-options.xml" xpointer="json" /> | |
| 311 | </variablelist> | |
| 312 | </refsect1> | |
| 313 | ||
| 314 | <refsect1> | |
| 315 | <title>Exit status</title> | |
| 316 | ||
| 317 | <para>On success, 0 is returned.</para> | |
| 318 | </refsect1> | |
| 319 | ||
| 320 | <refsect1> | |
| 321 | <title>Examples</title> | |
| 322 | ||
| 323 | <example> | |
| 324 | <title>Encrypt a password for use as credential</title> | |
| 325 | ||
| 326 | <para>The following command line encrypts the specified password <literal>hunter2</literal>, writing the result | |
| 327 | to a file <filename>password.cred</filename>.</para> | |
| 328 | ||
| 329 | <programlisting># echo -n hunter2 | systemd-creds encrypt - password.cred</programlisting> | |
| 330 | ||
| 331 | <para>This decrypts the file <filename>password.cred</filename> again, revealing the literal password:</para> | |
| 332 | ||
| 333 | <programlisting># systemd-creds decrypt password.cred | |
| 334 | hunter2</programlisting> | |
| 335 | </example> | |
| 336 | ||
| 337 | <example> | |
| 338 | <title>Encrypt a password and include it in a unit file</title> | |
| 339 | ||
| 340 | <para>The following command line prompts the user for a password and generates a | |
| 341 | <varname>SetCredentialEncrypted=</varname> line from it for a credential named | |
| 342 | <literal>mysql-password</literal>, suitable for inclusion in a unit file.</para> | |
| 343 | ||
| 344 | <programlisting># systemd-ask-password -n | systemd-creds encrypt --name=mysql-password -p - - | |
| 345 | 🔐 Password: **** | |
| 346 | SetCredentialEncrypted=mysql-password: \ | |
| 347 | k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAASfFsBoPLIm/dlDoGAAAAAAAAAA \ | |
| 348 | NAAAAAgAAAAAH4AILIOZ3w6rTzYsBy9G7liaCAd4i+Kpvs8mAgArzwuKxd0ABDjgSeO5k \ | |
| 349 | mKQc58zM94ZffyRmuNeX1lVHE+9e2YD87KfRFNoDLS7F3YmCb347gCiSk2an9egZ7Y0Xs \ | |
| 350 | 700Kr6heqQswQEemNEc62k9RJnEl2q7SbcEYguegnPQUATgAIAAsAAAASACA/B90W7E+6 \ | |
| 351 | yAR9NgiIJvxr9bpElztwzB5lUJAxtMBHIgAQACCaSV9DradOZz4EvO/LSaRyRSq2Hj0ym \ | |
| 352 | gVJk/dVzE8Uxj8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciyageTfrVEer8z5 \ | |
| 353 | 9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/A==</programlisting> | |
| 354 | ||
| 355 | <para>The generated line can be pasted 1:1 into a unit file, and will ensure the acquired password will | |
| 356 | be made available in the <varname>$CREDENTIALS_DIRECTORY</varname><filename>/mysql-password</filename> | |
| 357 | credential file for the started service.</para> | |
| 358 | ||
| 359 | <para>Utilizing the unit file drop-in logic this can be used to securely pass a password credential to | |
| 360 | a unit. A similar, more comprehensive set of commands to insert a password into a service | |
| 361 | <filename>xyz.service</filename>:</para> | |
| 362 | ||
| 363 | <programlisting># mkdir -p /etc/systemd/system/xyz.service.d | |
| 364 | # systemd-ask-password -n | systemd-creds encrypt --name=mysql-password -p - - > /etc/systemd/system/xyz.service.d/50-password.conf | |
| 365 | # systemctl daemon-reload | |
| 366 | # systemctl restart xyz.service</programlisting> | |
| 367 | </example> | |
| 368 | </refsect1> | |
| 369 | ||
| 370 | <refsect1> | |
| 371 | <title>See Also</title> | |
| 372 | <para> | |
| 373 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 374 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
| 375 | </para> | |
| 376 | </refsect1> | |
| 377 | ||
| 378 | </refentry> |