Secret Service: Difference between revisions

Secret Service is an API on D-Bus to allow applications to store secrets securely.

Secret Service has many providers. Here's a list of a few of them.

• GNOME Keyring: GNOME-integrated daemon that stores credentials
• KDE Wallet (KWallet): KDE-integrated application that stores credentials
• KeePassXC (keepassxc): A password manager with optional Secret Service integration
• pass-secret-service: D-Bus service to expose pass to Secret Service

At least GNOME Keyring provides a special collection named session, which is not persisted on disk and is deleted when the user logs out.

Add the following to your Home Manager configuration:

services.gnome-keyring.enable = true;
home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter

OR

Add the following to your NixOS configuration:

services.gnome.gnome-keyring.enable = true;

The NixOS module sets up gnome-keyring-daemon to run as root [1], which allows GNOME Keyring to use secure memory (e.g. not swap), however this is easily mitigated by not using swap or using encrypted swap.

The NixOS module also adds the appropriate D-Bus service definitions to the session bus.

To manage credentials, you can use the Seahorse (seahorse) application.

When using KDE via services.desktopManager.plasma6.enable, KDE Wallet is enabled automatically.

KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.

Databases needs to be configured for Secret Service integration by opening their settings, opening the Secret Service Integration tab and selecting a group for Secret Service entries.

Add the following to your Home Manager configuration:

services.pass-secret-service.enable = true;

OR

Add the following to your NixOS configuration:

services.passSecretService.enable = true;

Secret portals are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I (axka) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to xdg.portal.extraPortals in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding gnome-keyring will also add XDG autostart definitions, but unless you have gnome-keyring installed on NixOS, they won't be enabled (i.e. /run/wrappers/bin/gnome-keyring-daemon won't work).

The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:

security.pam.services.login.enableGnomeKeyring = true;

The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable.

Usually you want to configure the login service, but greetd, su and sshd are also available. GDM and LightDM can be configured with login, while greetd cannot (🚩︎#357201).

The login password is used to decrypt the wallet/keyring.

This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message gkr-pam: gnome-keyring-daemon started properly. Try logging out and back in or restarting.

This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.

This error happens when a gnome-keyring-daemon process with the --start flag either could not send GKD_CONTROL_OP_INITIALIZE to a control socket or got a failing result.

This log message gets printed when a gnome-keyring-daemon process with the --start flag successfully sent GKD_CONTROL_OP_INITIALIZE to a control socket.