Secret Service
Secret Service is an API on D-Bus to allow applications to store secrets securely.
Providers
Secret Service has many providers. Here's a list of a few of them.
- GNOME Keyring: GNOME-integrated daemon that stores credentials
- KDE Wallet (KWallet): KDE-integrated application that stores credentials
- KeePassXC (
keepassxc
): A password manager with optional Secret Service integration - pass-secret-service: D-Bus service to expose pass to Secret Service
GNOME Keyring
Add the following to your Home Manager configuration:
home.nix
services.gnome-keyring.enable = true;
home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter
OR
Add the following to your NixOS configuration:
/etc/nixos/configuration.nix
services.gnome.gnome-keyring.enable = true;
The NixOS module sets up gnome-keyring-daemon
to run as root [1], which allows GNOME Keyring to use secure memory (e.g. not swap), however this is easily mitigated by not using swap or using encrypted swap.
The NixOS module also adds the appropriate D-Bus service definitions to the session bus.
To manage credentials, you can use the Seahorse (seahorse
) application.
KDE Wallet
When using KDE via services.desktopManager.plasma6.enable
, KDE Wallet is enabled automatically.
KeePassXC
KeePassXC's Secret Service integration can be enabled by going into the settings, opening the Secret Service Integration tab and enabling it.
Databases needs to be configured for Secret Service integration by opening their settings, opening the Secret Service Integration tab and selecting a group for Secret Service entries.
pass-secret-service
Add the following to your Home Manager configuration:
home.nix
services.pass-secret-service.enable = true;
OR
Add the following to your NixOS configuration:
/etc/nixos/configuration.nix
services.passSecretService.enable = true;
Auto-decrypt on login
The NixOS module for GNOME Keyring enables its PAM module automatically via security.pam.services.*.enableGnomeKeyring
. The equivalent for KDE Wallet is security.pam.services.*.kwallet.enable
.
Usually you want to configure the login
service, but greetd
, su
and sshd
are also available. GDM and LightDM can be configured with login
, while greetd cannot (#357201).
The login password is used to decrypt the wallet/keyring.