systemd-creds

Encrypt file with name

$ systemd-creds encrypt --name [name] [input] [output]

$ systemd-creds decrypt [input] [output]

$ echo -n [text] | systemd-creds encrypt --name [name] - [output]

$ echo -n [text] | systemd-creds encrypt --name [name] --pretty - - >> [unit.service]

$ systemd-creds encrypt --not-after "[timestamp]" [input] [output]

systemd-creds [OPTIONS] COMMAND

systemd-creds manages encrypted credentials for systemd services. Credentials are encrypted secrets that can be securely passed to services via the `$CREDENTIALS_DIRECTORY` mechanism.
Credentials can be encrypted with the host key, TPM2, or both. They support time-based expiry and can be embedded directly in unit files using the `--pretty` format.

--name= NAME

Set credential name

Output in format suitable for unit files

Set credential expiry time

Encryption key source (host, tpm2, etc.)

encrypt INPUT OUTPUT

Encrypt a credential

Decrypt a credential

List available credentials

Show credential content

Host-encrypted credentials are tied to the specific machine. TPM2-encrypted credentials require TPM hardware. Credentials must be decrypted by systemd, not manually accessible to services.

systemd-creds was added to provide secure secret management for services, replacing environment variables and world-readable files for storing sensitive configuration.

systemd.exec(5), systemctl(1)