Secret Service: Difference between revisions

(5 intermediate revisions by the same user not shown)

Line 1:

[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service] is an API on D-Bus to allow applications to store secrets securely.

'''[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service]''' is an API on D-Bus to allow applications to store secrets securely.

== Providers ==

Line 60:

services.passSecretService.enable = true;

</nowiki>}}

== Secret portal ==

'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).

== Auto-decrypt on login ==

The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.

The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

security.pam.services.login.enableGnomeKeyring = true;

</nowiki>}}

The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.

Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).

Line 72:

Line 80:

=== <code>gkr-pam: couldn't unlock the login keyring.</code> ===

This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message <code>gkr-pam: gnome-keyring-daemon started properly</code>.

This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message <code>gkr-pam: gnome-keyring-daemon started properly</code>. Try logging out and back in or restarting.

=== <code>gkr-pam: unable to locate daemon control file</code> ===

This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.

=== <code>discover_other_daemon: 0</code> with <code>--start</code> ===

This error happens when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag either could not send <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket or got a failing result.

=== <code>discover_other_daemon: 1</code> with <code>--start</code> ===

This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.

[[Category:Desktop]]

@@ Line 1: / Line 1: @@
-[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service] is an API on D-Bus to allow applications to store secrets securely.
+'''[https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service]''' is an API on D-Bus to allow applications to store secrets securely.
 == Providers ==
@@ Line 60: / Line 60: @@
 services.passSecretService.enable = true;
 </nowiki>}}
+== Secret portal ==
+'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).
 == Auto-decrypt on login ==
-The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
+The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+security.pam.services.login.enableGnomeKeyring = true;
+</nowiki>}}
+The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
 Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).
@@ Line 72: / Line 80: @@
 === <code>gkr-pam: couldn't unlock the login keyring.</code> ===
-This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message <code>gkr-pam: gnome-keyring-daemon started properly</code>.
+This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message <code>gkr-pam: gnome-keyring-daemon started properly</code>. Try logging out and back in or restarting.
+=== <code>gkr-pam: unable to locate daemon control file</code> ===
+This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.
+=== <code>discover_other_daemon: 0</code> with <code>--start</code> ===
+This error happens when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag either could not send <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket or got a failing result.
+=== <code>discover_other_daemon: 1</code> with <code>--start</code> ===
+This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.
 [[Category:Desktop]]