Secret Service

From NixOS Wiki
Revision as of 12:48, 18 November 2024 by Axka (talk | contribs) (Create page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Secret Service is an API on D-Bus to allow applications to store secrets securely.

Providers

Secret Service has many providers. Here's a list of a few of them.

  • GNOME Keyring: GNOME-integrated application that stores credentials
  • KDE Wallet (KWallet): KDE-integrated application that stores credentials
  • KeePassXC (keepassxc): A password manager with optional Secret Service integration
  • pass-secret-service: D-Bus service to expose pass to Secret Service

GNOME Keyring

Add the following to your Home Manager configuration: 

home.nix

services.gnome-keyring.enable = true;
Note: As of 2024-11-18 the only way to add D-Bus session service definitions without defining them in Nix is in NixOS. Add the following to your NixOS system configuration to get pinentry-gnome3 working: [1] 
services.dbus.packages = [ pkgs.gcr ];

OR

Add the following to your NixOS configuration: 

/etc/nixos/configuration.nix

services.gnome.gnome-keyring.enable = true;

The NixOS module sets up gnome-keyring-daemon to run as root [2], which allows GNOME Keyring to use secure memory (e.g. not swap), however this is easily mitigated by not using swap or using encrypted swap.

The NixOS module also adds the appropriate D-Bus service definitions to the session bus.

KDE Wallet

When using KDE via services.desktopManager.plasma6.enable, KDE Wallet is enabled automatically.

KeePassXC

KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.

Databases needs to be configured for Secret Service integration by opening their settings, opening the Secret Service Integration tab and selecting a group for Secret Service entries.

pass-secret-service

Add the following to your Home Manager configuration: 

home.nix

services.pass-secret-service.enable = true;

OR

Add the following to your NixOS configuration: 

/etc/nixos/configuration.nix

services.passSecretService.enable = true;

Auto-decrypt on login

The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring. The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable. Usually you want to configure the login service.

The login password is used to decrypt the wallet/keyring.

Retrieved from "https://wiki.nixos.org/w/index.php?title=Secret_Service&oldid=18755"