diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml
index 5f52540e84e..2650dddd7ea 100644
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@@ -214,6 +214,36 @@
+
+
+
+ When specified with the encrypt and decrypt
+ commands encrypts a user-scoped (rather than a system-scoped) credential. Use
+ to select which user the credential is from. Such credentials may only be decrypted from the
+ specified user's context, except if privileges can be acquired. Generally, when an encrypted
+ credential shall be used in the per-user service manager it should be encrypted with this option set,
+ when it shall be used in the system service manager it should be encypted without.
+
+ Internally, this ensures that the selected user's numeric UID and username, as well as the
+ system's
+ machine-id5 are
+ incorporated into the encryption key.
+
+
+
+
+
+
+
+ Specifies the user to encrypt the credential for. Takes a user name or numeric
+ UID. If set, implies . If set to the special string self
+ sets the user to the user of the calling process. If is used without
+ then is implied, i.e. the credential is encrypted
+ for the calling user.
+
+
+
+
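Review bot: Typo in the --user option description: "it should be encypted without" should read "encrypted". Also, "except if privileges can be acquired" is left unexplained in the option text; consider stating that the protection is a key-derivation binding (the UID, username and machine-id are mixed into the key, as the following paragraph says) rather than an access-control check, so readers do not assume a privileged process is prevented from decrypting another user's credential.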
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 42e6ff8fd75..ca20e6e3081 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3396,6 +3396,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
systemd.resource-control5
for the details about DevicePolicy= or DeviceAllow=.
+ Note that encrypted credentials targeted for services of the per-user service manager must be
+ encrypted with systemd-creds encrypt --user, and those for the system service
+ manager without the switch. Encrypted credentials are always targeted to a
+ specific user or the system as a whole, and it is ensured that per-user service managers cannot
+ decrypt secrets intended for the system or for other users.
+
The credential files/IPC sockets must be accessible to the service manager, but don't have to
be directly accessible to the unit's processes: the credential data is read and copied into separate,
read-only copies for the unit that are accessible to appropriately privileged processes. This is
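Review bot: The new paragraph states flatly that "per-user service managers cannot decrypt secrets intended for the system or for other users", while the systemd-creds.xml hunk in this same patch qualifies the same guarantee with "except if privileges can be acquired". The two man pages should use consistent wording; suggest adding the same qualification here, or pointing to systemd-creds(1) for the exact scope of the protection.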