systemd-ask-password: Interactive password prompts


systemd-ask-password is a small utility from systemd that asks the user for a password or secret via the current terminal or an agent. It’s handy when a script or service needs a password without exposing it in logs or the process environment.

Basic usage

  • Query a password with a custom prompt:
systemd-ask-password "Enter your password:"

The prompt is shown on the terminal (or through an agent); the entered password is written to stdout, where a pipeline or script can capture it.

Useful options

  • Specify an identifier for the password query:
systemd-ask-password --id my-service "Enter password for my-service:"

Identifiers help correlate multiple prompts or cancel flows in complex scripts.

  • Use a kernel keyring cache for the password:
systemd-ask-password --keyname my-service-key "Enter password for my-service:"

The entered password is stored in the kernel keyring under the given key name for reuse.

  • Set a custom timeout (in seconds):
systemd-ask-password --timeout 30 "Enter your password:"

If the user doesn’t respond within the timeout, the command exits with a non-zero status.

  • Force the use of an agent system and never ask on the current TTY:
systemd-ask-password --no-tty "Enter password:"

This prevents prompts on the current terminal and relies on an existing agent.

  • Store a password in the kernel keyring without displaying it:
systemd-ask-password --no-output --keyname my-service-key "Enter password:"

With --no-output the password is never written to stdout, so it is only stored in the keyring and cannot end up on the terminal or in captured output.

  • Pass the asked password to another program:
systemd-ask-password | some-command

The password is written to stdout and can be consumed by another process.

  • Display help:
systemd-ask-password --help

Common pitfalls

  • Output capture: If you directly run systemd-ask-password in a script without capturing stdout, you might not get the password. Use command substitution or capture in a variable, e.g. pw=$(systemd-ask-password "Prompt:").
  • Terminal vs. agent: If you rely on an interactive TTY, ensure the process has terminal access. If using --no-tty, you must have an agent available.
  • Security: Avoid exposing passwords in shell history or logs. Prefer --no-output when storing in keyrings or when piping to other commands that do not require visible secrets.
  • Timeouts: When setting --timeout, consider user latency and potential automation environments where prompts must fail gracefully.
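
The pitfalls above (capturing stdout, failing gracefully on timeout, keeping the secret out of logs and argv) combined in one POSIX sh wrapper. This is an added example, not code from the systemd project; the function names ask_secret and unlock_with_secret, the ASKPW override variable and the consumer command are assumptions of the sketch.

```shell
#!/bin/sh
# Added example. ASKPW (hypothetical) lets a test or wrapper substitute a
# different prompt command; by default systemd-ask-password is used.

# ask_secret ID PROMPT [TIMEOUT_SECONDS]
# Writes the secret to stdout without a trailing newline.
# Returns 1 if the prompt command exits non-zero (for example on timeout),
# 2 if the user submitted an empty password.
ask_secret() {
    _id=$1 _prompt=$2 _timeout=${3:-30}
    # Command substitution captures stdout; the prompt itself is shown on
    # the TTY or by an agent, so this function echoes nothing sensitive.
    _pw=$("${ASKPW:-systemd-ask-password}" --id "$_id" \
            --timeout "$_timeout" "$_prompt") || {
        unset _pw
        return 1
    }
    if [ -z "$_pw" ]; then
        unset _pw
        return 2
    fi
    # printf, not echo: a password such as "-n" or one containing
    # backslashes must pass through unchanged.
    printf '%s' "$_pw"
    unset _pw
}

# unlock_with_secret ID PROMPT CONSUMER [ARGS...]
# Feeds the secret to CONSUMER on stdin, never via argv or the environment,
# and refuses to run CONSUMER at all when no password was obtained.
unlock_with_secret() {
    _qid=$1 _qprompt=$2
    shift 2
    _secret=$(ask_secret "$_qid" "$_qprompt") || {
        _rc=$?
        # Log the failure, never the secret.
        echo "unlock: no password obtained (rc=$_rc), not continuing" >&2
        return "$_rc"
    }
    _rc=0
    printf '%s\n' "$_secret" | "$@" || _rc=$?
    unset _secret
    return "$_rc"
}
```

A call such as unlock_with_secret unlock-service "Unlock service password:" some-service --unlock then replaces the inline capture-and-pipe pattern.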

Quick examples

  • Prompt with an ID and timeout, then reuse the password:
systemd-ask-password --id deploy-tool --timeout 60 --keyname deploy-key "Enter password for deployment:"
  • Use as part of a script to unlock a service and run a command:
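pw=$(systemd-ask-password --id unlock-service "Unlock service password:")
if [ -n "$pw" ]; then
  # printf rather than echo: the password passes through unchanged even if it starts with "-" or contains backslashes
  printf '%s\n' "$pw" | some-service --unlock
fi
unset pw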

When to use systemd-ask-password

  • When a daemon or long-running script needs a secret at runtime without embedding it in scripts.
  • When you want to leverage the kernel keyring for caching secret data securely.
  • When you need a straightforward, POSIX-friendly interface to ask for user input with optional features like timeouts and TTY control.

Alternatives

  • gnome-keyring or kdewallet for GUI password prompts (not suitable for non-GUI or headless servers).
  • ssh-agent or gpg-agent for cryptographic keys and passphrase caching.
  • tldr for quick command references (you may see a note like: update needed).
