How to enable systemd credentials in stage1 (`boot.initrd.systemd`)?

I am injecting a systemd credential into a qemu vm using SMBIOS OEM strings (as described in systemd’s credential docs).

In stage 2, I can see the credentials being loaded and can confirm this with `systemd-creds --system`.

root@myvm:~/ > systemd-creds --system
NAME         SECURE SIZE PATH                                 
SOPS_AGE_KEY secure 399B /run/credentials/@system/SOPS_AGE_KEY
Apr 01 13:06:40 myvm systemd[1]: Starting Switch Root...
Apr 01 13:06:40 myvm systemd[1]: Switching root.
Apr 01 13:06:40 myvm systemd-journald[90]: Journal stopped
Apr 01 13:06:41 myvm systemd-journald[90]: Received SIGTERM from PID 1 (systemd).
Apr 01 13:06:41 myvm systemd[1]: systemd 257.3 running in system mode (+PAM +AUDIT -SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC >
Apr 01 13:06:41 myvm systemd[1]: Detected virtualization kvm.
Apr 01 13:06:41 myvm systemd[1]: Detected architecture x86-64.
Apr 01 13:06:41 myvm systemd[1]: Detected first boot.
Apr 01 13:06:41 myvm systemd[1]: Received regular credentials: SOPS_AGE_KEY
Apr 01 13:06:41 myvm systemd[1]: Acquired 1 regular credentials, 0 untrusted credentials.

stage 1

However when I try to use the credential in stage 1, the credential isn’t available.

  # this config for the guest vm
  boot.initrd.systemd = {
    enable = true;
    services.bootstrap-secrets = {
      after = [ "initrd-fs.target" ];
      before = [
        "initrd-nixos-activation.service"
        "shutdown.target"
        "initrd-switch-root.target"
      ];
      conflicts = [
        "shutdown.target"
        "initrd-switch-root.target"
      ];
      wantedBy = [ "initrd.target" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig.Type = "oneshot";
      # I also tried using serviceConfig.ImportCredential, but the resulting CREDENTIAL_DIRECTORY is empty
      script = ''
        systemd-creds --system # <----- this errors out 
        # this is what I would want to do:
        mkdir -p /etc/ssh
        ${pkgs.systemd}/bin/systemd-creds --system cat SOPS_AGE_KEY > /etc/ssh/ssh_host_ed25519_key
        chmod 0600 /etc/ssh/ssh_host_ed25519_key
      '';
    };
  };

Result:

Apr 01 13:06:39 myvm systemd-creds[174]: No credentials passed to system.
Apr 01 13:06:39 myvm systemd[1]: Finished Create Volatile Files and Directories in the Real Root.
Apr 01 13:06:39 myvm systemd[1]: bootstrap-secrets.service: Main process exited, code=exited, status=1/FAILURE
Apr 01 13:06:39 myvm systemd[1]: bootstrap-secrets.service: Failed with result 'exit-code'.
Apr 01 13:06:39 myvm systemd[1]: Failed to start bootstrap-secrets.service.

I cannot find an “enable systemd credentials in stage1” toggle.

The closest thing I can find is that @JulienMalka reported an issue to systemd about stage1 crashing when using encrypted credentials, which means using credentials at all in stage 1 should be possible?

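The credentials described in the post travel from the QEMU command line into the guest as SMBIOS Type 11 "OEM Strings" with the `io.systemd.credential:` (plain) or `io.systemd.credential.binary:` (base64) prefix, and PID 1 picks them up by reading the raw entries the kernel exposes under `/sys/firmware/dmi/entries/11-*/raw`. The following is an added example, not code from the post or from NixOS: it builds such a Type 11 structure from constructed strings, parses it back the way a consumer in the guest would, and offers a small scanner for the sysfs path so you can check from inside a stage-1 shell whether the raw entries are visible at all. The `build_type11`, `parse_type11_strings`, `extract_credentials`, `qemu_smbios_args` and `scan_sysfs` names and the sample credential values are all my own constructions.

```python
"""Build and parse SMBIOS Type 11 (OEM Strings) entries carrying systemd credentials.

Added example; hypothetical helper names and constructed sample values throughout.
"""
import base64
import glob
import struct

PLAIN_PREFIX = "io.systemd.credential:"
BINARY_PREFIX = "io.systemd.credential.binary:"
SYSFS_GLOB = "/sys/firmware/dmi/entries/11-*/raw"


def build_type11(strings, handle=0x0000):
    """Serialize OEM strings as a raw SMBIOS Type 11 structure.

    Layout: type(1) length(1) handle(2) count(1), then `count` NUL-terminated
    strings, then one extra NUL closing the string set (formatted area length is 5).
    """
    header = struct.pack("<BBHB", 11, 5, handle, len(strings))
    body = b"".join(s.encode("utf-8") + b"\x00" for s in strings)
    return header + body + b"\x00"


def parse_type11_strings(raw):
    """Return the list of OEM strings from a raw Type 11 structure."""
    if len(raw) < 5:
        raise ValueError("SMBIOS structure too short")
    stype, length, _handle, count = struct.unpack_from("<BBHB", raw, 0)
    if stype != 11:
        raise ValueError(f"not an OEM Strings structure (type {stype})")
    # Strings follow the formatted area; split on NUL and keep `count` of them.
    parts = raw[length:].split(b"\x00")
    strings = [p.decode("utf-8", errors="replace") for p in parts[:count]]
    if len(strings) != count:
        raise ValueError(f"structure announces {count} strings, found {len(strings)}")
    return strings


def _valid_name(name):
    # Loose check mirroring the idea that a credential name is a single path component.
    return bool(name) and "/" not in name and name not in (".", "..") and len(name) <= 255


def extract_credentials(strings):
    """Map credential name -> bytes for strings that carry the systemd prefixes.

    Unrelated OEM strings and malformed entries (no '=' or bad name) are skipped.
    """
    creds = {}
    for s in strings:
        if s.startswith(BINARY_PREFIX):
            name, sep, value = s[len(BINARY_PREFIX):].partition("=")
            if sep and _valid_name(name):
                creds[name] = base64.b64decode(value, validate=True)
        elif s.startswith(PLAIN_PREFIX):
            name, sep, value = s[len(PLAIN_PREFIX):].partition("=")
            if sep and _valid_name(name):
                creds[name] = value.encode("utf-8")
    return creds


def qemu_smbios_args(creds):
    """QEMU arguments injecting each credential as a Type 11 OEM string."""
    args = []
    for name, value in creds.items():
        if isinstance(value, bytes):
            payload = BINARY_PREFIX + name + "=" + base64.b64encode(value).decode("ascii")
        else:
            payload = PLAIN_PREFIX + name + "=" + value
        args += ["-smbios", "type=11,value=" + payload]
    return args


def scan_sysfs(pattern=SYSFS_GLOB):
    """Read every raw Type 11 entry the kernel exposes; {} if none are visible.

    An empty result inside the initrd means the DMI sysfs interface is not
    available there, so nothing can import SMBIOS credentials from it.
    """
    found = {}
    for path in glob.glob(pattern):
        with open(path, "rb") as fh:
            found.update(extract_credentials(parse_type11_strings(fh.read())))
    return found


if __name__ == "__main__":
    # Round trip on constructed data, then report what the running system exposes.
    sample = build_type11(["io.systemd.credential:SOPS_AGE_KEY=AGE-SECRET-KEY-CONSTRUCTED-SAMPLE"])
    print(extract_credentials(parse_type11_strings(sample)))
    print("names visible via sysfs:", sorted(scan_sysfs()))
```

Running the module as a script from a stage-1 emergency shell (or a stage-2 shell for comparison) prints the credential names it can recover from sysfs; the round-trip functions are what the test below exercises, so nothing depends on real DMI data.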

I have in the past worked on implementing encrypted secrets in stage 1, and had a POC working. You have to use the systemd-stub for this to work iirc, which has drawbacks in terms of storage. You can have a look at the code here: Comparing NixOS:master...JulienMalka:initrd-secrets · NixOS/nixpkgs · GitHub
