'\" t
.TH "SYSTEMD\&.SYSTEM\-CREDENTIALS" "7" "" "systemd 256~rc3" "systemd.system-credentials"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd.system-credentials \- System Credentials
.SH "DESCRIPTION"
.PP
\m[blue]\fBSystem and Service Credentials\fR\m[]\&\s-2\u[1]\d\s+2
are data objects that may be passed into booted systems or system services as they are invoked\&. They can be acquired from various external sources, and propagated into the system and from there into system services\&. Credentials may optionally be encrypted with a machine\-specific key and/or locked to the local TPM2 device, and are only decrypted when the consuming service is invoked\&.
.PP
System credentials may be used to provision and configure various aspects of the system\&. Depending on the consuming component credentials are only used on initial invocations or are needed for all invocations\&.
.PP
Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets, certificates, cryptographic key material, identity information, configuration, and more\&.
.SH "WELL KNOWN SYSTEM CREDENTIALS"
.PP
\fIfirstboot\&.keymap\fR
.RS 4
The console key mapping to set (e\&.g\&.
"de")\&. Read by
\fBsystemd-firstboot\fR(1), and only honoured if no console keymap has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIfirstboot\&.locale\fR, \fIfirstboot\&.locale\-messages\fR
.RS 4
The system locale to set (e\&.g\&.
"de_DE\&.UTF\-8")\&. Read by
\fBsystemd-firstboot\fR(1), and only honoured if no locale has been configured before\&.
\fIfirstboot\&.locale\fR
sets
"LANG", while
\fIfirstboot\&.locale\-message\fR
sets
"LC_MESSAGES"\&.
.sp
Added in version 252\&.
.RE
.PP
\fIfirstboot\&.timezone\fR
.RS 4
The system timezone to set (e\&.g\&.
"Europe/Berlin")\&. Read by
\fBsystemd-firstboot\fR(1), and only honoured if no system timezone has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIlogin\&.issue\fR
.RS 4
The data of this credential is written to
/etc/issue\&.d/50\-provision\&.conf, if the file doesn\*(Aqt exist yet\&.
\fBagetty\fR(8)
reads this file and shows its contents at the login prompt of terminal logins\&. See
\fBissue\fR(5)
for details\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fIlogin\&.motd\fR
.RS 4
The data of this credential is written to
/etc/motd\&.d/50\-provision\&.conf, if the file doesn\*(Aqt exist yet\&.
\fBpam_motd\fR(8)
reads this file and shows its contents as "message of the day" during terminal logins\&. See
\fBmotd\fR(5)
for details\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fInetwork\&.hosts\fR
.RS 4
The data of this credential is written to
/etc/hosts, if the file doesn\*(Aqt exist yet\&. See
\fBhosts\fR(5)
for details\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fInetwork\&.dns\fR, \fInetwork\&.search_domains\fR
.RS 4
DNS server information and search domains\&. Read by
\fBsystemd-resolved.service\fR(8)\&.
.sp
Added in version 253\&.
.RE
.PP
\fInetwork\&.conf\&.*\fR, \fInetwork\&.link\&.*\fR, \fInetwork\&.netdev\&.*\fR, \fInetwork\&.network\&.*\fR
.RS 4
Configures network devices\&. Read by
\fBsystemd-network-generator.service\fR(8)\&. These credentials should contain valid
\fBnetworkd.conf\fR(5),
\fBsystemd.link\fR(5),
\fBsystemd.netdev\fR(5),
\fBsystemd.network\fR(5)
configuration data\&. From each matching credential a separate file is created\&. Example: the contents of a credential
network\&.link\&.50\-foobar
will be copied into a file
50\-foobar\&.link\&.
.sp
Note that the resulting files are created world\-readable, it\*(Aqs hence recommended to not include secrets in these credentials, but supply them via separate credentials directly to
systemd\-networkd\&.service, e\&.g\&.
\fInetwork\&.wireguard\&.*\fR
as described below\&.
.sp
Added in version 256\&.
.RE
.PP
\fInetwork\&.wireguard\&.*\fR
.RS 4
Configures secrets for WireGuard netdevs\&. Read by
\fBsystemd-networkd.service\fR(8)\&. For more information, refer to the
\fB[WireGuard]\fR
section of
\fBsystemd.netdev\fR(5)\&.
.sp
Added in version 256\&.
.RE
.PP
\fIpasswd\&.hashed\-password\&.root\fR, \fIpasswd\&.plaintext\-password\&.root\fR
.RS 4
May contain the password (either in UNIX hashed format, or in plaintext) for the root users\&. Read by both
\fBsystemd-firstboot\fR(1)
and
\fBsystemd-sysusers\fR(1), and only honoured if no root password has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIpasswd\&.shell\&.root\fR
.RS 4
The path to the shell program (e\&.g\&.
"/bin/bash") for the root user\&. Read by both
\fBsystemd-firstboot\fR(1)
and
\fBsystemd-sysusers\fR(1), and only honoured if no root shell has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIssh\&.authorized_keys\&.root\fR
.RS 4
The data of this credential is written to
/root/\&.ssh/authorized_keys, if the file doesn\*(Aqt exist yet\&. This allows provisioning SSH access for the system\*(Aqs root user\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fIssh\&.listen\fR
.RS 4
May be used to configure SSH sockets the system shall be reachable on\&. See
\fBsystemd-ssh-generator\fR(8)
for details\&.
