Some config values are treated as secrets and may be loaded from systemd encrypted credentials instead of the plaintext config.ini. Currently this applies to:

- `auth-token`

## Requirements

`LoadCredentialEncrypted=` requires systemd ≥ 250.

## Provisioning

Run the helper to encrypt the secrets, install the `LoadCredentialEncrypted=` override, reload systemd, and restart the service. The script is available at https://downloads.iconik.io/utils/systemd_creds_setup.sh:

```sh
sudo ./systemd_creds_setup.sh
```

The encrypted blobs live in /etc/credstore.encrypted/ with mode 0400, owned by root. At runtime, systemd decrypts them and exposes plaintext files to the service via `$CREDENTIALS_DIRECTORY` (a tmpfs mounted only inside the service's namespace).
## Provisioning (without script)

Skip these steps if you used the script. They describe manually what systemd_creds_setup.sh does.

To enable encrypted credentials, add `LoadCredentialEncrypted=` to your custom override (`sudo systemctl edit iconik_storage_gateway.service`):

```ini
[Service]
LoadCredentialEncrypted=auth-token:/etc/credstore.encrypted/iconik-isg.auth-token
```

Create the encrypted credential at the path named in the override:

```sh
systemd-ask-password -n "auth-token: " | sudo systemd-creds encrypt --name=auth-token - /etc/credstore.encrypted/iconik-isg.auth-token
sudo chmod 0400 /etc/credstore.encrypted/iconik-isg.auth-token
```

After adding the credential, reload systemd and restart the service:

```sh
sudo systemctl daemon-reload
sudo systemctl restart iconik_storage_gateway
```
## Credentials are host-bound

Each encrypted blob is bound to the host's TPM2 (when available) or to /var/lib/systemd/credential.secret. Copying /etc/credstore.encrypted/* to another machine will not work. Re-run systemd_creds_setup.sh on the new host after a migration or clone.
## Migrating an existing plaintext install

You can download and run systemd_creds_migrate.sh to encrypt the auth-token from an already configured config.ini: https://downloads.iconik.io/utils/systemd_creds_migrate.sh

The script performs the following steps:

1. Copy the existing value out of /etc/iconik/iconik_storage_gateway/config.ini.
2. Set up the systemd encrypted credential using the value extracted from config.ini.
3. Remove the auth-token line from config.ini.
4. Finally, restart the service (`systemctl restart iconik_storage_gateway`).

Check `journalctl -u iconik_storage_gateway` for a clean startup.

If a secret is configured both in config.ini and via systemd credentials, the credential wins.
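The extract, encrypt and strip sequence the migration script performs, as an added shell sketch that is not the iconik script itself. The function names are hypothetical, the `auth-token = value` ini syntax and the sample config it writes to a temporary file are constructed for the example, and the `systemd-creds` call sits in its own function because it needs systemd ≥ 250 and root, so the file-handling steps can be exercised offline.

```sh
#!/bin/sh
# Added example, not the iconik migration script. Function names and the
# sample config.ini are assumptions; "NAME = value" is the assumed ini syntax.

# ini_get NAME FILE: print the value of the first "NAME = value" line.
# Fails (exit 1) when the key is missing or its value is empty, so a caller
# never encrypts an empty secret by mistake. Commented-out lines do not match.
ini_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$2" \
        | head -n 1 | grep .
}

# ini_strip NAME FILE: delete the NAME line(s). A .bak copy is kept, and the
# result is written back through "cat >" so the config file keeps its
# original owner and mode instead of being replaced by a new inode.
ini_strip() {
    cp -p "$2" "$2.bak"
    tmp=$(mktemp)
    sed "/^[[:space:]]*$1[[:space:]]*=/d" "$2" > "$tmp"
    cat "$tmp" > "$2"
    rm -f "$tmp"
}

# encrypt_credential NAME VALUE OUT: produce the host-bound encrypted blob.
# The secret reaches systemd-creds over stdin (printf is a shell builtin), so
# it never appears in a child process's argv. Requires systemd >= 250 and
# root; not exercised by the offline demonstration below.
encrypt_credential() {
    printf '%s' "$2" | systemd-creds encrypt --name="$1" - "$3" && chmod 0400 "$3"
}

# migrate_secret NAME CONFIG_INI OUT: the three steps in order. The plaintext
# line is removed only after the encrypted blob has been written successfully.
migrate_secret() {
    value=$(ini_get "$1" "$2") || { echo "no non-empty $1 in $2" >&2; return 1; }
    encrypt_credential "$1" "$value" "$3" || return 1
    ini_strip "$1" "$2"
}

# make_sample_ini FILE: write a constructed sample config (not a real one).
make_sample_ini() {
    cat > "$1" <<'EOF'
# constructed sample config.ini
listen = 127.0.0.1:8080
auth-token = constructed-token-value
EOF
}

# Offline demonstration of the two file-handling steps on a throwaway copy.
SAMPLE_INI=$(mktemp)
make_sample_ini "$SAMPLE_INI"
echo "extracted: $(ini_get auth-token "$SAMPLE_INI")"
ini_strip auth-token "$SAMPLE_INI"
echo "config.ini after strip:"
cat "$SAMPLE_INI"
```

On a real host only `migrate_secret auth-token /etc/iconik/iconik_storage_gateway/config.ini /etc/credstore.encrypted/iconik-isg.auth-token` would be run (as root), followed by the `daemon-reload` and restart from the provisioning section.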
## Falling back to plaintext

If you cannot or do not want to use systemd credentials, simply provide the secrets in /etc/iconik/iconik_storage_gateway/config.ini as before. The reader resolution order is: command-line argument → `$CREDENTIALS_DIRECTORY` → config.ini.
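The resolution order above, as an added shell example that is not the gateway's own reader code: `resolve_secret` checks a command-line value first, then the plaintext file `$CREDENTIALS_DIRECTORY/<name>` that systemd exposes, then a `name = value` line in config.ini, which also reproduces the "credential wins over config.ini" rule. The function name, the ini syntax and the sample files it builds under a temporary directory are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the gateway's own reader. Resolves a secret in the
# order the docs state: command-line argument, then the systemd credential
# file $CREDENTIALS_DIRECTORY/<name>, then a "name = value" line in
# config.ini. Function name and ini syntax are assumptions.

# resolve_secret NAME CLI_VALUE CONFIG_INI
# Prints the value from the highest-priority source; exit 1 if none has it.
resolve_secret() {
    name=$1; cli_value=$2; config_ini=$3

    # 1. An explicit command-line argument wins outright.
    if [ -n "$cli_value" ]; then
        printf '%s\n' "$cli_value"
        return 0
    fi

    # 2. systemd credential: a plaintext file named after the credential in
    #    the service-private tmpfs. Command substitution drops a trailing
    #    newline, so raw and newline-terminated blobs yield the same value.
    if [ -n "${CREDENTIALS_DIRECTORY:-}" ] && [ -r "$CREDENTIALS_DIRECTORY/$name" ]; then
        value=$(cat "$CREDENTIALS_DIRECTORY/$name")
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    fi

    # 3. Plaintext config.ini fallback: first uncommented "name = value" line,
    #    with surrounding whitespace trimmed.
    if [ -r "$config_ini" ]; then
        value=$(sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$config_ini" | head -n 1)
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    fi
    return 1
}

# Constructed fixtures for an offline run: a fake config.ini and a fake
# credentials directory standing in for systemd's tmpfs.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_INI="$SAMPLE_DIR/config.ini"
SAMPLE_CREDS="$SAMPLE_DIR/credentials"
mkdir "$SAMPLE_CREDS"
printf 'auth-token = from-config-ini\n' > "$SAMPLE_INI"
printf 'from-systemd-credential' > "$SAMPLE_CREDS/auth-token"

# Demonstration of the precedence with the fixtures above.
unset CREDENTIALS_DIRECTORY
echo "config.ini only:   $(resolve_secret auth-token '' "$SAMPLE_INI")"
CREDENTIALS_DIRECTORY=$SAMPLE_CREDS; export CREDENTIALS_DIRECTORY
echo "credential wins:   $(resolve_secret auth-token '' "$SAMPLE_INI")"
echo "cli argument wins: $(resolve_secret auth-token cli-token "$SAMPLE_INI")"
unset CREDENTIALS_DIRECTORY
```

The credential file is read with `cat` rather than passed through a shell variable on a command line, so the secret stays off the process list; an unreadable or empty credential file falls through to config.ini instead of producing an empty token.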