Here's the 6th installment of posts highlighting key new features of the upcoming v257 release of systemd. #systemd257
Most forms of Linux full disk encryption today imply some form of interactivity at boot: the user is prompted for a passphrase during early boot, and only when provided the root file system can be unlocked and the boot process may proceed.
Since early in systemd's development asking interactively for a passphrase has been taken over by the systemd-ask-password logic.
The logic allows components of the OS to query for passwords, and "agents" to ten interactively query the user for them. systemd brings an agent with it out of the box: it can query for the password on a TTY/the console, or via Plymouth, or write a wall(1) message suggesting that a password is required.
So far the whole interface was limited to system components querying for passwords, and for regular users supplying them (after polkit authorization).
With v257 this model is extended to allowing regular users to query for passwords too with this.
Basically, there are now two modes of asking for a password:
1. ask system-wide (limited to root, the pre-existing logic)
2. ask only user-wide (available for any user, the new addition).
The logic is accessible from the shell via the `systemd-ask-password` tool, which now gained the new `--user` switch for selecting the per-user scope.
The whole API is documented here btw:
https://systemd.io/PASSWORD_AGENTS
(the documentation has not been refreshed for the new v257 additions, stay tuned)