author: Luca Boccassi <bluca@debian.org> 2023-10-12 11:22:20 +0200
committer: Luca Boccassi <bluca@debian.org> 2024-02-09 15:36:10 +0100
commit: dba0afa14e6baf308e504a469106e6a0bd798a4e
tree: 6df5bca3245b821eaa64c7deb94f62b2e63d2c23 /docs
parent: Merge pull request #31243 from YHNdnzj/systemctl-disable-now-template
openssl: add helper to load key from provider/engine
It's not the literal private key, but EVP_PKEY becomes a reference to the engine/provider that OpenSSL knows how to use later
Diffstat (limited to 'docs')
-rw-r--r-- docs/ENVIRONMENT.md 8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index 7f59dcae71..6fa82d7177 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -129,6 +129,14 @@ All tools:
* `$SYSTEMD_VERITY_SHARING=0` — if set, sharing dm-verity devices by
using a stable `<ROOTHASH>-verity` device mapper name will be disabled.
+* `$SYSTEMD_OPENSSL_KEY_LOADER`— when using OpenSSL to load a key via an engine
+ or a provider, can be used to force the usage of one or the other interface.
+ Set to 'engine' to force the usage of the old engine API, and to 'provider'
+ force the usage of the new provider API. If unset, the provider will be tried
+ first and the engine as a fallback if that fails. Providers are the new OpenSSL
+ 3 API, but there are very few if any in a production-ready state, so engines
+ are still needed.
+
`systemctl`:
* `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID 1's private D-Bus
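Review bot: The new `$SYSTEMD_OPENSSL_KEY_LOADER` entry does not say what happens when the variable is set to a value other than 'engine' or 'provider'; since this setting decides which key-loading interface is used, the text should state whether such a value is rejected or treated as unset. Wording in the same entry: "and to 'provider' force the usage" is missing a "to" before "force", the variable name is not separated from the dash by a space as it is in the neighbouring `$SYSTEMD_VERITY_SHARING=0` and `$SYSTEMCTL_FORCE_BUS=1` entries, and the two values would be clearer in backticks (`engine`, `provider`) than in single quotes. The closing sentence about providers being rarely production-ready will age; consider phrasing it as the reason for the fallback order rather than as a statement about the ecosystem.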