profile_encryption

Differences

This shows you the differences between two versions of the page.
profile_encryption [2022/03/10 17:58]
James Prestwood
profile_encryption [2022/03/10 18:27]
James Prestwood [Setup (systemd)]
Line 1: Line 1:
 ====== Profile Encryption ====== ====== Profile Encryption ======
-This is currently an experimental feature and may change at any time. If the encryption algorithm or any formatting changes it may render previously encrypted profiles unreadable. Use at you're own risk and backup any profiles which cannot be lost!+== Disclaimer == 
 +This is currently an experimental feature and may change at any time. Once enabled profiles are encrypted automatically and IWD cannot undo this. A tool, iwd-decrypt-profile has been provided to decrypt profiles but it is a manual process. In addition if the encryption algorithm or any formatting changes ​between releases ​it may render previously encrypted profiles unreadable. Use at you're own risk and backup any profiles which cannot be lost!
  
 ==== Introduction ==== ==== Introduction ====
 Introduced in IWD 1.25, systemd (v250+) users now have the option to encrypt their network profiles on disc. A secret key is passed from systemd to IWD and used to encrypt the profiles. This key can be set by the user or read from a TPM device. Note TPM usage is not covered in this wiki. Introduced in IWD 1.25, systemd (v250+) users now have the option to encrypt their network profiles on disc. A secret key is passed from systemd to IWD and used to encrypt the profiles. This key can be set by the user or read from a TPM device. Note TPM usage is not covered in this wiki.
  
-==== Usage (systemd) ==== +==== Setup (systemd) ==== 
-First, systemd must be set up to pass a secret credential to IWD. This can be done one of two ways using either SetCredentialEncrypted or LoadCredentialEncrypted. ​This can be done using new systemd ​utility, [[https://​www.freedesktop.org/​software/​systemd/​man/​systemd-creds.html|systemd-creds]].+First, systemd must be set up to pass a secret credential to IWD. The secret ​can be set one of two ways using either ​**SetCredentialEncrypted** or **LoadCredentialEncrypted**Systemd provides ​a utility ​for this, [[https://​www.freedesktop.org/​software/​systemd/​man/​systemd-creds.html|systemd-creds]].
  
 This simplest way is to follow Example 2 in the documentation for systemd-creds and invoke something like: This simplest way is to follow Example 2 in the documentation for systemd-creds and invoke something like:
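Review bot: the rewritten disclaimer in this hunk keeps the "Use at you're own risk" typo from the old text; it should read "your own risk". Since the same paragraph now states that IWD cannot undo the encryption once it is enabled, the instruction to back up profiles deserves its own sentence at the start of the disclaimer rather than the tail of the last one, so a reader who stops early still sees it. Minor: "This simplest way is to follow Example 2" in the unchanged context should be "The simplest way".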
Line 21: Line 22:
         9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/​A==         9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/​A==
  
-This can then be pasted directly into the IWD service file. Note that '​iwd-secret'​ can be named anything ​anything you want.+This can then be pasted directly into the IWD service file. Note that '**iwd-secret**' can be named anything you want. Following example 1 in the documentation lets you store the encrypted secret in a file directly, and this can be set in the service file with **LoadCredentialEncrypted**. There is no difference from IWD's point of view with these two methods.
  
 +==== Setup (IWD) ====
 +A new main.conf option was added, **SystemdEncrypt**,​ who's value is the identifier used with systemd-creds. In this case '​iwd-secret'​
  
 +    # file: main.conf
 +    SystemdEncrypt=iwd-secret
  
 +Running IWD with this option enables profile encryption, and any profiles currently on the system will be encrypted automatically as discussed in the disclaimer. At this point there is nothing else needed. Any future profiles will be encrypted automatically.
 +
 +==== Decrypting Profiles ====
 +Oops, I accidentally just encrypted my profiles and I want them back! Not all is lost and profiles can be decrypted back into plaintext using iwd-decrypt-profile,​ given you remember the password used with systemd-creds. This tool takes an input file (**--infile**),​ password/​secret file (**--pass/​--file**),​ and optionally a profile name (**--name**) if one cannot be determined based on the input file.
 +
 +Note: Depending on how you set up the credentials with systemd-creds your password might have a newline appended. This is due to systemd ultimately storing it in a file and appending a newline character, shown in the example below.
 +
 +    ./​tools/​iwd-decrypt-profile --infile /​var/​lib/​iwd/​MySSID.psk --pass secret123$'​\n'​
 +
 +This should output the plaintext profile to stdout.
  
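Review bot: the iwd-decrypt-profile example at the end of this hunk passes the secret on the command line (`--pass secret123$'\n'`), which exposes it to other local users through process listings and records it in the shell history; the paragraph above already documents `--file` for supplying the password/secret from a file, so the example is better shown with `--file` pointing at a file readable only by the invoking user. Missing documentation: the note about the appended newline should also say whether that newline must be present in the file given to `--file`, since that is the form most people will end up using. Wording: "who's value" in the Setup (IWD) paragraph should be "whose value".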
profile_encryption.txt · Last modified: 2022/03/11 16:35 by James Prestwood