glenneth1 · moshhh · Jan 13, 2026 · Jan 13, 2026 · Feb 3, 2026
diff --git a/README.org b/README.org
@@ -190,9 +190,9 @@ machine irc.libera.chat login yournick password your-secret-password
 
 CLatter will decrypt the file using GPG and look up the password by matching the server and nick.
 
-**** systemd-creds (encrypted with TPM/host key)
+**** systemd-creds (encrypted with TPM and/or host key)
 
-Use =systemd-creds= to create a system credential to encrypt your password. This ties the credential to your machine and doesn't require GPG. This requires root privlages.
+Use =systemd-creds= to create a SYSTEM credential to encrypt your password. This ties the credential to your machine and doesn't require GPG. This *requires* root privilages.
 
 1. Create the encrypted credential:
    #+begin_src bash
@@ -204,11 +204,27 @@ Use =systemd-creds= to create a system credential to encrypt your password. This
 
 2. Update your config:
    #+begin_src lisp
-   :nickserv-pw (:systemd-cred "/home/you/.config/clatter/creds/nickserv.cred")
+   :nickserv-pw (:systemd-creds "/home/you/.config/clatter/creds/nickserv.cred")
    #+end_src
 
 CLatter will decrypt the credential file at startup using =systemd-creds decrypt=.
 
+**** systemd-creds --user (encrypted with TPM and/or host key)
+
+Use =systemd-creds= with the =--user switch= to create a USER credential to encrypt your password. This ties the credential to your machine and doesn't require GPG. This *does not* require root privilages.
+
+1. Create the encrypted credential:
+   #+begin_src bash
+   mkdir -p ~/.config/clatter/creds
+   read -s -p "Enter NickServ password: " pw && echo -n "$pw" | \
+     systemd-creds encrypt --user - ~/.config/clatter/creds/nickserv.cred && \
+     echo -e "\nCredential saved"
+   #+end_src
+
+2. Update your config:
+   #+begin_src lisp
+   :nickserv-pw (:systemd-creds-user "/home/you/.config/clatter/creds/nickserv.cred")
+   #+end_src
 
 **** pass(1) (GPG encrypted)
 Use =pass(1)= the standard unix password manager, to store and encrypt your password. This works using GPG and the credential is portable. 

diff --git a/src/core/config.lisp b/src/core/config.lisp
@@ -240,7 +240,8 @@ Returns plist with :login and :password, or nil if not found."
                          (string-equal (getf entry :login) login)))
             (return entry)))))))
 
-(defun read-systemd-cred (path)
+;; systemd-creds support for reading from a SYSTEM credential.
+(defun read-systemd-creds (path)
   "Decrypt a systemd-creds encrypted file and return its contents."
   (handler-case
       (string-trim '(#\Space #\Newline #\Return)
@@ -249,6 +250,18 @@ Returns plist with :login and :password, or nil if not found."
                                        :output out
                                        :error-output nil)))
     (error () nil)))
+
+;; systemd-creds support for reading from a USER credential.
+(defun read-systemd-creds-user (path)
+  "Decrypt a systemd-creds encrypted file with the --user switch and return its contents."
+  (handler-case
+     (string-trim '(#\Space #\Newline #\Return)
+                  (with-output-to-string (out)
+                    (uiop:run-program (list "systemd-creds" "--user" "decrypt" path "-")
+			              :output out
+                                      :error-output nil)))
+   (error () nil)))
+;; pass(1) support for reading from a credential stored in a .gpg file.
 (defun read-password-store (password-name)
   "Resolve a password value from pass(1)"
   (handler-case
@@ -263,6 +276,7 @@ Returns plist with :login and :password, or nil if not found."
   "Resolve a password value that may be:
    - :authinfo - read from ~/.authinfo or ~/.authinfo.gpg (requires server/nick)
    - (:systemd-creds \"/path/to/file.cred\") - decrypt using a system credential with systemd-creds
+   - (:systemd-creds-user \"/path/to/file.cred\") - decrypt using a user credential with systemd-creds
    - (:pass password-name) - decrypt using pass(1)
    - plain string - use directly
    - nil - no password"
@@ -273,13 +287,19 @@ Returns plist with :login and :password, or nil if not found."
        (let ((entry (lookup-authinfo server nick)))
          (getf entry :password))))
 
-    ;; (:systemd-cred "/path/to/file.cred") - decrypt using systemd-creds
+    ;; (:systemd-creds "/path/to/file.cred") - decrypt using systemd-creds (root privilages required)
     ((and (listp pw) (eq (first pw) :systemd-creds))
      (let ((cred-path (second pw)))
        (when cred-path
-         (read-systemd-cred cred-path))))
+         (read-systemd-creds cred-path))))
+
+    ;; (:systemd-creds-user "/path/to/file.cred") - decrypt using systemd-creds --user (no root privilages required)
+    ((and (listp pw) (eq (first pw) :systemd-creds-user))
+     (let ((cred-path (second pw)))
+       (when cred-path
+          (read-systemd-creds-user cred-path))))
 
-    ;; (:pass "password-name") - decrypt using pass(1)
+    ;; (:pass "password-name") - decrypt using pass(1) - gpg and pinentry required. 
     ((and (listp pw) (eq (first pw) :pass))
      (let ((password-name (second pw)))
        (when password-name