doc: document SystemdEncrypt

src/iwd.config.rst

@@ -188,6 +188,22 @@ The group ``[General]`` contains general settings.
        by the kernel so if kernels/drivers exist which don't support OCV it can
        be disabled here.
 
+   * - SystemdEncrypt
+     - Value: Systemd key ID
+
+       Enables network profile encryption using a systemd provided secret key.
+       Once enabled all PSK/8021x network profiles will be encrypted
+       automatically. Once the profile is encrypted there is no way of going
+       back using IWD alone. A tool, **iwd-decrypt-profile**, is provided
+       assuming the secret is known which will decrypt a profile. This
+       decrypted profile could manually be set to /var/lib/iwd to 'undo' any
+       profile encryption, but its going to be a manual process.
+
+       Setting up systemd to provide the secret is left up to the user as IWD
+       has no way of performing this automatically. The systemd options
+       required are LoadCredentialEncrypted or SetCredentialEncrypted, and the
+       secret identifier should be named whatever SystemdEncrypt is set to.
+
 Network
 -------
 

src/iwd.network.rst

@@ -179,7 +179,11 @@ Network Authentication Settings
 -------------------------------
 
 The group ``[Security]`` contains settings for Wi-Fi security and
-authentication configuration.
+authentication configuration. This group can be encrypted by enabling
+``SystemdEncrypt``, see *iwd.config* for details on this option. If this
+section is encrypted (only contains EncryptedSalt/EncryptedSecurity) it should
+not be modified. Modifying these values will result in the inability to
+connect to that network.
 
 .. list-table::
    :header-rows: 0