systemd v256 will have support for credentials that are encrypted at rest, locked against the system's TPM, and can be used by a per-user service (prior versions only supported it for system services).

This is a much more secure way to store credentials than git-annex's current .git/annex/creds/ which is only protected by unix permissions, and so it would make sense for git-annex to use it. It would need a way for git-annex to start a systemd user service when it needs access to a credential.

Note that GNOME/XDG desktop secret managers have work underway to support this systemd feature, so git-annex might be able to alternatively use them to access creds rather than using a systemd unit directly. --Joey