This is currently an experimental feature and may change at any time. Once enabled profiles are encrypted automatically and IWD cannot undo this. A tool, iwd-decrypt-profile has been provided to decrypt profiles but it is a manual process. In addition if the encryption algorithm or any formatting changes between releases it may render previously encrypted profiles unreadable. Use at you're own risk and backup any profiles which cannot be lost!
Introduced in IWD 1.25, systemd (v250+) users now have the option to encrypt their network profiles on disc. A secret key is passed from systemd to IWD and used to encrypt the profiles. This key can be set by the user or read from a TPM device. Note TPM usage is not covered in this wiki.
First, systemd must be set up to pass a secret credential to IWD. The secret can be set one of two ways using either SetCredentialEncrypted or LoadCredentialEncrypted. Systemd provides a utility for this, systemd-creds.
This simplest way is to follow Example 2 in the documentation for systemd-creds and invoke something like:
# systemd-ask-password -n | systemd-creds encrypt --name=iwd-secret -p - - 🔐 Password: **** SetCredentialEncrypted=iwd-secret: \ k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAASfFsBoPLIm/dlDoGAAAAAAAAAA \ NAAAAAgAAAAAH4AILIOZ3w6rTzYsBy9G7liaCAd4i+Kpvs8mAgArzwuKxd0ABDjgSeO5k \ mKQc58zM94ZffyRmuNeX1lVHE+9e2YD87KfRFNoDLS7F3YmCb347gCiSk2an9egZ7Y0Xs \ 700Kr6heqQswQEemNEc62k9RJnEl2q7SbcEYguegnPQUATgAIAAsAAAASACA/B90W7E+6 \ yAR9NgiIJvxr9bpElztwzB5lUJAxtMBHIgAQACCaSV9DradOZz4EvO/LSaRyRSq2Hj0ym \ gVJk/dVzE8Uxj8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciyageTfrVEer8z5 \ 9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/A==
This can then be pasted directly into the IWD service file. Note that 'iwd-secret' can be named anything you want. Following example 1 in the documentation lets you store the encrypted secret in a file directly, and this can be set in the service file with LoadCredentialEncrypted. There is no difference from IWD's point of view with these two methods.
A new main.conf option was added, SystemdEncrypt, who's value is the identifier used with systemd-creds. In this case 'iwd-secret'
# file: main.conf [General] SystemdEncrypt=iwd-secret
Running IWD with this option enables profile encryption, and any profiles currently on the system will be encrypted automatically as discussed in the disclaimer. At this point there is nothing else needed. Any future profiles will be encrypted automatically.
Oops, I accidentally just encrypted my profiles and I want them back! Not all is lost and profiles can be decrypted back into plaintext using iwd-decrypt-profile, given you remember the password used with systemd-creds. This tool takes an input file (–infile), password/secret file (–pass/–file), and optionally a profile name (–name) if one cannot be determined based on the input file.
Note: Depending on how you set up the credentials with systemd-creds your password might have a newline appended. This is due to systemd ultimately storing it in a file and appending a newline character, shown in the example below.
./tools/iwd-decrypt-profile --infile /var/lib/iwd/MySSID.psk --pass secret123$'\n'
This should output the plaintext profile to stdout.