Secret Service: Difference between revisions

From NixOS Wiki
Axka (talk | contribs)
Add list of PAM services
Axka (talk | contribs)
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 17: Line 17:
</nowiki>}}
</nowiki>}}


{{Note|As of 2024-11-18 the only way to add D-Bus session service definitions without defining them in Nix is in NixOS. Add the following to your NixOS system configuration to get <code>pinentry-gnome3</code> working: [https://rycee.gitlab.io/home-manager/options.xhtml#opt-services.gpg-agent.pinentryPackage]
{{Note|As of 2024-11-18 the only way to add D-Bus session service definitions without defining them in Nix is in NixOS. Add the following to your NixOS system configuration to fix GNOME Keyring's password prompter: [https://rycee.gitlab.io/home-manager/options.xhtml#opt-services.gpg-agent.pinentryPackage]
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
services.dbus.packages = [ pkgs.gcr ];
services.dbus.packages = [ pkgs.gcr ];
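Review bot: the rewritten note in this hunk now says the `pkgs.gcr` line is there "to fix GNOME Keyring's password prompter", but the citation it keeps, [https://rycee.gitlab.io/home-manager/options.xhtml#opt-services.gpg-agent.pinentryPackage], documents Home Manager's `services.gpg-agent.pinentryPackage` option, which matched the old `pinentry-gnome3` wording and no longer supports the new sentence. Either point the link at something that explains why `pkgs.gcr` must be on the session bus for the keyring prompter, or keep the `pinentry-gnome3` mention so the reference still backs the claim.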
Line 70: Line 70:
The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.


Usually you want to configure the <code>login</code> service, but <code>greetd</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).
Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).


The login password is used to decrypt the wallet/keyring.
The login password is used to decrypt the wallet/keyring.


[[Category:Desktop]]
[[Category:Desktop]]
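Review bot: adding `su` to the list of PAM services is fine, but the paragraph still never shows the resulting option path; a reader has to combine this sentence with `security.pam.services.*.enableGnomeKeyring` two paragraphs up. Suggest one concrete line after the list, e.g. `security.pam.services.login.enableGnomeKeyring = true;`, and a sentence on whether each listed service actually passes a password to the PAM module, since the paragraph below states that the login password is what decrypts the wallet/keyring.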

Latest revision as of 14:18, 19 November 2024

Secret Service is an API on D-Bus to allow applications to store secrets securely.

Providers

Secret Service has many providers. Here's a list of a few of them.

  • GNOME Keyring: GNOME-integrated daemon that stores credentials
  • KDE Wallet (KWallet): KDE-integrated application that stores credentials
  • KeePassXC (keepassxc): A password manager with optional Secret Service integration
  • pass-secret-service: D-Bus service to expose pass to Secret Service

GNOME Keyring

Add the following to your Home Manager configuration:

home.nix
services.gnome-keyring.enable = true;

Note: As of 2024-11-18, Home Manager cannot add D-Bus session service definitions itself; short of writing the definitions in Nix by hand, the only supported way is through NixOS. Add the following to your NixOS system configuration to fix GNOME Keyring's password prompter: [1]

services.dbus.packages = [ pkgs.gcr ];

OR

Add the following to your NixOS configuration:

/etc/nixos/configuration.nix
services.gnome.gnome-keyring.enable = true;

The NixOS module sets up gnome-keyring-daemon to run as root [2], which lets GNOME Keyring keep secrets in secure memory (memory that cannot be written to swap). Without that, the risk of secrets ending up in swap is easily mitigated by not using swap or by using encrypted swap.

The NixOS module also adds the appropriate D-Bus service definitions to the session bus.

To manage credentials, you can use the Seahorse (seahorse) application.

KDE Wallet

When using KDE via services.desktopManager.plasma6.enable, KDE Wallet is enabled automatically.

KeePassXC

KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.

Each database also needs to be configured for Secret Service integration: open its database settings, go to the Secret Service Integration tab and select the group whose entries will be exposed over Secret Service.

pass-secret-service

Add the following to your Home Manager configuration:

home.nix
services.pass-secret-service.enable = true;

OR

Add the following to your NixOS configuration:

/etc/nixos/configuration.nix
services.passSecretService.enable = true;

Auto-decrypt on login

The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring. The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable.

Usually you want to configure the login service, but greetd, su and sshd are also available. GDM and LightDM can be configured with login, while greetd cannot (#357201).

The login password is used to decrypt the wallet/keyring.
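To bring the pieces above together, here is an added NixOS module (example code, not from the wiki or from nixpkgs) that selects one provider and enables PAM unlocking for a list of services; the `my.secretService` option namespace is an assumption made for the example.

```nix
# Added example (not from the wiki): a NixOS module that picks one Secret
# Service provider from the page and wires up PAM unlocking for the services
# listed above. The option namespace `my.secretService` is hypothetical.
{ config, lib, pkgs, ... }:

let
  cfg = config.my.secretService;
in
{
  options.my.secretService = {
    provider = lib.mkOption {
      type = lib.types.enum [ "gnome-keyring" "kwallet" "pass" ];
      default = "gnome-keyring";
      description = "Which provider implements the Secret Service API on the session bus.";
    };
    unlockServices = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "login" ];   # covers console logins, GDM and LightDM
      description = "PAM services whose password unlocks the keyring or wallet.";
    };
  };

  config = lib.mkMerge [
    (lib.mkIf (cfg.provider == "gnome-keyring") {
      services.gnome.gnome-keyring.enable = true;
      # GCR provides the password prompter used by gnome-keyring-daemon.
      services.dbus.packages = [ pkgs.gcr ];
      # One PAM entry per requested service, e.g. `login`, or `greetd` for
      # greetd-based greeters, which `login` does not cover (#357201).
      security.pam.services =
        lib.genAttrs cfg.unlockServices (_: { enableGnomeKeyring = true; });
    })
    (lib.mkIf (cfg.provider == "kwallet") {
      security.pam.services =
        lib.genAttrs cfg.unlockServices (_: { kwallet.enable = true; });
    })
    (lib.mkIf (cfg.provider == "pass") {
      # No PAM wiring for pass-secret-service in this example; pass is
      # decrypted with its own GPG key rather than the login password.
      services.passSecretService.enable = true;
    })
  ];
}
```

Set `my.secretService.unlockServices = [ "greetd" ];` on a greetd system so the greeter's PAM service, not `login`, receives the password.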