
systemd-creds allow per-service custom decryption keys #32734

Open
dinetxum opened this issue May 9, 2024 · 0 comments
Labels
creds pid1 RFE 🎁 Request for Enhancement, i.e. a feature request

Comments


dinetxum commented May 9, 2024

Component

other

Is your feature request related to a problem? Please describe

Most dedicated servers are delivered with an unencrypted system.

Describe the solution you'd like

Allow a per-service custom credentials decryption key configuration option:

UseHostPrivateKey
UseTpmPublicKey

Usage example

Generate per-service custom host decryption key

systemd-creds setup
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.

Save to encrypted volume

cp /var/lib/systemd/credential.secret /encrypted/volume/private/key/here/credential.secret

Delete key

rm -f /var/lib/systemd/credential.secret

Generate default host decryption key

systemd-creds setup
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.

Print service systemd configuration file

cat '/etc/systemd/system/dinetxum-stage@testnet1.service.d/credentials.conf'

[Service]
SetCredentialEncrypted=public_key_name: \...CREDENTIAL_HERE_PART_1...==
SetCredentialEncrypted=private_key_name: \...CREDENTIAL_HERE_PART_2...==

UseHostPrivateKey=/encrypted/volume/private/key/here/credential.secret
#UseTpmPublicKey=/encrypted/volume/public.pem

Reload daemon

systemctl daemon-reload

Start service

systemctl start 'dinetxum-stage@testnet1'

Use of decrypted service credentials

Read it from related service

Describe alternatives you've considered

  • Bind mount, difficult to manage.
  • Symbolic link, does not work.
  • Full encryption, not available at all.
  • Copy & delete host key (/var/lib/systemd/credential.secret) each time, does not work with system hard reset or reboot.
  • Use tmpfs with /var/lib/systemd/ and copy from encrypted volume, difficult to manage.
  • ...

The systemd version you checked that didn't have the feature you are asking for

255

@dinetxum dinetxum added the RFE 🎁 Request for Enhancement, i.e. a feature request label May 9, 2024