credentials
Credentials-DB at-rest encryption — chooser, provisioning, migration.
One of three passphrase storage modes is chosen interactively when
systemd-creds is not available; when it is, the chooser is skipped and
the credential is sealed silently. Once chosen, the mode is persisted
into config.yml so the resolution chain picks it up on the next
daemon start: session mode self-describes through the presence of its
tmpfs file, keyring mode sets credentials.use_keyring=true, and config
mode writes the passphrase itself into the file.
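The resolution chain just described, as an added example that is not the project's own code. The precedence order (a systemd-creds sealed credential first, then the session file, then keyring, then config), the credential name `credentials-db-passphrase`, the session file path and the `keyring_lookup` callable are assumptions; systemd does expose decrypted credentials to a service under `$CREDENTIALS_DIRECTORY`, which is what the first step reads.

```python
"""Passphrase resolution for the credentials DB (illustrative, not the
project's code). Chain order, credential name and file paths are assumed."""
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional

CRED_NAME = "credentials-db-passphrase"   # assumed systemd credential name


@dataclass
class Resolved:
    mode: str          # which source supplied the passphrase
    passphrase: str


def persist_mode(mode: str, passphrase: str, config: dict, session_file: Path) -> dict:
    """Record the chosen mode: session mode leaves only the tmpfs file behind,
    keyring mode sets credentials.use_keyring=true, config mode writes the
    passphrase itself into config.yml (represented here as a dict)."""
    creds = config.setdefault("credentials", {})
    if mode == "session":
        session_file.write_text(passphrase + "\n")
        session_file.chmod(stat.S_IRUSR | stat.S_IWUSR)   # owner read/write only
    elif mode == "keyring":
        creds["use_keyring"] = True
    elif mode == "config":
        creds["passphrase"] = passphrase   # plaintext: config.yml must itself be 0600
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return config


def resolve_passphrase(config: dict, session_file: Path,
                       keyring_lookup: Callable[[], Optional[str]],
                       env: Optional[dict] = None) -> Resolved:
    env = os.environ if env is None else env
    # 1. systemd-creds: sealed credentials are decrypted into $CREDENTIALS_DIRECTORY
    cred_dir = env.get("CREDENTIALS_DIRECTORY")
    if cred_dir and (Path(cred_dir) / CRED_NAME).is_file():
        return Resolved("systemd-creds",
                        (Path(cred_dir) / CRED_NAME).read_text().rstrip("\n"))
    # 2. session mode: the tmpfs file's presence is the marker
    if session_file.is_file():
        return Resolved("session", session_file.read_text().rstrip("\n"))
    creds = config.get("credentials", {})
    # 3. keyring mode: flagged in config.yml, secret fetched from the keyring
    if creds.get("use_keyring") is True:
        secret = keyring_lookup()
        if secret is None:
            raise LookupError("credentials.use_keyring=true but the keyring holds no entry")
        return Resolved("keyring", secret)
    # 4. config mode: passphrase stored in config.yml itself
    if creds.get("passphrase"):
        return Resolved("config", creds["passphrase"])
    raise LookupError("no passphrase source configured; run the chooser")


def demo() -> list:
    """Exercise every source with constructed data; returns the modes resolved."""
    modes = []
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        session = tmp / "session.pass"          # stand-in for the tmpfs file
        cred_dir = tmp / "creds"                # stand-in for $CREDENTIALS_DIRECTORY
        cred_dir.mkdir()
        (cred_dir / CRED_NAME).write_text("sealed-by-systemd\n")
        # A sealed credential is used even when no mode was ever chosen.
        r = resolve_passphrase({}, session, lambda: None,
                               env={"CREDENTIALS_DIRECTORY": str(cred_dir)})
        modes.append(r.mode)
        for mode in ("session", "keyring", "config"):
            cfg = persist_mode(mode, f"pw-{mode}", {}, session)
            r = resolve_passphrase(cfg, session, lambda: "pw-keyring", env={})
            assert r.passphrase == f"pw-{mode}"
            modes.append(r.mode)
            if session.exists():
                session.unlink()   # drop the session marker so later modes are reached
    return modes


if __name__ == "__main__":
    print(demo())
```

Because the session file is the marker, an operator checking which mode is active looks at the tmpfs first and at `credentials.use_keyring` in config.yml second; only the config mode leaves the passphrase readable on disk, which is why that branch is the one to protect with file permissions.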
The plaintext→encrypted migration is deprecated in 0.8.0 and slated
for removal in 0.9.0. After that release a fresh install is the only
supported entry point; operators left with a stale plaintext DB must
restore from the .plaintext-backup-<stamp>.tar.gz snapshot that this
phase writes before re-keying.