Secret Service: Difference between revisions

(10 intermediate revisions by the same user not shown)

Line 1:

[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service] is an API on D-Bus to allow applications to store secrets securely.

'''[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service]''' is an API on D-Bus to allow applications to store secrets securely.

== Providers ==

Line 9:

* KeePassXC ({{nixos:package|keepassxc}}): A password manager with optional Secret Service integration

* pass-secret-service: D-Bus service to expose [https://www.passwordstore.org/ pass] to Secret Service

At least GNOME Keyring provides a special collection named <code>session</code>, which is not persisted on disk and is deleted when the user logs out.

=== GNOME Keyring ===

Line 15:

Line 17:

{{file|home.nix|nix|<nowiki>

services.gnome-keyring.enable = true;

~~</nowiki>}}~~

home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter

</nowiki>}}OR

{{Note|As of 2024-11-18 the only way to add D-Bus session service definitions without defining them in Nix is in NixOS. Add the following to your NixOS system configuration to get <code>pinentry-gnome3</code> working: [https://rycee.gitlab.io/home~~-manager/options.xhtml#opt-services.gpg-agent.pinentryPackage]~~

~~<syntaxhighlight lang="nix">~~

~~services.dbus~~.packages = [ pkgs.gcr ];

</~~syntaxhighlight~~>

}}

OR

Add the following to your NixOS configuration:

Line 65:

Line 60:

services.passSecretService.enable = true;

</nowiki>}}

== Secret portal ==

'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).

== Auto-decrypt on login ==

The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.

The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

security.pam.services.login.enableGnomeKeyring = true;

</nowiki>}}

The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.

Usually you want to configure the <code>login</code> service, but <code>greetd</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).

Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).

The login password is used to decrypt the wallet/keyring.

== Troubleshooting ==

=== <code>gkr-pam: couldn't unlock the login keyring.</code> ===

This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message <code>gkr-pam: gnome-keyring-daemon started properly</code>. Try logging out and back in or restarting.

=== <code>gkr-pam: unable to locate daemon control file</code> ===

This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.

=== <code>discover_other_daemon: 0</code> with <code>--start</code> ===

This error happens when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag either could not send <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket or got a failing result.

=== <code>discover_other_daemon: 1</code> with <code>--start</code> ===

This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.

[[Category:Desktop]]

@@ Line 1: / Line 1: @@
-[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service] is an API on D-Bus to allow applications to store secrets securely.
+'''[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service]''' is an API on D-Bus to allow applications to store secrets securely.
 == Providers ==
@@ Line 9: / Line 9: @@
 * KeePassXC ({{nixos:package|keepassxc}}): A password manager with optional Secret Service integration
 * pass-secret-service: D-Bus service to expose [https://www.passwordstore.org/ pass] to Secret Service
+At least GNOME Keyring provides a special collection named <code>session</code>, which is not persisted on disk and is deleted when the user logs out.
 === GNOME Keyring ===
@@ Line 15: / Line 17: @@
 {{file|home.nix|nix|<nowiki>
 services.gnome-keyring.enable = true;
-</nowiki>}}
+home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter
+</nowiki>}}OR
-{{Note|As of 2024-11-18 the only way to add D-Bus session service definitions without defining them in Nix is in NixOS. Add the following to your NixOS system configuration to get <code>pinentry-gnome3</code> working: [https://rycee.gitlab.io/home-manager/options.xhtml#opt-services.gpg-agent.pinentryPackage]
-<syntaxhighlight lang="nix">
-services.dbus.packages = [ pkgs.gcr ];
-</syntaxhighlight>
-}}
-OR
 Add the following to your NixOS configuration:
@@ Line 65: / Line 60: @@
 services.passSecretService.enable = true;
 </nowiki>}}
+== Secret portal ==
+'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).
 == Auto-decrypt on login ==
-The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
+The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+security.pam.services.login.enableGnomeKeyring = true;
+</nowiki>}}
+The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
-Usually you want to configure the <code>login</code> service, but <code>greetd</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).
+Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).
 The login password is used to decrypt the wallet/keyring.
+== Troubleshooting ==
+=== <code>gkr-pam: couldn't unlock the login keyring.</code> ===
+This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message <code>gkr-pam: gnome-keyring-daemon started properly</code>. Try logging out and back in or restarting.
+=== <code>gkr-pam: unable to locate daemon control file</code> ===
+This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.
+=== <code>discover_other_daemon: 0</code> with <code>--start</code> ===
+This error happens when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag either could not send <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket or got a failing result.
+=== <code>discover_other_daemon: 1</code> with <code>--start</code> ===
+This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.
 [[Category:Desktop]]