'\" t
.TH "SYSTEMD\&.SYSTEM\-CREDENTIALS" "7" "" "systemd 255" "systemd.system-credentials"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd.system-credentials \- System Credentials
.SH "DESCRIPTION"
.PP
\m[blue]\fBSystem and Service Credentials\fR\m[]\&\s-2\u[1]\d\s+2
are data objects that may be passed into booted systems or system services as they are invoked\&. They can be acquired from various external sources, and propagated into the system and from there into system services\&. Credentials may optionally be encrypted with a machine\-specific key and/or locked to the local TPM2 device, and are only decrypted when the consuming service is invoked\&.
.PP
System credentials may be used to provision and configure various aspects of the system\&. Depending on the consuming component credentials are only used on initial invocations or are needed for all invocations\&.
.PP
Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets, certificates, cryptographic key material, identity information, configuration, and more\&.
.SH "WELL KNOWN SYSTEM CREDENTIALS"
.PP
\fIfirstboot\&.keymap\fR
.RS 4
The console key mapping to set (e\&.g\&.
"de")\&. Read by
\fBsystemd-firstboot\fR(1), and only honoured if no console keymap has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIfirstboot\&.locale\fR, \fIfirstboot\&.locale\-messages\fR
.RS 4
The system locale to set (e\&.g\&.
"de_DE\&.UTF\-8")\&. Read by
\fBsystemd-firstboot\fR(1), and only honoured if no locale has been configured before\&.
\fIfirstboot\&.locale\fR
sets
"LANG", while
\fIfirstboot\&.locale\-message\fR
sets
"LC_MESSAGES"\&.
.sp
Added in version 252\&.
.RE
.PP
\fIfirstboot\&.timezone\fR
.RS 4
The system timezone to set (e\&.g\&.
"Europe/Berlin")\&. Read by
\fBsystemd-firstboot\fR(1), and only honoured if no system timezone has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIlogin\&.issue\fR
.RS 4
The data of this credential is written to
/etc/issue\&.d/50\-provision\&.conf, if the file doesn\*(Aqt exist yet\&.
\fBagetty\fR(8)
reads this file and shows its contents at the login prompt of terminal logins\&. See
\fBissue\fR(5)
for details\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fIlogin\&.motd\fR
.RS 4
The data of this credential is written to
/etc/motd\&.d/50\-provision\&.conf, if the file doesn\*(Aqt exist yet\&.
\fBpam_motd\fR(8)
reads this file and shows its contents as "message of the day" during terminal logins\&. See
\fBmotd\fR(5)
for details\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fInetwork\&.hosts\fR
.RS 4
The data of this credential is written to
/etc/hosts, if the file doesn\*(Aqt exist yet\&. See
\fBhosts\fR(5)
for details\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fInetwork\&.dns\fR, \fInetwork\&.search_domains\fR
.RS 4
DNS server information and search domains\&. Read by
\fBsystemd-resolved.service\fR(8)\&.
.sp
Added in version 253\&.
.RE
.PP
\fIpasswd\&.hashed\-password\&.root\fR, \fIpasswd\&.plaintext\-password\&.root\fR
.RS 4
May contain the password (either in UNIX hashed format, or in plaintext) for the root users\&. Read by both
\fBsystemd-firstboot\fR(1)
and
\fBsystemd-sysusers\fR(1), and only honoured if no root password has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIpasswd\&.shell\&.root\fR
.RS 4
The path to the shell program (e\&.g\&.
"/bin/bash") for the root user\&. Read by both
\fBsystemd-firstboot\fR(1)
and
\fBsystemd-sysusers\fR(1), and only honoured if no root shell has been configured before\&.
.sp
Added in version 252\&.
.RE
.PP
\fIssh\&.authorized_keys\&.root\fR
.RS 4
The data of this credential is written to
/root/\&.ssh/authorized_keys, if the file doesn\*(Aqt exist yet\&. This allows provisioning SSH access for the system\*(Aqs root user\&.
.sp
Consumed by
/usr/lib/tmpfiles\&.d/provision\&.conf, see
\fBtmpfiles.d\fR(5)\&.
.sp
Added in version 252\&.
.RE
.PP
\fIsysusers\&.extra\fR
.RS 4
Additional
\fBsysusers.d\fR(5)
lines to process during boot\&.
.sp
Added in version 252\&.
.RE
.PP
\fIsysctl\&.extra\fR
.RS 4
Additional
\fBsysctl.d\fR(5)
lines to process during boot\&.
.sp
Added in version 252\&.
.RE
.PP
\fItmpfiles\&.extra\fR
.RS 4
Additional
\fBtmpfiles.d\fR(5)
lines to process during boot\&.
.sp
Added in version 252\&.
.RE
.PP
\fIfstab\&.extra\fR
.RS 4
Additional mounts to establish at boot\&. For details, see
\fBsystemd-fstab-generator\fR(8)\&.
.sp
Added in version 254\&.
.RE
.PP
\fIvconsole\&.keymap\fR, \fIvconsole\&.keymap_toggle\fR, \fIvconsole\&.font\fR, \fIvconsole\&.font_map\fR, \fIvconsole\&.font_unimap\fR
.RS 4
Console settings to apply, see
\fBsystemd-vconsole-setup.service\fR(8)
for details\&.
.sp
Added in version 253\&.
.RE
.PP
\fIgetty\&.ttys\&.serial\fR, \fIgetty\&.ttys\&.container\fR
.RS 4
Used for spawning additional login prompts, see
\fBsystemd-getty-generator\fR(8)
for details\&.
.sp
Added in version 254\&.
.RE
.PP
\fIvmm\&.notify_socket\fR
.RS 4
Configures an
\fBsd_notify\fR(3)
compatible
\fBAF_VSOCK\fR
socket the service manager will report status information, ready notification and exit status on\&. For details see
\fBsystemd\fR(1)\&.
.sp
Added in version 253\&.
.RE
.PP
\fIsystem\&.machine_id\fR
.RS 4
Takes a 128bit ID to initialize the machine ID from (if it is not set yet)\&. Interpreted by the service manager (PID 1)\&. For details see
\fBsystemd\fR(1)\&.
.sp
Added in version 254\&.
.RE
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBkernel-command-line\fR(7),
\fBsmbios-type-11\fR(7)
.SH "NOTES"
.IP " 1." 4
System and Service Credentials
.RS 4
\%https://systemd.io/CREDENTIALS
.RE