gpt-auto-generator: Pass cryptsetup credentials to cryptsetup

cryptsetup reads a bunch of credentials now but we don't pass import those in any service units yet. Let's pass through all cryptsetup prefixed credentials to the systemd-cryptsetup@root instance.
2026-04-14 00:14:32 +09:00 · 2023-12-03 20:19:08 +01:00
parent d50bf46f19
commit b952663cd1
2 changed files with 54 additions and 1 deletions
--- a/man/systemd-cryptsetup.xml
+++ b/man/systemd-cryptsetup.xml
@@ -3,7 +3,7 @@
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="systemd-cryptsetup" conditional='HAVE_LIBCRYPTSETUP'>
+<refentry id="systemd-cryptsetup" conditional='HAVE_LIBCRYPTSETUP' xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-cryptsetup</title>
@@ -104,6 +104,58 @@
    <para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para>
  </refsect1>

+  <refsect1>
+    <title>System Credentials</title>
+
+    <para><command>systemd-cryptsetup</command> supports the service credentials logic as implemented by
+    <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+    (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+    details). The following credentials are used by <literal>systemd-crypsetup@root.service</literal>
+    (generated by <command>systemd-gpt-auto-generator</command>) when passed in:</para>
+
+    <variablelist class='system-credentials'>
+      <varlistentry>
+        <term><varname>cryptsetup.passphrase</varname></term>
+
+        <listitem><para>This credential specifies the passphrase of the LUKS volume.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.fido2-pin</varname></term>
+
+        <listitem><para>This credential specifies the FIDO2 token pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.tpm2-pin</varname></term>
+
+        <listitem><para>This credential specifies the TPM pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.luks2-pin</varname></term>
+
+        <listitem><para>This credential specifies the LUKS2 token pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.pkcs11-pin</varname></term>
+
+        <listitem><para>This credential specifies the PKCS11 token pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>See Also</title>
    <para>