$ zimbatm

Linux needs a Keyring program

A keyring is a process that is started at user-session login and holds all of the user's secret keys. It is responsible for securing those keys and for controlling which of the user's processes may access them.

The keyring should run outside of the user's own address space, ideally under a separate uid, so that other programs running in the same session cannot read or tamper with it. Without that separation a process of the same uid can attach to the daemon with ptrace and read its memory, unless the kernel restricts same-uid ptrace.

Desired capabilities

Current state of things

Both Windows and macOS ship a keyring service (Credential Manager and Keychain respectively). macOS goes further by anchoring part of the keychain in a dedicated security chip, the Secure Enclave, so that keys protected by it are never exposed in main memory and cannot be extracted by memory attacks.

Gnome Keyring

Gnome provides a keyring. Unfortunately it is broken in many ways:

KWallet

KDE has its own keyring as well.

It appears to be tied to KDE and is therefore not readily usable from other desktop environments.

TODO: add more details

Firefox / Google Chrome

Chrome supports both KWallet and Gnome Keyring. When neither is available it falls back to an on-disk store whose encryption key is a fixed constant, which is no better than plain text! Firefox does not use either keyring: it keeps logins in its own profile database, and the key protecting them is itself unprotected unless the user sets a primary password.

Network Manager

User-scoped secrets are stored by the desktop's secret agent, so nm-applet uses Gnome Keyring and plasma-nm uses KWallet. System-wide connections (including their Wi-Fi passphrases) are stored as plain text under /etc/NetworkManager/system-connections, protected only by root-only file permissions.

Hardware keys

Another option is to keep the secrets on hardware keys (smart cards, YubiKeys and the like). The key material never leaves the device, but such devices typically have very limited storage, so they can hold a handful of keys rather than every password a user has.

keyring.sh

The daemon hands over a read-only memory region that contains the secret.

Handles:

Integrates with:

Get socket (username, hostname:port)

Opens the connection to the target and performs the authentication on the client's behalf, then hands the connected socket over to the client, so the credential itself never enters the client's address space.

SSH_AUTH_SOCK

Get password (username, hostname:port)

Set password (username, hostname:port, password)

Protocols

https://developer.gnome.org/gnome-keyring/stable/gnome-keyring-Simple-Password-Storage.html

https://www.vaultproject.io/api/

https://api.kde.org/frameworks/kwallet/html/index.html

https://developer.apple.com/documentation/security/keychain_services

 _____
< EOF >
 -----
       \     (\/)
        \   (_o |
             /  |
             \  \______
              \        )o
               /|----- |
               \|     /|