KeyringMode setting
The property KeyringMode is a systemd unit setting used for sandboxing. It is available since systemd 235.
Purpose: controls the kernel session keyring and defines which keyring is available to the service
New to securing and tuning systemd services? Start with the article on how to harden a systemd service unit to learn tuning step by step, including the use of the relevant tools.
Why and when to use KeyringMode
Systemd has the unit setting KeyringMode that controls how the kernel session keyring is configured. It allows or blocks access to a user's keyring. This way key material can be protected from processes that should not need access to it.
Generic advice
For most system services, the ‘private’ value is advised. This ensures that no user keyring is linked, which is especially useful for services running as the root user.

```ini
[Service]
KeyringMode=private
```
To see if a program requires access to a keyring, check whether it uses the following system calls.
- add_key(2)
- request_key(2)
Values
The KeyringMode unit setting expects a string value.

Value | Intended action | Available since systemd version
---|---|---
inherit | applies the default behavior of the kernel, meaning no special keyring setup is performed | 235
private | allocates a new session keyring, not linking any user keyring | 235
shared | same as private, but additionally links the user keyring of the user specified with User= | 235
Example to show the current value of KeyringMode for the ssh service:

```shell
systemctl show --property=KeyringMode ssh.service
```
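The shell helpers below are an added example and not part of the original article. They audit the setting from two sides: `keyring_mode_of_unit` reads unit file text on stdin and reports the KeyringMode= value from its [Service] section (keys in other sections are ignored and, as with systemd, the last assignment wins), `keyring_mode_from_show` strips the prefix from the one-line output of `systemctl show --property=KeyringMode`, and `keyring_mode_is_private` flags any value other than private for review. The unit text in SAMPLE_UNIT is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit KeyringMode= in unit files.

# Print the KeyringMode= value found in the [Service] section of the unit
# file text read on stdin; print "unset" when the key is absent.
# Keys in other sections are ignored; if the key repeats, the last one wins.
keyring_mode_of_unit() {
  awk '
    /^\[/ { in_service = ($0 == "[Service]"); next }
    in_service && /^KeyringMode *=/ {
      sub(/^[^=]*= */, ""); sub(/ *$/, ""); mode = $0
    }
    END { print (mode == "" ? "unset" : mode) }
  '
}

# Strip the "KeyringMode=" prefix from the output of
# "systemctl show --property=KeyringMode <unit>", read on stdin.
keyring_mode_from_show() {
  sed -n 's/^KeyringMode=//p'
}

# Classify a mode value: exit 0 for private, 1 for anything else
# (inherit, shared or unset), which deserves a review for a system service.
keyring_mode_is_private() {
  [ "$1" = "private" ]
}

# Constructed unit text: the KeyringMode= line under [Unit] is in the wrong
# section and must be ignored; the [Service] line is the effective one.
SAMPLE_UNIT='[Unit]
Description=Constructed example service
KeyringMode=private

[Service]
ExecStart=/usr/bin/true
KeyringMode=shared
User=example'

# Stand-alone demonstration on the constructed unit text.
mode=$(printf '%s\n' "$SAMPLE_UNIT" | keyring_mode_of_unit)
if keyring_mode_is_private "$mode"; then
  echo "KeyringMode=$mode: ok"
else
  echo "KeyringMode=$mode: review, not private"
fi
```

On a live system the same functions can be fed real data, for example `systemctl cat some.service | keyring_mode_of_unit` for the configured value, or `systemctl show --property=KeyringMode some.service | keyring_mode_from_show` for the value systemd actually applies (which includes the default when the unit does not set the key).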