Secret Service
Secret Service is an API on D-Bus to allow applications to store secrets securely.
Providers
Secret Service has many providers. Here's a list of a few of them.
- GNOME Keyring: GNOME-integrated daemon that stores credentials
- KDE Wallet (KWallet): KDE-integrated application that stores credentials
- KeePassXC (
keepassxc): A password manager with optional Secret Service integration - pass-secret-service: D-Bus service to expose pass to Secret Service
At least GNOME Keyring provides a special collection named session, which is not persisted on disk and is deleted when the user logs out.
GNOME Keyring
Add the following to your Home Manager configuration:
home.nix
services.gnome-keyring.enable = true;
home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter
OR
Add the following to your NixOS configuration:
/etc/nixos/configuration.nix
services.gnome.gnome-keyring.enable = true;
The NixOS module sets up gnome-keyring-daemon to run as root [1], which allows GNOME Keyring to use secure memory (e.g. not swap), however this is easily mitigated by not using swap or using encrypted swap.
The NixOS module also adds the appropriate D-Bus service definitions to the session bus.
To manage credentials, you can use the Seahorse (seahorse) application.
KDE Wallet
When using KDE via services.desktopManager.plasma6.enable, KDE Wallet is enabled automatically.
 |
This article or section needs expansion.
Reason: Missing standalone usage instructions. (Discuss in Talk:Secret Service#)
Please consult the pedia article metapage for guidelines on contributing. |
KeePassXC
KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.
Databases needs to be configured for Secret Service integration by opening their settings, opening the Secret Service Integration tab and selecting a group for Secret Service entries.
|
This article or section needs expansion.
Reason: Missing socket activation instructions. (Discuss in Talk:Secret Service#)
Please consult the pedia article metapage for guidelines on contributing. |
pass-secret-service
Add the following to your Home Manager configuration:
home.nix
services.pass-secret-service.enable = true;
OR
Add the following to your NixOS configuration:
/etc/nixos/configuration.nix
services.passSecretService.enable = true;
Secret portal
Secret portals are portals in the XDG Desktop Portal specification, which allows applications to get a per-application master secret. I (axka) don't know of any applications requiring this, and to my knowledge the only provider is GNOME Keyring, which can be added to xdg.portal.extraPortals in Home Manager. NixOS enables this automatically when GNOME Keyring is enabled. Adding gnome-keyring will also add XDG autostart definitions, but unless you have gnome-keyring installed on NixOS, they won't be enabled (i.e. /run/wrappers/bin/gnome-keyring-daemon won't work).
Auto-decrypt on login
The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring, however the Home Manager module does not and as such you should add the following code to your NixOS configuration:
/etc/nixos/configuration.nix
security.pam.services.login.enableGnomeKeyring = true;
The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable.
Usually you want to configure the login service, but greetd, su and sshd are also available. GDM and LightDM can be configured with login, while greetd cannot (
#357201).
The login password is used to decrypt the wallet/keyring.
Troubleshooting
gkr-pam: couldn't unlock the login keyring.
This error happens when the PAM module, for some reason, can't unlock the login keyring. This may be for example because it can't connect to the daemon, which should have been started by the PAM module with the message gkr-pam: gnome-keyring-daemon started properly. Try logging out and back in or restarting.
gkr-pam: unable to locate daemon control file
This error happens when the PAM module can't find the daemon's control socket. Very likely it will start a daemon and retry the action which requires a daemon, and stop the daemon when the PAM session closes.
discover_other_daemon: 0 with --start
This error happens when a gnome-keyring-daemon process with the --start flag either could not send GKD_CONTROL_OP_INITIALIZE to a control socket or got a failing result.
discover_other_daemon: 1 with --start
This log message gets printed when a gnome-keyring-daemon process with the --start flag successfully sent GKD_CONTROL_OP_INITIALIZE to a control socket.