docs: document $PASSWORD in ENVIRONMENT.md

Fixes: #20955
2025-01-08 21:17:47 +03:00 · 2021-10-28 10:51:12 +02:00 · 2021-10-28 10:51:12 +02:00 · c04358ce84
commit c04358ce84
parent 7ea5e82f6a
1 changed files with 15 additions and 0 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -386,3 +386,18 @@ disk images with `--image=` or similar:
  whether to use the libcryptsetup "token" plugin module logic even when
  activating via FIDO2, PKCS#11, TPM2, i.e. mechanisms natively supported by
  `systemd-cryptsetup`. Defaults to enabled.
+
+Various tools that read passwords from the TTY, such as `systemd-cryptenroll`
+and `homectl`:
+
+* `$PASSWORD` — takes a string: the literal password to use. If this
+  environment variable is set it is used as password instead of prompting the
+  user interactively. This exists primarily for debugging and testing
+  purposes. Do not use this for production code paths, since environment
+  variables are typically inherited down the process tree without restrictions
+  and should thus not be used for secrets.
+
+* `$NEWPASSWORD` — similar to `$PASSWORD` above, but is used when both a
+  current and a future password are required, for example if the password is to
+  be changed. In that case `$PASSWORD` shall carry the current (i.e. old)
+  password and `$NEWPASSWORD` the new.