-rw-r--r--docs/ENVIRONMENT.md5
-rw-r--r--src/shared/ask-password-api.c46
2 files changed, 50 insertions, 1 deletions
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index b0b30949fb..30c987f834 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -743,3 +743,8 @@ Tools using the Varlink protocol (such as `varlinkctl`) or sd-bus (such as
If unset, the default expiration of 150 seconds is used. If set to `0`, keys are
not cached in the kernel keyring. If set to `infinity`, keys are cached without an
expiration time in the kernel keyring.
+
+* `SYSTEMD_ASK_PASSWORD_KEYRING_TYPE` - takes a keyring ID or one of `thread`,
+ `process`, `session`, `user`, `user-session`, or `group`. Controls the kernel
+ keyring in which `systemd-ask-password` caches the queried password. Defaults
+ to `user`.
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index eba647aaef..2e49096f82 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -44,6 +44,7 @@
#include "random-util.h"
#include "signal-util.h"
#include "socket-util.h"
+#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "terminal-util.h"
@@ -54,6 +55,17 @@
#define KEYRING_TIMEOUT_USEC ((5 * USEC_PER_MINUTE) / 2)
+static const char* keyring_table[] = {
+ [-KEY_SPEC_THREAD_KEYRING] = "thread",
+ [-KEY_SPEC_PROCESS_KEYRING] = "process",
+ [-KEY_SPEC_SESSION_KEYRING] = "session",
+ [-KEY_SPEC_USER_KEYRING] = "user",
+ [-KEY_SPEC_USER_SESSION_KEYRING] = "user-session",
+ [-KEY_SPEC_GROUP_KEYRING] = "group",
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(keyring, int);
+
static int lookup_key(const char *keyname, key_serial_t *ret) {
key_serial_t serial;
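Review bot: keyring_table is indexed by the negated KEY_SPEC_*_KEYRING constants, which leaves slot 0 empty (NULL) and relies on the generated keyring_from_string() tolerating NULL entries; neither fact is visible to a reader of the table. A comment above it would make the contract explicit, e.g. `/* Indexed by -KEY_SPEC_*_KEYRING; slot 0 is intentionally unused. Callers negate the lookup result to get the KEY_SPEC_* value. */`.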
@@ -134,6 +146,38 @@ static usec_t keyring_cache_timeout(void) {
return saved_timeout;
}
+static key_serial_t keyring_cache_type(void) {
+ static key_serial_t saved_keyring = KEY_SPEC_USER_KEYRING;
+ static bool saved_keyring_set = false;
+ int r;
+
+ if (saved_keyring_set)
+ return saved_keyring;
+
+ const char *e = secure_getenv("SYSTEMD_ASK_PASSWORD_KEYRING_TYPE");
+ if (e) {
+ key_serial_t keyring;
+
+ r = safe_atoi32(e, &keyring);
+ if (r >= 0)
+ if (keyring < 0)
+ log_debug_errno(keyring, "Invalid value in $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE, ignoring: %s", e);
+ else
+ saved_keyring = keyring;
+ else {
+ keyring = keyring_from_string(e);
+ if (keyring < 0)
+ log_debug_errno(keyring, "Invalid value in $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE, ignoring: %s", e);
+ else
+ saved_keyring = -keyring;
+ }
+ }
+
+ saved_keyring_set = true;
+
+ return saved_keyring;
+}
+
static int add_to_keyring(const char *keyname, AskPasswordFlags flags, char **passwords) {
_cleanup_strv_free_erase_ char **l = NULL;
_cleanup_(erase_and_freep) char *p = NULL;
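Review bot: In the numeric branch, `log_debug_errno(keyring, ...)` passes the parsed keyring value (a negative integer taken from the environment) as the errno code, so the log line carries an unrelated strerror text; it should be `log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid value in $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE, ignoring: %s", e);`, while the string branch is presumably fine because keyring_from_string() returns a genuine negative errno. The nested `if (r >= 0) if (keyring < 0) ... else ... else { ... }` parses as intended but reads as a dangling-else hazard; bracing the outer `if (r >= 0) { ... }` would remove the ambiguity for the next reader. A parsed value of 0 is also accepted and handed on to add_key(), which the kernel presumably rejects as not a valid serial; tightening the check to `if (keyring <= 0)` rejects it up front with the same debug message.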
@@ -168,7 +212,7 @@ static int add_to_keyring(const char *keyname, AskPasswordFlags flags, char **pa
* have multiple passwords. */
n = LESS_BY(n, (size_t) 1);
- serial = add_key("user", keyname, p, n, KEY_SPEC_USER_KEYRING);
+ serial = add_key("user", keyname, p, n, keyring_cache_type());
if (serial == -1)
return -errno;
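Review bot: The cache is now written to the keyring chosen by keyring_cache_type(), but the read side is not changed in this commit, so if lookup_key() (declared at the top of the earlier hunk, body outside view) still resolves the key through request_key(), a password stored in a keyring outside the process's default search path — an arbitrary keyring ID or `group`, for instance — will be cached but never found on the next query. If that asymmetry is intended, a comment at this call saying so would help; otherwise lookup_key() should search the same keyring explicitly (KEYCTL_SEARCH against keyring_cache_type()). add_to_keyring() starts and ends outside this hunk.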