-------------------------------------------------------------------------------
Gnome Keyring

This is a daemon that holds an encrypted data store open, so that you have
access to passwords or other secrets, at least for as long as the user is
logged in. For example passwords for web pages, network VPN connections, or
logins on other computers.

This is a more permanent store (password vault), as it is saved to disk, so
it can keep secrets between sessions, and it has no timeout facility for the
'secrets' being stored.

The password to unlock the encrypted store is typically the user's login
password, though that can be bypassed by setting an empty password (in which
case the keyring file is written to disk unencrypted).

It also relies on the 'dbus' interprocess communication system being active.
That is started as part of the gnome session setup, so it only works while
the user is logged in. Consequently, unless you are running gnome, and doing
so on the console of the system, the gnome keyring can prove tricky to use
(or to avoid using, in some situations!). That is, it does not work well when
you login to/from a remote system, or from a non-gnome environment, only from
a console login to a linux desktop.

More info
  https://wiki.gnome.org/Projects/GnomeKeyring/SecurityFAQ

-------------------------------------------------------------------------------
Tools

  seahorse             GUI management of gnome keyring
  secret-tool          CLI access via "dbus"   ***installed***   RPM: libsecret
  gnome-keyring-cli    CLI for querying passwords
                       https://github.com/drafnel/gnome-keyring-cli
  Python 'keyring' module, for CLI and python scripts.

Some C commands, using the libgnome-keyring library
  https://unix.stackexchange.com/questions/453459/
  https://github.com/intika/gnome-keyring-tools

The keyring files themselves are located in
  ~/.local/share/keyrings/

Often, when you have troubles, many guides will say to delete the keyring
files in ~/.local/share/keyrings/  Note that this destroys every secret
stored in them; a new (empty) keyring is created at the next login.

-------------------------------------------------------------------------------
Initialization

Is the key ring locked...
=======8<--------
#!/usr/bin/env python
# Python 2 only: 'gnomekeyring' is the old, deprecated binding.
import gnomekeyring
print gnomekeyring.get_info_sync(gnomekeyring.get_default_keyring_sync()).get_is_locked()
=======8<--------

Unlocking the keyring on login (PAM).
This also does the work of ssh-agent, so your local ssh keys are unlocked.

Pam login interface (using the login password)...

  /etc/pam.d/{gdm-autologin,gdm-password,gdm-pin,lightdm}
    auth     optional  pam_gnome_keyring.so
    session  optional  pam_gnome_keyring.so auto_start

  /etc/pam.d/passwd
    password optional  pam_gnome_keyring.so use_authtok

Xinitrc
  ~/.xinitrc
    eval $(dbus-launch "--sh-syntax")
    eval $(gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
    export SSH_AUTH_SOCK

Then the ssh keys held by the agent can be listed using
  ssh-add -L
or all of them removed from the agent using
  ssh-add -D

To permanently save the ssh key passphrase
  /usr/lib/seahorse/seahorse-ssh-askpass my_key

Unlocking keyring manually

If you can find the package "pam-keyring"
  echo PASSWORD | /usr/libexec/pam-keyring-tool --keyring=login -u -s

Remove all existing passwords
  rm ~/.local/share/keyrings/login.keyring
Logout and log back in (when using automatic login)
OR (during startup)...
  echo password | /usr/libexec/pam-keyring-tool --unlock --keyring=default -s

If the password is made blank, the secrets will be stored unencrypted.

Seahorse is a good tool for gnome keyring handling.

-------------------------------------------------------------------------------
Script use...

Python -- Requires a module not installed by default...

  # Store a secret "doPAT" into the 'login' keyring...
  python -c "import keyring; keyring.set_password('login', 'doPAT', 'this_is_the_secret')"

  # Get the secret (within some application)
  python -c "import keyring; print(keyring.get_password('login', 'doPAT'))"

  # Get the secret as JSON (for example in terraform)
  python -c "import keyring,json; print(json.dumps({'secret': keyring.get_password('login', 'doPAT')}))"

See Using keyring secrets in Terraform
  https://gist.github.com/emteeoh/fe24a6119375f937b79dbc5a32da2dd3

secret-tool

  # secret-tool store --label='English Description' {attr} {value} ...
  #    Password:  ...no-echo secret...
  #
  # secret-tool lookup {attr} {value} ...
  # secret-tool search [--all] {attr} {value} ...
  # secret-tool clear {attr} {value} ...
  #
  # The attribute and values can be ANYTHING, to allow for any type of
  # organization and lookup method desired.
  #
  # NOTE: a trailing newline will be included in the secret if it is fed in
  # via stdin with "echo"; use "echo -n" or printf '%s' to avoid that.

  echo -n testing | secret-tool store --label='Testing KeyRing' Anything Some_Value

  secret-tool search --all anything somevalue
    [/org/freedesktop/secrets/collection/login/23]
    label = Testing KeyRing
    secret = testing
    created = 2019-03-13 05:43:12
    modified = 2019-03-13 05:43:12
    schema = org.freedesktop.Secret.Generic
    attribute.Anything = Some_Value

  # The GUI (seahorse) lists items by the english description (label).
  # The 'Details' part will show you the lookup attribute,value pairs.
  # You can search on ANY of the attribute,value pairs.
  # BUT "lookup" returns only the first one matched!
  # Unless you search with more attribute,value pairs.
  #
  # Use "secret-tool search --all" to verbosely find all matches...
  echo passwd | secret-tool store --label='Testing' \
       server testing.com  user xyzzy  key password
  echo data | secret-tool store --label='Testing' \
       server testing.com  user xyzzy  key secret_data

  # Both items share "server" and "user", so a lookup by either returns
  # whichever item is found first, not necessarily the one you want.
  secret-tool lookup server testing.com
    data
  secret-tool lookup user xyzzy
    data
  # Only the "key" attribute distinguishes them...
  secret-tool lookup key password
    passwd

  # Clear
  secret-tool clear anything somevalue
  secret-tool clear key password
  secret-tool clear key secret_data

Example use of "secret-tool"

Network Manager Password (for VPN)

To find how the VPN saves the password using the key ring, you will need to
use "seahorse" to get the "Details" of the stored information. EG:
  setting-key      password
  setting-name     vpn
  connection-uuid  {uuid of the connection}

You can then use these 'attribute,value' pairs to lookup the secret (in this
case the VPN password). NOTE that more than one 'attribute,value' pair may be
needed to uniquely identify the secret, as other saved connections can share
the same setting-key and setting-name.

  secret-tool lookup setting-key password
  secret-tool lookup setting-name vpn
  secret-tool lookup connection-uuid {uuid of connection}

Or get all the info about the secret
  secret-tool search --all setting-name vpn

Alternative, just save the password using your own 'attribute,value' pair,
and look it up as needed.
  secret-tool store --label='vpn' VPN this_vpn

Convert the password into a password file and pass it to the VPN startup...
(nmcli reads "setting.property:value" lines from the given file, here stdin)
  printf 'vpn.secrets.cert-pass:%s\n' "$(secret-tool lookup VPN this_vpn)" |
    nmcli connection up {connection} passwd-file /dev/fd/0

Other...
  # Using...  https://launchpad.net/gkeyring
  # retrieve
  #   server, protocol, username
  gkeyring.py get -s myserver.com -p ftp -u user

-------------------------------------------------------------------------------
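The "only the first match is returned" caveat above bites whenever several
items share an attribute (two test items with the same server/user, or several
VPN connections all stored with setting-name vpn). The script below is an
added example, not part of these notes or of the secret-tool/libsecret
project: it parses the verbose "secret-tool search --all" listing into
records and picks the secret only when the given attribute,value pairs match
exactly one item, refusing (instead of silently guessing) when they are
ambiguous. The SAMPLE text is constructed to mirror the output format shown
on this page; the item paths, timestamps and values are illustrative, and the
lookup_secret() wrapper that shells out to the real secret-tool is this
example's own helper.

```python
#!/usr/bin/env python3
"""Select one secret out of `secret-tool search --all` output by matching
several attribute,value pairs at once, refusing ambiguous matches.

Added example (not from the original notes).  Needs an unlocked keyring and a
session D-Bus only for lookup_secret(); the parser and selector run offline."""
import subprocess

# Constructed sample of `secret-tool search --all server testing.com`:
# two items sharing server+user, differing only in the "key" attribute.
SAMPLE = """\
[/org/freedesktop/secrets/collection/login/23]
label = Testing
secret = passwd
created = 2019-03-13 05:43:12
modified = 2019-03-13 05:43:12
schema = org.freedesktop.Secret.Generic
attribute.server = testing.com
attribute.user = xyzzy
attribute.key = password

[/org/freedesktop/secrets/collection/login/24]
label = Testing
secret = data
created = 2019-03-13 05:43:30
modified = 2019-03-13 05:43:30
schema = org.freedesktop.Secret.Generic
attribute.server = testing.com
attribute.user = xyzzy
attribute.key = secret_data
"""


def parse_search_output(text):
    """Parse `secret-tool search --all` output into a list of dicts.

    Each dict carries 'path', 'label', 'secret', 'schema', ... plus an
    'attributes' sub-dict keyed by the name after "attribute.".  Lines are
    split on the first " = " only, so a secret containing " = " survives."""
    items = []
    cur = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            cur = {"path": line[1:-1], "attributes": {}}
            items.append(cur)
            continue
        if cur is None or " = " not in line:
            continue  # blank separator line, or text before the first item
        key, value = line.split(" = ", 1)
        if key.startswith("attribute."):
            cur["attributes"][key[len("attribute."):]] = value
        else:
            cur[key] = value
    return items


def select_secret(items, **attrs):
    """Return the secret of the single item whose attributes contain all of
    `attrs`.  LookupError if nothing matches; ValueError if more than one
    item matches, rather than returning the first hit as `lookup` does."""
    matches = [i for i in items
               if all(i["attributes"].get(k) == v for k, v in attrs.items())]
    if not matches:
        raise LookupError("no item matches %r" % (attrs,))
    if len(matches) > 1:
        raise ValueError("%d items match %r; add attributes to disambiguate: %s"
                         % (len(matches), attrs,
                            ", ".join(sorted(m["path"] for m in matches))))
    return matches[0]["secret"]


def lookup_secret(**attrs):
    """Run the real secret-tool (hypothetical wrapper; not exercised offline)
    and select unambiguously among everything it returns."""
    argv = ["secret-tool", "search", "--all"]
    for k, v in attrs.items():
        argv += [k, v]
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return select_secret(parse_search_output(out), **attrs)


if __name__ == "__main__":
    items = parse_search_output(SAMPLE)
    print(select_secret(items, server="testing.com", key="password"))  # passwd
    try:
        select_secret(items, server="testing.com", user="xyzzy")
    except ValueError as e:
        print("ambiguous:", e)
```

Run it as-is to see the constructed sample resolved and the ambiguous case
rejected; for real use call lookup_secret(setting_name="vpn", ...) style
keyword arguments with the attribute names as they appear in seahorse's
"Details" (note attribute names containing "-" such as connection-uuid must
be passed via a dict, e.g. select_secret(items, **{"connection-uuid": u})).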