Re: Using systemd-creds for sharing secrets between services

On Di, 11.07.23 08:10, Orit Kashany (okashany@xxxxxxxxxx) wrote:

> Hi,
>
> I have one service that securely receives a user password. I need to
> send this password to another service without transmitting it as
> plaintext over D-Bus, considering security aspects.
>
> I came across systemd-creds. I managed to enable openssl in systemd
> compilation and to encrypt/decrypt a file from the
> terminal. However, I haven’t found any examples of how to use
> systemd-creds in a C++ program. Are there any relevant APIs in
> system-devel? If so, what is the exact API I should use to encrypt
> data in one service and decrypt it in another?

Right now, encryption happens with the "systemd-creds" tool only.

Decryption happens usually during service activation, i.e. all
encrypted credentials configured for the service via
ImportCredential=, LoadCredentialEncrypted=, SetCredentialEncrypted=
will be decrypted when it is activated and are then accessible as simple
files from $CREDENTIALS_DIRECTORY.

Alternatively, you can also decrypt via "systemd-creds".

We currently offer no library calls that can encrypt/decrypt
credentials this way. And frankly, it's unlikely that we'll add that,
since this involves communication with the TPM chip, which is
something we don't expect regular apps to have access to. However, we
do want to provide an API for applications via IPC eventually, which
can do more or less what "systemd-creds" can do. Until then, the way
to go is shelling out to the tool.

Lennart

--
Lennart Poettering, Berlin


