(In reply to Franck Bui from comment #35)
> > And in this case session keys are visible by all processes running with the same UID, which is not too good.
> Still it is better than what we have now.
> That's probably the reason why the doc says:
> > Rather than relying on the user session keyring, it is strongly recommended--especially if the process is running as root--that a session-keyring(7) be set explicitly, for example by pam_keyinit(8).

You miss the point. It makes pam_keyinit mandatory without so much as giving any heads up to users (just try to search for pam_keyinit in systemd NEWS). Before this change pam_keyinit was recommended, but the whole system still worked reasonably well without it. So the actual question is whether we want to mandate pam_keyinit and risk security implications if it is missing for some reason.