veilid/scripts/earthly/secretsd/README.md

42 lines
2.1 KiB
Markdown
Raw Permalink Normal View History

2022-01-09 20:17:36 +00:00
# secretsd
This is a generic backend for the libsecret API, used by various programs to store passwords and similar secrets. It mostly implements the [Secret Service API][api] specification, to act as an alternative to gnome-keyring-daemon and kwalletd.
![badge: "works on my machine"](https://img.shields.io/badge/works%20on%20my%20machine-yes-green.svg?style=flat)
[api]: https://specifications.freedesktop.org/secret-service/latest/
## Dependencies
* python-cryptography
* python-dbus
* python-gobject (3.x)
* python-xdg
## Installation
secretsd is a user-level daemon which uses your D-Bus "session bus". It could be manually started through `systemd --user`:
cp systemd/secretsd.service ~/.config/systemd/user/
systemctl --user start secretsd
or automatically started on demand through D-Bus activation:
cp systemd/secretsd.service ~/.config/systemd/user/
cp dbus/org.freedesktop.secrets.service ~/.local/share/dbus-1/services/
## Security
Secretsd does not aim to provide complete security like a modern password manager would; it only aims to allow using the libsecret API instead of ad-hoc loading of plaintext passwords from `~/.netrc` or similar files, but still relies on external protection for those files. In particular, item titles and attributes are **not** encrypted.
For now, all secrets are encrypted using a single "database key", which is stored in a regular file by default but can be provided through an environment variable, KWallet, or read from an external program. To specify the key source:
secretsd -k file:${CREDENTIALS_DIRECTORY}/secrets.key
secretsd -k env:DATABASE_KEY
secretsd -k kwallet:
secretsd -k exec:"pass Apps/secretsd"
2023-08-22 00:55:22 +00:00
(As secretsd is supposed to be a background service, it is strongly advised to _not_ use an external program which would show interactive prompts. And in particular avoid those which use GnuPG pinentry or otherwise make use of libsecret, for hopefully obvious reasons.)
2022-01-09 20:17:36 +00:00
Individually encrypted collections are not yet supported, but planned in the future. (This will most likely be a fully separate layer of encryption, in addition to the database key.)