
Profile Encryption

Disclaimer

This is currently an experimental feature and may change at any time. Once enabled, profiles are encrypted automatically and IWD cannot undo this. A tool has been provided to decrypt profiles, but it is a manual process. In addition, if the encryption algorithm or any formatting changes between releases, it may render previously encrypted profiles unreadable. Use at your own risk and back up any profiles which cannot be lost!

Introduction

Introduced in IWD 1.25, systemd (v250+) users now have the option to encrypt their network profiles on disk. A secret key is passed from systemd to IWD and used to encrypt the profiles. This key can be set by the user or read from a TPM device. Note that TPM usage is not covered in this wiki.

Setup (systemd)

First, systemd must be set up to pass a secret credential to IWD. This is done with either the SetCredentialEncrypted or the LoadCredentialEncrypted service setting, and the encrypted credential itself is produced with a new systemd utility, systemd-creds.

The simplest way is to follow Example 2 in the documentation for systemd-creds and invoke something like:

  # systemd-ask-password -n | systemd-creds encrypt --name=iwd-secret -p - -
  🔐 Password: ****
  SetCredentialEncrypted=iwd-secret: \
      k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAASfFsBoPLIm/dlDoGAAAAAAAAAA \
      NAAAAAgAAAAAH4AILIOZ3w6rTzYsBy9G7liaCAd4i+Kpvs8mAgArzwuKxd0ABDjgSeO5k \
      mKQc58zM94ZffyRmuNeX1lVHE+9e2YD87KfRFNoDLS7F3YmCb347gCiSk2an9egZ7Y0Xs \
      700Kr6heqQswQEemNEc62k9RJnEl2q7SbcEYguegnPQUATgAIAAsAAAASACA/B90W7E+6 \
      yAR9NgiIJvxr9bpElztwzB5lUJAxtMBHIgAQACCaSV9DradOZz4EvO/LSaRyRSq2Hj0ym \
      gVJk/dVzE8Uxj8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciyageTfrVEer8z5 \
      9cUQfM5ynSaV2UjeUWEHuz4fwDsXGLB9eELXLztzUU9nsAyLvs3ZRR+eEK/A==

The SetCredentialEncrypted= block can then be pasted directly into the IWD service file. Note that 'iwd-secret' can be any name you want.

Setup (IWD)

A new main.conf option was added, SystemdEncrypt, whose value is the identifier used with systemd-creds (in this case 'iwd-secret'):

  # file: main.conf
  SystemdEncrypt=iwd-secret

Running IWD with this option enables profile encryption, and any profiles currently on the system are encrypted automatically, as discussed in the disclaimer.
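The two setup steps above, automated as an added example that is not part of this wiki or of IWD itself. It assumes the drop-in directory /etc/systemd/system/iwd.service.d/, the config path /etc/iwd/main.conf, the file name credential.conf, and that SystemdEncrypt belongs in the [General] section of main.conf; adjust these for your distribution.

```shell
# Added example (not from the IWD wiki): encrypt a secret with systemd-creds,
# drop the SetCredentialEncrypted= block into a unit drop-in for iwd.service,
# and point SystemdEncrypt= in main.conf at the same credential name.
# Assumed paths: /etc/systemd/system/iwd.service.d/ and /etc/iwd/main.conf;
# the key is assumed to live in the [General] section of main.conf.
set -eu

CRED_NAME="${CRED_NAME:-iwd-secret}"
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/iwd.service.d}"
MAIN_CONF="${MAIN_CONF:-/etc/iwd/main.conf}"

# Turn the SetCredentialEncrypted= block printed by 'systemd-creds encrypt -p'
# (read on stdin, line continuations included) into a drop-in body. The blob
# is ciphertext; the host key (/var/lib/systemd/credential.secret) or the TPM
# is what protects it, so the drop-in file itself need not be secret.
make_dropin() {
    printf '[Service]\n'
    cat
}

# Set SystemdEncrypt= exactly once in main.conf, directly under [General],
# replacing any earlier value and creating the section if it is missing.
set_systemd_encrypt() {
    conf="$1"; name="$2"
    [ -f "$conf" ] || : > "$conf"
    awk -v name="$name" '
        /^SystemdEncrypt=/ { next }          # drop any previous setting
        { print }
        /^\[General\]/ { print "SystemdEncrypt=" name; added = 1 }
        END { if (!added) printf "[General]\nSystemdEncrypt=%s\n", name }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

install_profile_encryption() {
    mkdir -p "$DROPIN_DIR"
    # Same pipeline as the page: prompt for the secret and encrypt it.
    systemd-ask-password -n \
        | systemd-creds encrypt --name="$CRED_NAME" -p - - \
        | make_dropin > "$DROPIN_DIR/credential.conf"
    set_systemd_encrypt "$MAIN_CONF" "$CRED_NAME"
    systemctl daemon-reload
    systemctl restart iwd.service
}

# Only touch the system when invoked as 'install'; sourcing the file
# merely defines the functions.
if [ "${1:-}" = "install" ]; then
    install_profile_encryption
fi
```

Run it as root with the argument `install`; the credential name must match in both files or IWD will not find the key at start-up.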

profile_encryption.1646935562.txt.gz · Last modified: 2022/03/10 18:06 by James Prestwood