Implement systemd-ask-password agent
Feature summary
Implement support for a systemd-ask-password agent.
This is used by systemd to obtain passwords/pin codes/etc whenever it needs to decrypt something. Specifically: encrypted block devices and encrypted credentials. This is the same mechanism systemd uses to communicate with plymouth during a full-disk-encryption boot.
The systemd-ask-password requests can be triggered in a running system, in response to unit start requests (i.e. if the service has some encrypted credentials, or you're activating a .mount unit), or when disks are mounted (not via udisks). systemd's command line tools (specifically: systemctl) automatically spawn an agent to allow the request to be completed. If triggered over dbus, however, no such agent exists, and the only way to fully activate the unit is to either A) switch to a tty, where systemd automatically spawns an agent, or B) open a terminal and run sudo systemd-tty-ask-password-agent
GNOME supporting this would go a long way to help encourage systemd service authors to make better use of (encrypted) credentials.
How would you like it to work
- systemd, for whatever reason, needs a password/pin
- systemd creates a request using its systemd-ask-password protocol
- GNOME pops up a system dialog, not unlike the Polkit or GIO mount dialog, which services the systemd-ask-password request
- systemd obtains the password/pin it needs
Relevant links, screenshots, screencasts etc.
https://systemd.io/PASSWORD_AGENTS/ (note: they mention here that they already have a GNOME agent. This is out-of-date information. They do not anymore)
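The request/reply step an agent has to service, as an added example that is not part of the original issue and is not GNOME or systemd code: it parses one `ask.*` request, drops it if it has expired, and answers over the datagram socket. It assumes the `[Ask]` keys and the `+`/`-` reply framing of the linked PASSWORD_AGENTS document; the sample request, socket path and passphrase are constructed, and the directory watch and the dialog itself are left out.

```python
import configparser
import os
import socket
import tempfile
import time

def parse_request(text, now_usec=None):
    """Parse one ask.* file; return a dict, or None if malformed or expired."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case; unknown keys are simply never read
    try:
        cp.read_string(text)
        ask = cp["Ask"]
        req = {"socket": ask["Socket"],
               "message": ask.get("Message", ""),
               "echo": ask.get("Echo", "0") == "1",  # default: hide typed input
               "not_after": int(ask.get("NotAfter", "0"))}
    except (configparser.Error, KeyError, ValueError):
        return None
    if req["not_after"]:  # CLOCK_MONOTONIC microseconds; 0 means no deadline
        if now_usec is None:
            now_usec = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
        if now_usec > req["not_after"]:
            return None  # query is obsolete, do not prompt
    return req

def send_reply(sock_path, password):
    """Send '+<password>' or, when password is None (cancelled), '-'."""
    payload = b"-" if password is None else b"+" + password.encode("utf-8")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, sock_path)

def demo():
    """Loopback run: a local datagram socket stands in for the requester."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sck.constructed")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as requester:
            requester.bind(path)
            # Constructed sample request, not captured from a real system.
            sample = ("[Ask]\nPID=1234\nSocket=%s\nAcceptCached=0\nEcho=0\n"
                      "NotAfter=0\nMessage=Please enter passphrase for disk\n"
                      "FutureKey=ignored\n" % path)
            req = parse_request(sample)
            send_reply(req["socket"], "constructed-passphrase")
            send_reply(req["socket"], None)
            return req, requester.recv(4096), requester.recv(4096)

if __name__ == "__main__":
    print(demo())
```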