diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml index 5f52540e84e..2650dddd7ea 100644 --- a/man/systemd-creds.xml +++ b/man/systemd-creds.xml @@ -214,6 +214,36 @@ + + + + When specified with the encrypt and decrypt + commands encrypts a user-scoped (rather than a system-scoped) credential. Use + to select which user the credential is from. Such credentials may only be decrypted from the + specified user's context, except if privileges can be acquired. Generally, when an encrypted + credential shall be used in the per-user service manager it should be encrypted with this option set, + when it shall be used in the system service manager it should be encypted without. + + Internally, this ensures that the selected user's numeric UID and username, as well as the + system's + machine-id5 are + incorporated into the encryption key. + + + + + + + + Specifies the user to encrypt the credential for. Takes a user name or numeric + UID. If set, implies . If set to the special string self + sets the user to the user of the calling process. If is used without + then is implied, i.e. the credential is encrypted + for the calling user. + + + + diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 42e6ff8fd75..ca20e6e3081 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -3396,6 +3396,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX systemd.resource-control5 for the details about DevicePolicy= or DeviceAllow=. + Note that encrypted credentials targeted for services of the per-user service manager must be + encrypted with systemd-creds encrypt --user, and those for the system service + manager without the switch. Encrypted credentials are always targeted to a + specific user or the system as a whole, and it is ensured that per-user service managers cannot + decrypt secrets intended for the system or for other users. + The credential files/IPC sockets must be accessible to the service manager, but don't have to be directly accessible to the unit's processes: the credential data is read and copied into separate, read-only copies for the unit that are accessible to appropriately privileged processes. This is