Secret Service: Difference between revisions
|  Add Secret portal section | m add discover_other_daemon log messages | ||
| Line 81: | Line 81: | ||
| This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes. | This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes. | ||
| === <code>discover_other_daemon: 0</code> with <code>--start</code> === | |||
| This error happens when a `gnome-keyring-daemon` process with the `--start` flag either could not send `GKD_CONTROL_OP_INITIALIZE` to a control socket or got a  failing result. | |||
| === <code>discover_other_daemon: 1</code> with <code>--start</code> === | |||
| This log message gets printed when a `gnome-keyring-daemon` process with the `--start` flag either successfully sent `GKD_CONTROL_OP_INITIALIZE` to a control socket. | |||
| [[Category:Desktop]] | [[Category:Desktop]] | ||
Revision as of 21:22, 5 April 2025
Secret Service is an API on D-Bus to allow applications to store secrets securely.
Providers
Secret Service has many providers. Here's a list of a few of them.
- GNOME Keyring: GNOME-integrated daemon that stores credentials
- KDE Wallet (KWallet): KDE-integrated application that stores credentials
- KeePassXC (keepassxc): A password manager with optional Secret Service integration
- pass-secret-service: D-Bus service to expose pass to Secret Service
At least GNOME Keyring provides a special collection named session, which is not persisted on disk and is deleted when the user logs out.
GNOME Keyring
Add the following to your Home Manager configuration:
services.gnome-keyring.enable = true;
home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter
OR
Add the following to your NixOS configuration:
services.gnome.gnome-keyring.enable = true;
The NixOS module sets up gnome-keyring-daemon to run as root [1], which allows GNOME Keyring to use secure memory (e.g. not swap), however this is easily mitigated by not using swap or using encrypted swap.
The NixOS module also adds the appropriate D-Bus service definitions to the session bus.
To manage credentials, you can use the Seahorse (seahorse) application.
KDE Wallet
When using KDE via services.desktopManager.plasma6.enable, KDE Wallet is enabled automatically.
KeePassXC
KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.
Databases needs to be configured for Secret Service integration by opening their settings, opening the Secret Service Integration tab and selecting a group for Secret Service entries.
pass-secret-service
Add the following to your Home Manager configuration:
services.pass-secret-service.enable = true;
OR
Add the following to your NixOS configuration:
services.passSecretService.enable = true;
Secret portal
Secret portals are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I (axka) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to xdg.portal.extraPortals in Home Manager or NixOS. Adding gnome-keyring will also add XDG autostart definitions, but unless you have gnome-keyring installed on NixOS, they won't be enabled (i.e. /run/wrappers/bin/gnome-keyring-daemon won't work).
Auto-decrypt on login
The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring. The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable.
Usually you want to configure the login service, but greetd, su and sshd are also available. GDM and LightDM can be configured with login, while greetd cannot (🚩︎#357201).
The login password is used to decrypt the wallet/keyring.
Troubleshooting
gkr-pam: couldn't unlock the login keyring.
This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message gkr-pam: gnome-keyring-daemon started properly. Try logging out and back in or restarting.
gkr-pam: unable to locate daemon control file
This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.
discover_other_daemon: 0 with --start
This error happens when a `gnome-keyring-daemon` process with the `--start` flag either could not send `GKD_CONTROL_OP_INITIALIZE` to a control socket or got a failing result.
discover_other_daemon: 1 with --start
This log message gets printed when a `gnome-keyring-daemon` process with the `--start` flag either successfully sent `GKD_CONTROL_OP_INITIALIZE` to a control socket.
