Secret Service: Difference between revisions

(2 intermediate revisions by one other user not shown)

Line 40:

=== KeePassXC ===

KeePassXC's Secret Service integration can be enabled by going into the ~~settings~~, opening the ''Secret Service Integration'' tab and enabling it.

KeePassXC's Secret Service integration can be enabled by going into the '''Tools > Settings''', opening the ''Secret Service Integration'' tab and enabling it.

~~Databases needs to~~ be configured ~~for Secret Service integration~~ by ~~opening their~~ settings, ~~opening the ''~~Secret Service Integration~~'' tab and selecting a group for Secret Service entries.~~

This can be configured automatically by [[Home Manager]] configuration:{{file|||<nowiki>

{ pkgs, ... }:

{

programs.keepassxc = {

autostart = true;

enable = true;

settings = {

# For available settings, see https://github.com/keepassxreboot/keepassxc/blob/develop/src/core/Config.cpp

FdoSecrets.Enabled = true; # Enable Secret Service Integration

};

xdg.autostart.enable = true; # Enable creation of XDG autostart entries.

}

</nowiki>|name=home.nix|lang=nix}}

Databases needs to be configured for Secret Service integration by opening their settings '''Database > Database Settings...''', opening the ''Secret Service Integration'' tab and selecting a group for Secret Service entries.

{{Warning|"Another secret service is running (...). Please stop/remove it before re-enabling the Secret Service Integration."}}

If you see a warning like above, you need to find out which other service is currently registered:<syntaxhighlight lang="shell">

busctl --user status org.freedesktop.secrets

</syntaxhighlight>If it's the Gnome Keyring Daemon, then it can be disabled by this configuration below:{{file|||<nowiki>

{ config, pkgs, lib, ... }:

{

services.gnome.gnome-keyring.enable = lib.mkForce false;

}

</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}

=== pass-secret-service ===

Line 62:

Line 87:

== Secret portal ==

'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager or NixOS. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).

'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).

== Auto-decrypt on login ==

The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.

The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

security.pam.services.login.enableGnomeKeyring = true;

</nowiki>}}

The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.

Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).

Line 88:

Line 118:

=== <code>discover_other_daemon: 1</code> with <code>--start</code> ===

This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag ~~either~~ successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.

This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.

[[Category:Desktop]]

@@ Line 40: / Line 40: @@
 === KeePassXC ===
-KeePassXC's Secret Service integration can be enabled by going into the settings, opening the ''Secret Service Integration'' tab and enabling it.
+KeePassXC's Secret Service integration can be enabled by going into the '''Tools > Settings''', opening the ''Secret Service Integration'' tab and enabling it.
-Databases needs to be configured for Secret Service integration by opening their settings, opening the ''Secret Service Integration'' tab and selecting a group for Secret Service entries.
+This can be configured automatically by [[Home Manager]] configuration:{{file|||<nowiki>
+{ pkgs, ... }:
+{
+  programs.keepassxc = {
+    autostart = true;
+    enable = true;
+    settings = {
+      # For available settings, see https://github.com/keepassxreboot/keepassxc/blob/develop/src/core/Config.cpp
+      FdoSecrets.Enabled = true; # Enable Secret Service Integration
+    };
+  };
-{{Expansion|Missing socket activation instructions.}}
+  xdg.autostart.enable = true; # Enable creation of XDG autostart entries.
+}
+</nowiki>|name=home.nix|lang=nix}}
+Databases needs to be configured for Secret Service integration by opening their settings '''Database > Database Settings...''', opening the ''Secret Service Integration'' tab and selecting a group for Secret Service entries.
+{{Warning|"Another secret service is running (...). Please stop/remove it before re-enabling the Secret Service Integration."}}
+If you see a warning like above, you need to find out which other service is currently registered:<syntaxhighlight lang="shell">
+busctl --user status org.freedesktop.secrets
+</syntaxhighlight>If it's the Gnome Keyring Daemon, then it can be disabled by this configuration below:{{file|||<nowiki>
+{ config, pkgs, lib, ... }:
+{
+  services.gnome.gnome-keyring.enable = lib.mkForce false;
+}
+</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}
 === pass-secret-service ===
@@ Line 62: / Line 87: @@
 == Secret portal ==
-'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager or NixOS. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).
+'''[https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html Secret portals]''' are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I ([[User:Axka|axka]]) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to <code>xdg.portal.extraPortals</code> in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding <code>gnome-keyring</code> will also add XDG autostart definitions, but unless you have <code>gnome-keyring</code> installed on NixOS, they won't be enabled (i.e. <code>/run/wrappers/bin/gnome-keyring-daemon</code> won't work).
 == Auto-decrypt on login ==
-The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}. The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
+The NixOS module for GNOME Keyring enables its PAM module automatically via {{nixos:option|security.pam.services.*.enableGnomeKeyring}}, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+security.pam.services.login.enableGnomeKeyring = true;
+</nowiki>}}
+The equivalent for KDE Wallet is {{nixos:option|security.pam.services.*.kwallet.enable}}.
 Usually you want to configure the <code>login</code> service, but <code>greetd</code>, <code>su</code> and <code>sshd</code> are also available. GDM and LightDM can be configured with <code>login</code>, while greetd cannot ({{issue|357201}}).
@@ Line 88: / Line 118: @@
 === <code>discover_other_daemon: 1</code> with <code>--start</code> ===
-This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag either successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.
+This log message gets printed when a <code>gnome-keyring-daemon</code> process with the <code>--start</code> flag successfully sent <code>GKD_CONTROL_OP_INITIALIZE</code> to a control socket.
 [[Category:Desktop]]