# systemd-age-creds

Load age encrypted credentials in systemd units.
At the moment, systemd-creds only supports symmetric encryption, which requires secrets to be encrypted on the machine with the TPM itself. Adding more is on the systemd TODO list to do one day, though.

Solutions like SOPS allow secrets to be encrypted elsewhere, checked into git and then decrypted only on the deployment host. It would be nice if a similar pattern could be applied to systemd credentials.
systemd-age-creds provides a credential server over an AF_UNIX socket that serves age encrypted credentials to systemd units via `LoadCredential=`.
## Usage

### systemd-age-creds.socket

```ini
[Unit]
Description=age credential socket

[Socket]
ListenStream=%t/systemd-age-creds.sock
SocketMode=0600
Service=systemd-age-creds.service

[Install]
WantedBy=sockets.target
```

### systemd-age-creds.service

```ini
[Unit]
Description=age credential server
Requires=systemd-age-creds.socket
# After=tpm

[Service]
Type=simple
ExecStart=/path/to/bin/systemd-age-creds -i /path/to/age-key.txt /path/to/secrets
```

### foo.service

```ini
[Service]
ExecStart=/usr/bin/myservice.sh
# Instead of loading a symmetrically encrypted systemd credential from a file,
# LoadCredentialEncrypted=foobar:/etc/credstore/myfoobarcredential.txt
#
# you can load the credential by id from the systemd-age-creds socket.
LoadCredential=foobar:%t/systemd-age-creds.sock
```
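To make concrete what "credential server over an AF_UNIX socket" means, here is an added Python sketch (not the project's own code, which is a separate binary): systemd connects to the `LoadCredential=` socket from an abstract-namespace address of the form `@<random>/unit/<unit>/<credential id>`, so the server reads `getpeername()` to learn which credential is being requested, decrypts `<id>.age` from the secrets directory and writes the plaintext back. The `demo()` round trip and its reversed-bytes stand-in for age are constructed so it runs offline; `age_decrypt` shows where the real `age -d -i` call belongs.

```python
import os, re, socket, subprocess, tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# systemd binds the connecting side of a LoadCredential= socket to the abstract address
# "@<random hex>/unit/<unit>/<credential id>"; getpeername() returns it with a leading NUL.
PEER_RE = re.compile(rb"\x00[0-9a-f]+/unit/([^/\x00]+)/([A-Za-z0-9_.-]+)")

def parse_peer(peer: bytes) -> tuple[str, str]:
    """Return (unit, credential id) from the client's bound address, or raise."""
    m = PEER_RE.fullmatch(peer)
    if not m:
        raise ValueError(f"unexpected peer address: {peer!r}")
    return m.group(1).decode(), m.group(2).decode()

def age_decrypt(identity: Path, ciphertext: bytes) -> bytes:
    """What a real server runs: `age -d -i IDENTITY` reads the ciphertext on stdin."""
    return subprocess.run(["age", "-d", "-i", str(identity)], input=ciphertext,
                          check=True, capture_output=True).stdout

def serve_one(listener: socket.socket, directory: Path, decrypt) -> tuple[str, str]:
    """Accept one connection and answer it with the decrypted <id>.age file."""
    conn, _ = listener.accept()
    with conn:
        unit, cred_id = parse_peer(conn.getpeername())
        # PEER_RE limits cred_id to one path component, so it cannot escape directory.
        conn.sendall(decrypt((directory / f"{cred_id}.age").read_bytes()))
        conn.shutdown(socket.SHUT_WR)  # EOF tells the client the credential is complete
    return unit, cred_id

def request_credential(sock_path: str, unit: str, cred_id: str) -> bytes:
    """Mimic systemd's client side: bind to the abstract address, connect, read to EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.bind(b"\x00" + f"{os.urandom(8).hex()}/unit/{unit}/{cred_id}".encode())
        c.connect(sock_path)
        return b"".join(iter(lambda: c.recv(4096), b""))

def demo(unit: str = "foo.service", cred_id: str = "foobar"):
    """Constructed offline round trip: reversed bytes stand in for age encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        directory, sock_path = Path(tmp), os.path.join(tmp, "systemd-age-creds.sock")
        (directory / f"{cred_id}.age").write_bytes(b"s3cret-value"[::-1])
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(sock_path)
            os.chmod(sock_path, 0o600)  # same effect as SocketMode=0600 in the unit above
            listener.listen(1)
            with ThreadPoolExecutor(1) as pool:
                fut = pool.submit(serve_one, listener, directory, lambda ct: ct[::-1])
                data = request_credential(sock_path, unit, cred_id)
    return data, fut.result()
```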
## Nix

This project was originally written to meet the needs of NixOS systems, but nothing about the service itself depends on Nix. If you are using NixOS, you can use this repository as a flake input to get access to NixOS modules that make defining the necessary system units easier.

```nix
{ config, inputs, ... }: {
  imports = [ inputs.systemd-age-creds.nixosModules.default ];

  services.systemd-age-creds = {
    enable = true;
    identity = "/path/to/age/key.txt";
    directory = ./path/to/secrets;
  };

  systemd.services.example = {
    serviceConfig = {
      LoadCredential = [
        "foobar:${config.services.systemd-age-creds.socket}"
      ];
    };
  };
}
```
## See Also

- systemd Credentials
- systemd-creds
- age
- age-plugin-tpm