
This is an old revision of the document!


Profile Encryption

This is currently an experimental feature and may change at any time. If the encryption algorithm or any formatting changes, previously encrypted profiles may become unreadable. Use at your own risk and back up any profiles which cannot be lost!

Introduction

As of IWD 1.25, systemd (v250+) users have the option to encrypt their network profiles on disk. A secret key is passed from systemd to IWD and used to encrypt the profiles. This key can be set by the user or read from a TPM device. Note that TPM usage is not covered in this wiki.

Usage (systemd)

First, systemd must be set up to pass a secret credential to IWD. This can be done in one of two ways, using either the SetCredentialEncrypted or the LoadCredentialEncrypted option. The encrypted credential itself is created with a new systemd utility, systemd-creds.

The simplest way is to follow Example 2 in the documentation for systemd-creds and invoke something like:

  # systemd-ask-password -n | systemd-creds encrypt --name=iwd-secret -p - -
  🔐 Password: ****
  SetCredentialEncrypted=iwd-secret: \
      k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAASfFsBoPLIm/dlDoGAAAAAAAAAA \
      NAAAAAgAAAAAH4AILIOZ3w6rTzYsBy9G7liaCAd4i+Kpvs8mAgArzwuKxd0ABDjgSeO5k \
      mKQc58zM94ZffyRmuNeX1lVHE+9e2YD87KfRFNoDLS7F3YmCb347gCiSk2an9egZ7Y0Xs \
      700Kr6heqQswQEemNEc62k9RJnEl2q7SbcEYguegnPQUATgAIAAsAAAASACA/B90W7E+6 \
      yAR9NgiIJvxr9bpElztwzB5lUJAxtMBHIgAQACCaSV9DradOZz4EvO/LSaRyRSq2Hj0ym \
      gVJk/dVzE8Uxj8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciyageTfrVEer8z5 \
      9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/A==

This output (everything from SetCredentialEncrypted= onward) can then be pasted directly into the IWD service file. Note that 'iwd-secret' is only a name and can be anything you want.
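
The paste step above, scripted as an added example (not part of the original wiki or of the IWD project): a shell function that sanity-checks the `systemd-creds encrypt -p` output and wraps it in a `[Service]` drop-in, so the packaged unit file is left untouched. The function name `render_dropin` and the drop-in file name in the usage comment are assumptions, and the checks assume the output layout shown above.

```shell
#!/bin/sh
# Added example, not IWD project code. render_dropin and the drop-in
# file name in the usage comment are assumed names.

# render_dropin NAME
#   stdin : output of `systemd-creds encrypt --name=NAME -p ...`
#   stdout: a [Service] drop-in carrying that SetCredentialEncrypted= block
#   returns 1 if the input does not look like a credential block for NAME
render_dropin() {
    name=$1
    input=$(cat)
    first=$(printf '%s\n' "$input" | sed -n '1p')
    body=$(printf '%s\n' "$input" | sed '1d')

    # The first line must name the credential we expect, followed by a
    # line-continuation backslash.
    case $first in
        "SetCredentialEncrypted=$name: \\") ;;
        *) echo "render_dropin: expected SetCredentialEncrypted=$name" >&2
           return 1 ;;
    esac

    # The body must be non-empty and consist only of base64 lines, each
    # optionally ending in " \". Anything else (a stray prompt line, a
    # truncated paste) is rejected rather than written into a unit file.
    [ -n "$body" ] || { echo "render_dropin: empty credential" >&2; return 1; }
    if printf '%s\n' "$body" |
        grep -Evq '^[[:space:]]*[A-Za-z0-9+/=]+( \\)?$'; then
        echo "render_dropin: unexpected characters in credential" >&2
        return 1
    fi

    printf '[Service]\n%s\n' "$input"
}

# Usage on a real host, as root:
#   mkdir -p /etc/systemd/system/iwd.service.d
#   systemd-ask-password -n | systemd-creds encrypt --name=iwd-secret -p - - \
#       | render_dropin iwd-secret > /etc/systemd/system/iwd.service.d/encrypt.conf
#   systemctl daemon-reload
```
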

profile_encryption.1646935117.txt.gz · Last modified: 2022/03/10 17:58 by James Prestwood