.sp
Added in version 256\&.
.RE
.PP
\fIsysusers\&.extra\fR
.RS 4
Additional
\fBsysusers.d\fR(5)
lines to process during boot\&.
.sp
Added in version 252\&.
.RE
.PP
\fIsysctl\&.extra\fR
.RS 4
Additional
\fBsysctl.d\fR(5)
lines to process during boot\&.
.sp
Added in version 252\&.
.RE
.PP
\fItmpfiles\&.extra\fR
.RS 4
Additional
\fBtmpfiles.d\fR(5)
lines to process during boot\&.
.sp
Added in version 252\&.
.RE
.PP
\fIfstab\&.extra\fR
.RS 4
Additional mounts to establish at boot\&. For details, see
\fBsystemd-fstab-generator\fR(8)\&.
.sp
Added in version 254\&.
.RE
.PP
\fIvconsole\&.keymap\fR, \fIvconsole\&.keymap_toggle\fR, \fIvconsole\&.font\fR, \fIvconsole\&.font_map\fR, \fIvconsole\&.font_unimap\fR
.RS 4
Console settings to apply, see
\fBsystemd-vconsole-setup.service\fR(8)
for details\&.
.sp
Added in version 253\&.
.RE
.PP
\fIgetty\&.ttys\&.serial\fR, \fIgetty\&.ttys\&.container\fR
.RS 4
Used for spawning additional login prompts, see
\fBsystemd-getty-generator\fR(8)
for details\&.
.sp
Added in version 254\&.
.RE
.PP
\fIjournal\&.forward_to_socket\fR
.RS 4
Used by
\fBsystemd-journald\fR(8)
to determine where to forward log messages for socket forwarding, see
\fBjournald.conf\fR(5)
for details\&.
.sp
Added in version 256\&.
.RE
.PP
\fIjournal\&.storage\fR
.RS 4
Used by
\fBsystemd-journald\fR(8)
to determine where to store journal files, see
\fBjournald.conf\fR(5)
for details\&.
.sp
Added in version 256\&.
.RE
.PP
\fIvmm\&.notify_socket\fR
.RS 4
Configures an
\fBsd_notify\fR(3)
compatible
\fBAF_VSOCK\fR
socket the service manager will report status information, ready notification and exit status on\&. For details see
\fBsystemd\fR(1)\&.
.sp
Added in version 253\&.
.RE
.PP
\fIsystem\&.machine_id\fR
.RS 4
Takes a 128bit ID to initialize the machine ID from (if it is not set yet)\&. Interpreted by the service manager (PID 1)\&. For details see
\fBsystemd\fR(1)\&.
.sp
Added in version 254\&.
.RE
.PP
\fIsystem\&.hostname\fR
.RS 4
Accepts a (transient) hostname to configure during early boot\&. The static hostname specified in
/etc/hostname, if configured, takes precedence over this setting\&. Interpreted by the service manager (PID 1)\&. For details see
\fBsystemd\fR(1)\&.
.sp
Added in version 254\&.
.RE
.PP
\fIhome\&.create\&.*\fR
.RS 4
Creates a home area for the specified user with the user record data passed in\&. For details see
\fBhomectl\fR(1)\&.
.sp
Added in version 256\&.
.RE
.PP
\fIcryptsetup\&.passphrase\fR, \fIcryptsetup\&.tpm2\-pin\fR, \fIcryptsetup\&.fido2\-pin\fR, \fIcryptsetup\&.pkcs11\-pin\fR, \fIcryptsetup\&.luks2\-pin\fR
.RS 4
Specifies the passphrase/PINs to use for unlock encrypted storage volumes\&. For details see
\fBsystemd-cryptsetup\fR(8)\&.
.sp
Added in version 256\&.
.RE
.PP
\fIsystemd\&.extra\-unit\&.*\fR, \fIsystemd\&.unit\-dropin\&.*\fR
.RS 4
These credentials specify extra units and drop\-ins to add to the system\&. For details see
\fBsystemd-debug-generator\fR(8)\&.
.sp
Added in version 256\&.
.RE
.PP
\fIudev\&.conf\&.*\fR, \fIudev\&.rules\&.*\fR
.RS 4
Configures udev configuration file and udev rules\&. Read by
systemd\-udev\-load\-credentials\&.service, which invokes
\fBudevadm control \-\-load\-credentials\fR\&. These credentials directly translate to a matching
\fBudev.conf\fR(5)
or
\fBudev\fR(7)
rules file\&. Example: the contents of a credential
udev\&.conf\&.50\-foobar
will be copied into a file
/run/udev/udev\&.conf\&.d/50\-foobar\&.conf, and
udev\&.rules\&.50\-foobar
will be copied into a file
/run/udev/rules\&.d/50\-foobar\&.rules\&. See
\fBudev\fR(7),
\fBudev.conf\fR(5), and
\fBudevadm\fR(8)
for details\&.
.sp
Added in version 256\&.
.RE
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1), \fBkernel-command-line\fR(7), \fBsmbios-type-11\fR(7)
.SH "NOTES"
.IP " 1." 4
System and Service Credentials
.RS 4
\%https://systemd.io/CREDENTIALS
.RE