Systemd-creds, issue with LoadCredentialEncrypted

Hey! I’m not sure if this is a bit too general question for NixDiscourse but here we go!

So I am using LoadCredentials right now within my service, and I have credentials service that essentially runs script during rebuild, and then checks if those results were valid, and stops the service from running them again and again.

My LoadCredentials is like LoadCredential = [ “test:/etc/credstore/test_cred” ];
and environmentVariable that gets this credentials takes it as environment = { TEST_CRED=“%d/test” };

and this works just fine.

However! When I try to change the logic to LoadCredentialEncrypted = [ “test:/etc/credstore/test_cred.encrypted” ];

Im getting an error status=243/CREDENTIAL withing systemctl status. I tried with restart option too, but it just keeps on restarting.

The thing is, my credentialService runs a script that uses systemd-creds encrypt for the credential, and spits out test_cred.encrypted. This indeed works as it appears in the credstore, and as stated by the systemd-creds documentation:

  1. LoadCredentialEncrypted= is similar to LoadCredential= but will load an encrypted credential, and decrypt it before passing it to the service. For details on credential encryption, see below.

I can also manually decrypt the encrypted credential and it matches the plaintext one.

  • I do not have access to TPM2 module.
    Could there be some general hardening options that are causing this error ?
    As far as I believe this is only related to tpm2 module:

When DevicePolicy= is set to "closed " or "strict ", or set to "auto " and DeviceAllow= is set, or PrivateDevices= is set, then this setting adds /dev/tpmrm0 with rw mode to DeviceAllow= . See systemd.resource-control(5) for the details about DevicePolicy= or DeviceAllow= .

Anything obvious I am missing ? Thank you.

1 Like

This one has been resolved. It seems like there was just some naming convention at play. Essentially, I had to use “test_cred.encrypted:/etc/credstore/test_cred.encrypted” ];

{ TEST_CRED=“%d/test_cred.encrypted” }; precisely.