I thought this through (specifically systemd support) and made a deliberate choice not to support it. I'm running in a `screen` session. It's been working like that for me for a month, and this is what I recommend.

But I hadn't heard of "systemd-ask-password" before, and I'm still not sure how to do it or if it does what I expect.

The attack surface of knox is filesystem access and direct memory access. To protect against filesystem access, the user must enter a password every time knox starts. If you store the password in plaintext on the filesystem, you have negated the FS security because an attacker who gains access to the filesystem can now access both the file and the secret. It's similar to not using encryption at all.

It doesn't need systemd. It should never crash. Having to manually start it again if the whole server restarts is a small price to pay for security. But it would be nice if it could integrate with systemctl and journalctl. So how does systemd-ask-password work? Does it save the password in plaintext, or does it prompt you?
