Secret Service

From NixOS Wiki

Secret Service is an API on D-Bus to allow applications to store secrets securely.

Providers

Secret Service has many providers. Here's a list of a few of them.

  • GNOME Keyring: GNOME-integrated daemon that stores credentials
  • KDE Wallet (KWallet): KDE-integrated application that stores credentials
  • KeePassXC (keepassxc): A password manager with optional Secret Service integration
  • pass-secret-service: D-Bus service to expose pass to Secret Service

GNOME Keyring

Add the following to your Home Manager configuration:

home.nix
services.gnome-keyring.enable = true;
home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter

OR

Add the following to your NixOS configuration:

/etc/nixos/configuration.nix
services.gnome.gnome-keyring.enable = true;

The NixOS module sets up gnome-keyring-daemon to run as root [1], which allows GNOME Keyring to use secure memory (e.g. not swap), however this is easily mitigated by not using swap or using encrypted swap.

The NixOS module also adds the appropriate D-Bus service definitions to the session bus.

To manage credentials, you can use the Seahorse (seahorse) application.

KDE Wallet

When using KDE via services.desktopManager.plasma6.enable, KDE Wallet is enabled automatically.

KeePassXC

KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.

Databases needs to be configured for Secret Service integration by opening their settings, opening the Secret Service Integration tab and selecting a group for Secret Service entries.

pass-secret-service

Add the following to your Home Manager configuration:

home.nix
services.pass-secret-service.enable = true;

OR

Add the following to your NixOS configuration:

/etc/nixos/configuration.nix
services.passSecretService.enable = true;

Auto-decrypt on login

The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring. The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable.

Usually you want to configure the login service, but greetd, su and sshd are also available. GDM and LightDM can be configured with login, while greetd cannot (#357201).

The login password is used to decrypt the wallet/keyring.