10

There are plenty of tools working with keyrings: ssh-agent, gpg-agent, gnome-keyring, kwallet, wrappers like keychain, keyctl talking to the GNU/Linux kernel. There are various recommendations on how/when to start them, tailored for different environments.

This makes it rather confusing. I'm using a modern GNU/Linux distro with systemd and I start my user session with systemd --user as well. I expect this setup to last decades, so I wonder what's the best way to get a keyring into the picture?

The main use-case is to store passwords from chromium/firefox in one consolidated place.

Shall I start keychain from my user shell autostart script (I use fish as interactive and dash as login shell, if that matters)? Right now "gnome-keyring-daemon --daemonize --login" is spawned via PAM. Shall I start "gnome-keyring --start" from a user systemd unit? Is there some dbus service which would start some keyring daemon upon first request?

The list of questions goes on, but you get the idea - what is the right way to get keyring-as-a-service?

god
  • 451
  • 1
  • 4
  • 14
  • Note that `ssh-agent` and `keychain` are for SSH keys only, `gpg-agent` can be used for GPG keys and optionally also for SSH keys, `gnome-keyring` and `kwallet` aim to be generic password/key/secret management systems for Gnome and KDE desktop environments respectively, and `keyctl` is for kernel-level key management which can be used for various purposes, including kernel module authentication to conform to Secure boot requirements. In other words, most of these are completely separate systems; among those listed, only `gnome-keyring` and `kwallet` are fully general-purpose. – telcoM Feb 02 '19 at 11:11

2 Answers

2

On my machine (Debian unstable) ssh-agent and gpg-agent have their own systemd user service/socket files. That means that they should be started when the user logs in, or be activated the first time an application tries to access them.

Regarding gnome-keyring, there is (ATM?) no such systemd file and gnome-keyring is started both by PAM (as you mentioned) and by a .desktop file located in /etc/xdg/autostart/. The services located there should be started by your session manager (gnome-session, ...).

I see on Debian a package called obsession that contains a /usr/bin/xdg-autostart. I personally never used that tool, but it might help you to manually start the needed components if you are not using a session manager that supports the XDG specification.

Bigon
  • 2,062
  • 16
  • 19
0

There are different ways to start gnome-keyring (or any other keyring service).

  1. Via a systemd user service, this would be in a file gnome-keyring.service in /etc/systemd/user/ (file using the systemd configuration syntax)
  2. Via a DBUS automatically startable service, this would be in a file org.gnome.keyring.service in /usr/share/dbus-1/services/ (file using the DBUS configuration syntax).
  3. Via an XDG autostart file, this would be gnome-keyring.desktop in /etc/xdg/autostart/ or $HOME/.config/autostart
  4. Via your session manager, where the config depends on the manager (eg in LXDE, property keyring/command in .config/lxsession/LXDE/desktop.conf)

None is fundamentally better.

Many distros have multiple options in place, so it's hard to know which one is taken into account. Usually DBUS before systemd before XDG before session manager, but that may vary.

Martin Monperrus
  • 1,221
  • 3
  • 12
  • 20
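The two answers above list the launchers that can start a keyring daemon (systemd user units, D-Bus activation files, XDG autostart entries) and note that several of them are often installed side by side. The script below is an added example, not part of either answer, that enumerates which of those launchers would fire for a given daemon on a given filesystem tree, and flags the one case the XDG autostart spec lets a user silently change: a same-named file in $HOME/.config/autostart overrides the system entry, and Hidden=true there disables it. The directory list (/etc/systemd/user, /usr/lib/systemd/user, ~/.config/systemd/user, /usr/share/dbus-1/services, ~/.local/share/dbus-1/services, /etc/xdg/autostart, ~/.config/autostart) and the sample tree built by make_sample_tree are this example's own assumptions; the sample files are constructed to mirror the Debian layout described in the first answer and are not copies of real package files.

```shell
#!/bin/sh
# Added example: list every launcher that could start a keyring daemon.
# keyring_launchers NAME ROOT HOME_DIR
#   NAME     substring matched against the file name or its Exec line
#   ROOT     prefix for system paths ("" for the live system)
#   HOME_DIR the user's home, where per-user overrides live
# Output: mechanism, file, and Exec line (or the reason it is inactive),
# tab-separated, one launcher per line.

exec_line() {
    # First Exec= (desktop/dbus files) or ExecStart= (systemd units) value.
    sed -n -e 's/^Exec=//p' -e 's/^ExecStart=//p' "$1" | head -n 1
}

matches() {
    # $1 = NAME, $2 = file: true if the file name or its Exec line names it.
    case "$(basename "$2")" in *"$1"*) return 0 ;; esac
    exec_line "$2" | grep -q -- "$1"
}

keyring_launchers() {
    name=$1; root=$2; home=$3
    # 1. systemd user units: started at login or socket-activated.
    for d in "$root/etc/systemd/user" "$root/usr/lib/systemd/user" \
             "$home/.config/systemd/user"; do
        for f in "$d"/*.service; do
            [ -f "$f" ] && matches "$name" "$f" || continue
            printf 'systemd-user\t%s\t%s\n' "$f" "$(exec_line "$f")"
        done
    done
    # 2. D-Bus activation files: the daemon starts on the first request
    #    for the bus name, whether or not the session manager knows it.
    for d in "$root/usr/share/dbus-1/services" \
             "$home/.local/share/dbus-1/services"; do
        for f in "$d"/*.service; do
            [ -f "$f" ] && matches "$name" "$f" || continue
            printf 'dbus\t%s\t%s\n' "$f" "$(exec_line "$f")"
        done
    done
    # 3. XDG autostart: a file of the same name in $HOME/.config/autostart
    #    takes precedence over /etc/xdg/autostart; Hidden=true disables it.
    for f in "$root/etc/xdg/autostart"/*.desktop "$home/.config/autostart"/*.desktop; do
        [ -f "$f" ] && matches "$name" "$f" || continue
        override="$home/.config/autostart/$(basename "$f")"
        case "$f" in
            "$root/etc/xdg/autostart"/*)
                if [ -f "$override" ]; then
                    printf 'xdg-autostart\t%s\t(overridden by %s)\n' "$f" "$override"
                    continue
                fi ;;
        esac
        if grep -q '^Hidden=true' "$f"; then
            printf 'xdg-autostart\t%s\t(disabled: Hidden=true)\n' "$f"
        else
            printf 'xdg-autostart\t%s\t%s\n' "$f" "$(exec_line "$f")"
        fi
    done
}

active_launcher_count() {
    # Number of launchers that would actually run (overridden/hidden excluded).
    keyring_launchers "$@" | grep -v -c -e '(overridden' -e '(disabled'
}

make_sample_tree() {
    # Constructed sample tree (not a dump of a real system): no systemd unit
    # for gnome-keyring, a D-Bus activation file for the secrets service, a
    # system autostart entry, and a user override that hides it; gpg-agent
    # gets a systemd user unit. Paths and Exec lines are assumptions.
    t=$1
    mkdir -p "$t/usr/lib/systemd/user" "$t/usr/share/dbus-1/services" \
             "$t/etc/xdg/autostart" "$t/home/.config/autostart"
    printf '[Service]\nExecStart=/usr/bin/gpg-agent --supervised\n' \
        > "$t/usr/lib/systemd/user/gpg-agent.service"
    printf '[D-BUS Service]\nName=org.freedesktop.secrets\nExec=/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets\n' \
        > "$t/usr/share/dbus-1/services/org.freedesktop.secrets.service"
    printf '[Desktop Entry]\nName=Secret Storage Service\nExec=/usr/bin/gnome-keyring-daemon --start --components=secrets\n' \
        > "$t/etc/xdg/autostart/gnome-keyring-secrets.desktop"
    printf '[Desktop Entry]\nHidden=true\n' \
        > "$t/home/.config/autostart/gnome-keyring-secrets.desktop"
}

# Live-system use (sourced in an interactive shell):
#   keyring_launchers gnome-keyring "" "$HOME"
```

Running it against the constructed tree reports the D-Bus file as the only active gnome-keyring launcher, the system autostart entry as overridden, and the user entry as disabled; that is the first place to look when, as the second answer says, several mechanisms are installed and it is unclear which one is actually starting the daemon. Session-manager specific configuration (the fourth option in the second answer) is not covered because its location differs per manager.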