<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="pam_systemd_loadkey" conditional='HAVE_PAM' xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>pam_systemd_loadkey</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>pam_systemd_loadkey</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>pam_systemd_loadkey</refname>
    <refpurpose>Read password from kernel keyring and set it as PAM authtok</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>pam_systemd_loadkey.so</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
    and sets the last password in the list as the PAM authtok.</para>

    <para>The password list is supposed to be stored in the "user" keyring of the root user,
    by an earlier call to
    <citerefentry><refentrytitle>systemd-ask-password</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    with <option>--keyname=</option>.
    You can pass the keyname to <command>pam_systemd_loadkey</command> via the <option>keyname=</option> option.</para>

  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist class='pam-directives'>

      <varlistentry>
        <term><varname>keyname=</varname></term>

        <listitem><para>Takes a string argument which sets the keyname to read.
        The default is <literal>cryptsetup</literal>.
        During boot,
        <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        stores a passphrase or PIN in the keyring.
        The LUKS2 volume key can also be used, via the <option>link-volume-key</option> option in
        <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

        <table>
          <title>
            Possible values for <varname>keyname</varname>.
          </title>

          <tgroup cols='2'>
            <colspec colname='value' />
            <colspec colname='description' />
            <thead>
              <row>
                <entry>Value</entry>
                <entry>Description</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>cryptsetup</entry>
                <entry>Passphrase or recovery key</entry>
              </row>
              <row>
                <entry>fido2-pin</entry>
                <entry>Security token PIN</entry>
              </row>
              <row>
                <entry>luks2-pin</entry>
                <entry>LUKS2 token PIN</entry>
              </row>
              <row>
                <entry>tpm2-pin</entry>
                <entry>TPM2 PIN</entry>
              </row>
            </tbody>
          </tgroup>
        </table>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>debug</varname></term>

        <listitem><para>The module will log debugging information as it operates.</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>This module is intended to be used when you use LUKS with a passphrase, enable autologin in the display
    manager, and want to unlock Gnome Keyring / KDE KWallet automatically. So in total, you only enter one password
    during boot.</para>

    <para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
    Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>

    <programlisting>
-auth optional pam_systemd_loadkey.so
-auth optional pam_gnome_keyring.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
    </programlisting>

    <para>And add the following lines to your display manager's systemd service file, so it can access root's keyring:</para>

    <programlisting>
[Service]
KeyringMode=inherit
    </programlisting>

    <para>In this setup, early during the boot process,
    <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
    Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
    set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
  </refsect1>
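As an added example (not systemd's own source, and a simplification of the real module), the following C program does what the Description and Example sections describe: it looks up the "user"-type key named cryptsetup in the caller's user keyring with raw keyctl(2), takes the last entry of the NUL-separated list as the would-be authtok, and wipes the buffers afterwards. It assumes Linux, root, and a key already stored by systemd-cryptsetup@.service or systemd-ask-password --keyname=; the helper names last_password, wipe and read_keyring_list are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

/* Last entry of "pw1\0pw2\0...pwN" (trailing NUL optional): the password that
 * systemd-ask-password --keyname= stored most recently. Returns its length or -1. */
ssize_t last_password(const char *list, size_t len, char *out, size_t out_size) {
    while (len > 0 && list[len - 1] == '\0')    /* ignore trailing NULs */
        len--;
    if (len == 0) return -1;                     /* empty list: no authtok */
    size_t start = len;
    while (start > 0 && list[start - 1] != '\0') /* back up to the separator */
        start--;
    size_t n = len - start;
    if (n + 1 > out_size) return -1;             /* entry does not fit */
    memcpy(out, list + start, n);
    out[n] = '\0';
    return (ssize_t) n;
}

/* Wipe secret material; volatile stops the compiler dropping the stores. */
void wipe(char *buf, size_t len) {
    volatile char *p = buf;
    while (len--) *p++ = 0;
}

/* Read the "user"-type key named keyname from the caller's user keyring with
 * raw keyctl(2). Assumption: this mirrors the module's lookup; it needs root
 * and the key present, as in the setup the man page describes. */
ssize_t read_keyring_list(const char *keyname, char *buf, size_t buf_size) {
    long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_USER_KEYRING, "user", keyname, 0);
    if (id < 0) return -1;                       /* errno set by the kernel */
    long n = syscall(SYS_keyctl, KEYCTL_READ, (int) id, buf, buf_size);
    if (n > (long) buf_size) { errno = ERANGE; n = -1; } /* payload truncated */
    return n;
}

int main(void) {
    char list[4096], pw[256];
    ssize_t len = read_keyring_list("cryptsetup", list, sizeof list);
    ssize_t n = len < 0 ? -1 : last_password(list, (size_t) len, pw, sizeof pw);
    printf("%s\n", n < 0 ? "no password in keyring" : "password ready for authtok");
    wipe(list, sizeof list); wipe(pw, sizeof pw);   /* never print the secret */
    return n < 0;
}
```

Run it as root after boot on a system configured as above; it reports only whether a usable entry exists, never the value.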

</refentry>