systemd-creds driver for secrets management

[jonas-hagen]

The very powerful integration of podman and systemd via quadlets makes systemd-creds (also see here) the obvious choice for secure secrets management.

This is not easily possible with one of the current drivers (file, shell, pass) and a new systemd secrets driver would be highly appreciated. The driver would:

• Store encrypted credential files in a directory on the host using systemd-creds
• Add a LoadCredentialEncrypted= directive upon systemd unit generation for every secret requested in a quadlet Secret= directive

There are workarounds to make it work with the shell driver. One of them looks like below. Unfortunately one has to put the SECRET_ID in the container quadlet file, which has to be extracted from /var/lib/containers/storage/secrets/secrets.json after creation of the secret with podman.

/etc/containers/containers.conf :

[secrets]
driver = "shell"

[secrets.opts]
# list and lookup only works in service context where $CREDENTIALS_DIRECTORY is set
list = "/usr/bin/ls $CREDENTIALS_DIRECTORY" 
lookup = "/usr/bin/cat $CREDENTIALS_DIRECTORY/$SECRET_ID"

# store and delete only works in host context where /etc/containers/secrets is available
store = "systemd-creds --name=$SECRET_ID encrypt - /etc/containers/secrets/$SECRET_ID.cred" 
delete = "rm /etc/containers/secrets/$SECRET_ID.cred"

/etc/containers/systemd/printenv.container

[Unit]
Description=Test container

[Service]
LoadCredentialEncrypted=4494b6510222c8b856834c8cb:/etc/containers/secrets/4494b6510222c8b856834c8cb.cred

[Container]
Image=alpine:latest
Secret=foobar,type=env,target=FOOBAR_SECRET
Exec=env

/var/lib/containers/storage/secrets/secrets.json (created by podman)

{
  "secrets": {
    "4494b6510222c8b856834c8cb": {
      "name": "foobar",
      "id": "4494b6510222c8b856834c8cb",
      "createdAt": "2025-08-06T16:49:45.901741684+02:00",
      "updatedAt": "2025-08-06T16:49:45.901741684+02:00",
      "driver": "shell",
      "driverOptions": {
        "delete": "rm /etc/containers/secrets/$SECRET_ID.cred",
        "list": "/usr/bin/ls $CREDENTIALS_DIRECTORY",
        "lookup": "/usr/bin/cat $CREDENTIALS_DIRECTORY/$SECRET_ID",
        "store": "systemd-creds --name=$SECRET_ID encrypt - /etc/containers/secrets/$SECRET_ID.cred"
      }
    }
  },
  "nameToID": {
    "foobar": "4494b6510222c8b856834c8cb"
  },
  "idToName": {
    "4494b6510222c8b856834c8cb": "foobar"
  }
}

/var/lib/containers/storage/secrets/ would possibly be used instead of /etc/containers/secrets/.