-------------------------------------------------------------------------------
Caching Passwords

Basically holding a password in a keyring or memory between invocations of a
command so that it can be used again.

Examples...

Running a task needing a password multiple times in a very short space of time
can get very annoying for the user, who has to re-type the password each time.
Better to cache it for a short period of time, so as not to re-ask all the
time.

Usage Examples...

  * The "sudo" command.  This caches the 'credential' (the user has verified
    themselves) rather than the password itself.  That way another sudo
    command in the next 5 minutes does not require the user to type their
    password again.  See "timestamp_type" in man 5 sudoers, for details.

  * During system start up, where you may have multiple encrypted disk
    drives, and web services needing passwords to decrypt private security
    keys, or databases.  However you don't want such passwords stored on the
    file system, and only need them for a few minutes while the system
    starts up.  The "systemd" system (and its "systemd-ask-password" command)
    gets around this by caching the password in the "Linux Kernel Keyring",
    for a limited time, in kernel memory only.  So once the time interval has
    passed, or the system is powered off, the password is automatically gone.

  * User logins often need a whole host of different passwords over multiple
    sessions, for things like WiFi, VPN network passwords, SSH account
    passwords, or passwords for encrypted databases.  These passwords need to
    be remembered between sessions, so must be stored securely on disk.
    "Gnome Keyring" provides an encrypted storage of such passwords, in
    process memory, while the user is logged in.  It does not however offer a
    good means for limited time, temporary passwords.

  * When editing an encrypted file you would generally want to cache a
    password for a short period of time, but only for the duration of editing
    the file.  A password is entered to decrypt the file (which verifies the
    password), and by caching it the editor can then re-encrypt the file with
    the same password as needed, without needing to ask the user for the
    password again.  Re-asking for the password many times in this way is not
    only very annoying, but also error prone, as it is very easy for the user
    to mis-type the password (even if asked twice, due to bad 'finger
    memory'), after which they will be unable to decrypt the file.  Passwords
    need to be held securely while the file is being edited, for a limited
    time.

There are also many many remote password caching (manager) services,
particularly for the myriad of web pages and services.  These provide a
permanent secure store of passwords, not just for one machine but for
multiple machines and devices, like desktops, laptops, phones, pads, etc..
Services such as "LastPass", "Dashlane", "1Password", "NordPass" etc..  Though
these are for long term 'account' passwords, and not short term caching, and
thus are generally known as "password managers", rather than "password
caches".

-------------------------------------------------------------------------------
The password cache systems generally available under Linux are...

Linux Kernel Keyring    ***

  The "systemd-ask-password" command is used specifically during the boot
  process, to mount multiple encrypted disk partitions using the same
  password.  It holds the password such that only the user's processes have
  access, and can timeout the caching of the password after a period of time.
  It is purely memory based and does not continue between user sessions, or
  reboots.

  This also makes it ideal for the temporary 'caching' of passwords, such as
  when editing encrypted files.  And thus is what I use in 'vim' for editing
  encrypted files.

  For Kernel Keyring see...
    https://antofthy.gitlab.io/info/crypto/keyring_linux_kernal.txt
  For Vim encrypted file editing see...
    https://antofthy.gitlab.io/info/crypto/vim_encryption.txt
  And the vim auto command I use in...
    https://antofthy.gitlab.io/software/#encrypt.vim

Gnome Keyring

  This is a daemon holding an encrypted data store open, so that you have
  access to passwords or other secrets, at least for the duration the user is
  logged in.  For example passwords for web pages, network VPN connections, or
  logins on other computers.

  It is actually more like a password vault than a password caching service,
  in that the passwords are stored permanently in the keyring.  That is, the
  gnome keyring does not have any timeout facility.  So it is not a true
  password caching service, and yet many programs use it for this purpose.

  See https://antofthy.gitlab.io/info/crypto/keyring_gnome.txt

GPG Agent

  The "gpg" program provides its own daemon caching service, though useful
  information on how to use it has been difficult to find.  The "pinentry"
  password helper can also make use of this caching daemon.  Though HOW to
  use it is again difficult to determine.

-------------------------------------------------------------------------------
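As an added example (not from this page, nor from the linked keyring or vim notes), the following Python script does for the encrypted-file editing case what the Linux Kernel Keyring section above describes: it stores a password as a 'user' key in the session keyring with a timeout, reads it back, and shows that once the timeout has passed the kernel refuses to hand it out, so nothing ever touches disk.  It calls the add_key(2) and keyctl(2) syscalls directly through ctypes (the calls the "keyctl" tool wraps); the syscall numbers are those for x86_64 and aarch64 Linux, and the key description and password are constructed sample values.

```python
import ctypes
import errno
import platform
import time
# Syscall numbers differ per architecture: (add_key, keyctl).
NR_ADD_KEY, NR_KEYCTL = {"x86_64": (248, 250), "aarch64": (217, 219)}[platform.machine()]
KEY_SPEC_SESSION_KEYRING = -3  # keyring shared by this login session's processes
KEYCTL_REVOKE, KEYCTL_READ, KEYCTL_SET_TIMEOUT = 3, 11, 15
_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long

def _syscall(nr, *args):
    """Raw syscall; raises OSError carrying the kernel's errno on failure."""
    ret = _libc.syscall(ctypes.c_long(nr), *args)
    if ret < 0:
        raise OSError(ctypes.get_errno(), "keyring syscall %d failed" % nr)
    return ret

def cache_password(description, password, timeout_secs):
    """Store the password as a 'user' key in the session keyring and arm a timeout.
    The payload lives in kernel memory only; after timeout_secs every read is refused."""
    payload = password.encode()
    key_id = _syscall(NR_ADD_KEY, b"user", description.encode(), payload,
                      ctypes.c_size_t(len(payload)), ctypes.c_long(KEY_SPEC_SESSION_KEYRING))
    _syscall(NR_KEYCTL, ctypes.c_long(KEYCTL_SET_TIMEOUT), ctypes.c_long(key_id),
             ctypes.c_ulong(timeout_secs))
    return key_id

def read_cached_password(key_id):
    """Return the cached password, or None once it has expired or been revoked."""
    buf = ctypes.create_string_buffer(4096)
    try:
        n = _syscall(NR_KEYCTL, ctypes.c_long(KEYCTL_READ), ctypes.c_long(key_id),
                     buf, ctypes.c_size_t(len(buf)))
    except OSError as exc:
        if exc.errno in (errno.ENOKEY, errno.EKEYEXPIRED, errno.EKEYREVOKED):
            return None
        raise
    return buf.raw[:n].decode()

def forget_password(key_id):
    """Revoke at once (e.g. when the editor exits) rather than waiting for expiry."""
    _syscall(NR_KEYCTL, ctypes.c_long(KEYCTL_REVOKE), ctypes.c_long(key_id))

def demo(timeout_secs=1):
    """Cache, read back, wait past the timeout, read again (constructed sample values)."""
    key_id = cache_password("example:/tmp/notes.txt", "correct horse battery", timeout_secs)
    before = read_cached_password(key_id)
    time.sleep(timeout_secs + 1.2)
    return before, read_cached_password(key_id)  # ("correct horse battery", None)
```

Run `keyctl show @s` while the key is live to see it listed with its remaining lifetime; after expiry the read fails with EKEYEXPIRED, and the kernel's garbage collector later unlinks the dead key, after which the same read reports ENOKEY.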