man: make clear that encrypted credentials are also authenticated

We use authenticated encryption, and that deserves mention. This in
particular relevant as the fact they are authenticated makes the
credentials useful as initrd parameterization items.

man/systemd-creds.xml

@@ -90,7 +90,7 @@
         <term><command>encrypt</command> <replaceable>input|-</replaceable> <replaceable>output|-</replaceable></term>
 
         <listitem><para>Loads the specified (unencrypted plaintext) input credential file, encrypts it and
-        writes the (encrypted ciphertext) version to the specified output credential file. The resulting file
+        writes the (encrypted ciphertext) output to the specified target credential file. The resulting file
         may be referenced in the <varname>LoadCredentialEncrypted=</varname> setting in unit files, or its
         contents used literally in <varname>SetCredentialEncrypted=</varname> settings.</para>
 
@@ -102,8 +102,8 @@
         output path is specified as <literal>-</literal> the credential name cannot be derived from the file
         system path, and thus should be specified explicitly via the <option>--name=</option> switch.</para>
 
-        <para>The credential data is encrypted symmetrically with one of the following encryption
+        <para>The credential data is encrypted and authenticated symmetrically with one of the following
-        keys:</para>
+        encryption keys:</para>
 
         <orderedlist>
           <listitem><para>A secret key automatically derived from the system's TPM2 chip. This encryption key
@@ -145,8 +145,8 @@
         <optional><replaceable>output|-</replaceable></optional></term>
 
         <listitem><para>Undoes the effect of the <command>encrypt</command> operation: loads the specified
-        (encrypted ciphertext) input credential file, decrypts it and writes the (decrypted plaintext)
+        (encrypted ciphertext) input credential file, decrypts and authenticates it and writes the (decrypted
-        version to the specified output credential file.</para>
+        plaintext) output to the specified target credential file.</para>
 
         <para>Takes one or two file system paths. The file name part of the input path is compared with the
         credential name embedded in the encrypted file. If it does not match decryption fails. This is done

man/systemd.exec.xml

@@ -3054,18 +3054,19 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
         loading from a directory, symlinks will be ignored.</para>
 
         <para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to
-        <varname>LoadCredential=</varname>, except that the credential data is decrypted before being passed
+        <varname>LoadCredential=</varname>, except that the credential data is decrypted and authenticated
-        on to the executed processes. Specifically, the referenced path should refer to a file or socket with
+        before being passed on to the executed processes. Specifically, the referenced path should refer to a
-        an encrypted credential, as implemented by
+        file or socket with an encrypted credential, as implemented by
         <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This
-        credential is loaded, decrypted and then passed to the application in decrypted plaintext form, in
+        credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
-        the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
+        in the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
-        credential configured this way may encrypted with a secret key derived from the system's TPM2
+        credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
-        security chip, or with a secret key stored in
+        from the system's TPM2 security chip, or with a secret key stored in
-        <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials
+        <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted and
-        improves security as credentials are not stored in plaintext and only decrypted into plaintext the
+        authenticated credentials improves security as credentials are not stored in plaintext and only
-        moment a service requiring them is started. Moreover, credentials may be bound to the local hardware
+        authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
-        and installations, so that they cannot easily be analyzed offline.</para>
+        credentials may be bound to the local hardware and installations, so that they cannot easily be
+        analyzed offline, or be generated externally.</para>
 
         <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
         be directly accessible to the unit's processes: the credential data is read and copied into separate,