Update: the Linux kernel has a keyring facility of its own, see keyrings(7): http://man7.org/linux/man-pages/man7/keyrings.7.html . What is still missing is a good UI on top of it.
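As an added example (my code, not from the page nor from any keyring project), here is the kernel keyring driven through the raw add_key(2)/keyctl(2) syscalls: a secret is stored in the process keyring, its permission mask is pinned so that only a possessor of the key may read it, it is read back, then revoked. The constants are copied from linux/keyctl.h and keyutils.h so no libkeyutils is needed; the description "keyring-demo" and the secret value are made up. It is Linux only, and returns 2 instead of failing where the syscalls are filtered (Docker's default seccomp profile blocks add_key and keyctl).

```c
/* Added example (not from the page): store a secret in the Linux kernel
 * keyring with the raw add_key(2) / keyctl(2) syscalls, restrict it so that
 * only a process that possesses the key (here through its own process
 * keyring) may read it, read it back, and revoke it.  Constants are copied
 * from <linux/keyctl.h> and <keyutils.h> so libkeyutils is not required.
 * Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

typedef int32_t key_serial_t;

#define KEY_SPEC_PROCESS_KEYRING (-2L)  /* per-process keyring, created on demand */
#define KEYCTL_REVOKE   3L
#define KEYCTL_SETPERM  5L
#define KEYCTL_READ     11L

/* Permission mask bytes, most to least significant: possessor, owner uid,
 * owner gid, other.  Each byte holds VIEW READ WRITE SEARCH LINK SETATTR. */
#define KEY_POS_ALL     0x3f000000UL
#define KEY_USR_VIEW    0x00010000UL
#define KEY_USR_SEARCH  0x00080000UL

static int keyring_unavailable(void)
{
    /* Non-Linux kernel, seccomp filter (Docker blocks add_key/keyctl by
     * default) or a key quota: the demo cannot run in this environment. */
    return errno == ENOSYS || errno == EPERM || errno == EACCES || errno == EDQUOT;
}

/* Returns 0 when the secret survives the round trip, 2 when the kernel
 * keyring is unavailable here, 1 on any other failure (e.g. a mismatch). */
int keyring_demo(void)
{
    /* constructed test value, not a real credential */
    static const char secret[] = "correct horse battery staple";
    char readback[64];
    long n;

    key_serial_t key = (key_serial_t)syscall(SYS_add_key, "user", "keyring-demo",
                                             secret, sizeof secret - 1,
                                             KEY_SPEC_PROCESS_KEYRING);
    if (key < 0)
        return keyring_unavailable() ? 2 : 1;

    /* Pin the policy: the possessor keeps all rights, the owning uid may only
     * list and search.  Another process of the same user that learns the
     * serial therefore cannot KEYCTL_READ the payload: it does not possess
     * the key and the uid byte grants no READ. */
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, (long)key,
                KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_SEARCH) < 0)
        return keyring_unavailable() ? 2 : 1;

    /* Read back through possession of the process keyring. */
    n = syscall(SYS_keyctl, KEYCTL_READ, (long)key, readback, sizeof readback);
    int ok = n == (long)(sizeof secret - 1) && memcmp(readback, secret, (size_t)n) == 0;

    /* Revoke: the key becomes unreadable at once and is garbage collected. */
    syscall(SYS_keyctl, KEYCTL_REVOKE, (long)key);
    return ok ? 0 : 1;
}

int main(void)
{
    int r = keyring_demo();
    printf("kernel keyring demo: %s\n", r == 0 ? "ok" : r == 2 ? "unavailable" : "FAILED");
    return r;
}
```

Build with cc -o keyring-demo keyring-demo.c and run it. The property worth noticing: another process of the same uid that learns the serial (keys with VIEW show up in /proc/keys) still cannot read the payload, because it does not possess the key; that is the "only a limited set of processes" property a keyring is supposed to give, enforced by the kernel rather than by a daemon in user space.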
A keyring is a process started at user-session login that holds all of the user's secret keys. It is responsible for keeping those keys safe and for controlling access to them, granting it only to a limited set of processes.
The keyring should run in an address space that other programs in the user's session cannot read or write, otherwise any process of that user can tamper with, or simply dump, the keys. On Linux that also means protecting the keyring process against ptrace from the same uid (marking itself non-dumpable with prctl(PR_SET_DUMPABLE, 0), or relying on Yama's ptrace_scope), since a same-uid debugger can otherwise read its memory.
Both Windows and macOS ship a keyring service (Credential Manager/DPAPI and the Keychain). macOS goes further: part of the keychain's functionality is backed by a dedicated security chip (the Secure Enclave), so those keys are never exposed in host memory at all, which takes a whole class of memory attacks off the table.
Gnome provides a keyring. Unfortunately it is broken in many ways:
KDE has its own keyring as well (KWallet).
It seems to be tied to KDE and thus not usable by other desktop environments.
TODO: add more details
Both support KWallet and Gnome Keyring. If neither is available they fall back on plain text files!
Supports both KWallet and Gnome Keyring. System-wide network configurations are stored as plain text.
Another option is to rely on hardware keys. Those typically have very limited storage, so they hold a handful of keys rather than an entire key store.
The daemon hands over a read-only memory region that contains the secret.
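An added example of that hand-over on Linux (my code, not from the page nor from any of the keyrings it lists): the daemon writes the secret into a memfd, seals it with F_SEAL_WRITE and friends, and passes the descriptor to the client over a Unix socket with SCM_RIGHTS; the client can then map it PROT_READ, while the kernel refuses any writable shared mapping or write(). The daemon/client roles, the socketpair standing in for a real listening socket, and the secret value are all assumptions of the demo; it needs Linux 3.17+ and glibc 2.27+ (memfd_create, F_ADD_SEALS).

```c
/* Added example, not code from the page or from any keyring project: a "daemon"
 * puts a secret in a memfd, seals it against every modification and hands the
 * descriptor to a "client" over a Unix socket (SCM_RIGHTS); the client can only
 * map it read-only. Names and the secret are made up. Linux 3.17+/glibc 2.27+. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Daemon side: write the secret, then seal it so nobody can resize or write it. */
static int make_sealed_secret(const void *secret, size_t len)
{
    int fd = memfd_create("sealed-secret", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (write(fd, secret, len) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Descriptor passing: the single payload byte is what the SCM_RIGHTS cmsg rides on. */
static int send_fd(int sock, int fd)
{
    char byte = 'S';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock)
{
    char byte; int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;
    if (recvmsg(sock, &msg, 0) != 1 || (c = CMSG_FIRSTHDR(&msg)) == NULL ||
        c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Client side: writable mapping and write() must fail with EPERM (F_SEAL_WRITE);
 * a read-only mapping shows the secret. Returns 0 on success. */
static int client_read_secret(int fd, const void *expect, size_t len)
{
    struct stat st;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size != len) return -1;
    void *w = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (w != MAP_FAILED) { munmap(w, len); return -1; }
    if (write(fd, "x", 1) != -1 || errno != EPERM) return -1;
    void *ro = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (ro == MAP_FAILED) return -1;
    int same = memcmp(ro, expect, len) == 0;
    munmap(ro, len);
    return same ? 0 : -1;
}

/* Whole exchange over a socketpair standing in for the daemon's listening socket.
 * Returns 0 on success, 2 if memfd sealing is unavailable here, 1 otherwise. */
int handover_demo(void)
{
    static const char secret[] = "hunter2";   /* constructed value */
    size_t len = sizeof secret - 1;
    int sv[2], cfd = -1;
    int sfd = make_sealed_secret(secret, len);
    if (sfd < 0) return (errno == ENOSYS || errno == EPERM) ? 2 : 1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if (send_fd(sv[0], sfd) == 0)       /* daemon hands the region over ...   */
        cfd = recv_fd(sv[1]);           /* ... and the client receives it     */
    close(sfd); close(sv[0]); close(sv[1]);   /* daemon drops its own reference */
    if (cfd < 0) return 1;
    int rc = client_read_secret(cfd, secret, len);
    close(cfd);
    return rc == 0 ? 0 : 1;
}

int main(void)
{
    int r = handover_demo();
    printf("sealed memfd handover: %s\n", r == 0 ? "ok" : r == 2 ? "unavailable" : "FAILED");
    return r;
}
```

The seals guarantee integrity of the region (nobody, the daemon included, can change it afterwards), not confidentiality: once mapped, the secret lives in the client's address space and is readable by anything that can ptrace the client, so the client should munmap it as soon as it is done with it.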
Handles:
Integrates with:
Agent forwarding: the socket is created on the target host, with the authentication requests made on it relayed back to the agent, and is handed to client programs there through the SSH_AUTH_SOCK environment variable.
SSH_AUTH_SOCK
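The exchange a program on the target then performs over that socket, as an added example (my code, not from the page and not OpenSSH code): it builds the SSH_AGENTC_REQUEST_IDENTITIES frame by hand and parses the SSH_AGENT_IDENTITIES_ANSWER with bounds checks, so a truncated or hostile reply is rejected instead of walking past the buffer. The message numbers are those of the OpenSSH agent protocol; the sample answer bytes, the placeholder key blobs and the comment "alice@laptop" in it are constructed for the demo.

```c
/* Added example (not from the page or from OpenSSH): the first exchange a program on
 * the target makes over SSH_AUTH_SOCK, with the request frame built by hand and the
 * answer parsed with bounds checks. The sample answer bytes are constructed. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define SSH_AGENTC_REQUEST_IDENTITIES 11
#define SSH_AGENT_IDENTITIES_ANSWER   12

static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Request frame: uint32 length (1), byte type (11). Returns the bytes written. */
size_t build_request_identities(uint8_t out[5])
{
    out[0] = out[1] = out[2] = 0; out[3] = 1; out[4] = SSH_AGENTC_REQUEST_IDENTITIES;
    return 5;
}

/* Parses an IDENTITIES_ANSWER body (after the 4-byte frame length): byte 12,
 * uint32 nkeys, then nkeys x (string key_blob, string comment). Every length is
 * checked against the bytes left before it is consumed. Returns the key count,
 * or -1 if malformed; copies the first key's comment out when a buffer is given. */
long parse_identities_answer(const uint8_t *body, size_t len, char *first_comment, size_t clen)
{
    if (len < 5 || body[0] != SSH_AGENT_IDENTITIES_ANSWER) return -1;
    uint32_t n = get_u32(body + 1);
    size_t off = 5;
    for (uint32_t i = 0; i < n; i++) {
        for (int field = 0; field < 2; field++) {   /* 0: key blob, 1: comment */
            if (len - off < 4) return -1;
            uint32_t flen = get_u32(body + off);
            off += 4;
            if (flen > len - off) return -1;         /* never trust the declared length */
            if (field == 1 && i == 0 && first_comment != NULL && clen > 0) {
                size_t c = flen < clen - 1 ? flen : clen - 1;
                memcpy(first_comment, body + off, c);
                first_comment[c] = '\0';
            }
            off += flen;
        }
    }
    return off == len ? (long)n : -1;   /* trailing bytes are a protocol error */
}

/* Constructed answer: two keys, comments "alice@laptop" and "" (the blob bytes are
 * placeholders; a real blob starts with the key type string). */
static const uint8_t sample_answer[] = {
    12, 0, 0, 0, 2,
    0, 0, 0, 2, 'k', '1',
    0, 0, 0, 12, 'a', 'l', 'i', 'c', 'e', '@', 'l', 'a', 'p', 't', 'o', 'p',
    0, 0, 0, 3, 'k', '2', '2',
    0, 0, 0, 0,
};

static int read_full(int fd, uint8_t *buf, size_t n)
{
    for (ssize_t r; n > 0; buf += r, n -= (size_t)r)
        if ((r = read(fd, buf, n)) <= 0) return -1;
    return 0;
}

/* Against a live agent: the number of keys it holds, or -1 without SSH_AUTH_SOCK
 * or on any protocol error. */
long agent_count_identities(void)
{
    const char *path = getenv("SSH_AUTH_SOCK");
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    uint8_t req[5], hdr[4];
    static uint8_t body[65536];        /* answers above 64 KiB are rejected */
    long result = -1;
    if (path == NULL || strlen(path) >= sizeof sa.sun_path) return -1;
    strcpy(sa.sun_path, path);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) return -1;
    size_t rl = build_request_identities(req);
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == 0 && write(s, req, rl) == (ssize_t)rl &&
        read_full(s, hdr, 4) == 0) {
        uint32_t blen = get_u32(hdr);
        if (blen > 0 && blen <= sizeof body && read_full(s, body, blen) == 0)
            result = parse_identities_answer(body, blen, NULL, 0);
    }
    close(s);
    return result;
}

int main(void)
{
    char comment[64];
    long n = parse_identities_answer(sample_answer, sizeof sample_answer, comment, sizeof comment);
    printf("sample answer: %ld keys, first comment \"%s\"\n", n, comment);
    printf("live agent: %ld keys\n", agent_count_identities());
    return 0;
}
```

Anyone on the target who can open the forwarded socket (root, or a process running as your uid) can send the same requests, including signing requests, for as long as the session is up; that is why agent forwarding should only be enabled towards hosts you trust.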
https://developer.gnome.org/gnome-keyring/stable/gnome-keyring-Simple-Password-Storage.html
https://www.vaultproject.io/api/
https://api.kde.org/frameworks/kwallet/html/index.html
https://developer.apple.com/documentation/security/keychain_services