diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f01599f656..d4dc2843ec 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -631,8 +631,8 @@ CapabilityBoundingSet=~CAP_B CAP_C processes. In this modes multiple units running processes under the same user ID may share key material. Unless is selected the unique invocation ID for the unit (see below) is added as a protected key by the name invocation_id to the newly created session keyring. Defaults to
- for the system service manager and to for the user service
- manager.
+ for services of the system service manager and to for
+ non-service units and for services of the user service manager.
diff --git a/src/core/service.c b/src/core/service.c
index f2d4333719..1997c82ac3 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -120,6 +120,9 @@ static void service_init(Unit *u) {
 s->guess_main_pid = true;
 s->control_command_id = _SERVICE_EXEC_COMMAND_INVALID;
+
+ s->exec_context.keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
+ EXEC_KEYRING_PRIVATE : EXEC_KEYRING_INHERIT;
 }
 static void service_unwatch_control_pid(Service *s) {
diff --git a/src/core/unit.c b/src/core/unit.c
index 0d0f10f5f7..8c0e157a90 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -186,7 +186,7 @@ static void unit_init(Unit *u) {
 exec_context_init(ec);
 ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
- EXEC_KEYRING_PRIVATE : EXEC_KEYRING_INHERIT;
+ EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
 }
 kc = unit_get_kill_context(u);
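Review bot: In the src/core/service.c hunk, the default assigned at the end of service_init() only has an effect if it runs after the generic assignment to `ec->keyring_mode` in unit_init() (the src/core/unit.c hunk of this commit), and nothing in the new lines says so. That call order is not visible in either hunk, so it is worth confirming that the per-type init hook runs after the exec context defaults are set; if it ran first, system services would presumably end up with the shared keyring instead of a private one. A comment above the assignment would make the intent explicit, for example `/* Services get a private session keyring by default under the system manager; this overrides the generic default set in unit_init(). */`.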
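Review bot: In the src/core/unit.c hunk, changing the system-manager default to `EXEC_KEYRING_SHARED` relaxes key isolation for the unit types that reach this code and do not override it, and the new line carries no comment giving the reason. The man page hunk in this same commit notes that units running processes under the same user ID may then share key material, so a later reader could take the weaker default for a mistake and "fix" it, or overlook that a new unit type needs its own override. I would add a comment above the assignment such as `/* Non-service units default to the shared keyring; service_init() overrides this with "private" for system services. */`, together with the reason non-service units need shared keys. unit_init() begins and ends outside the hunk.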