Things tagged gpg

KeePassXC Secrets Service

13. 05. 2020

Since the update to (K)ubuntu “focal fossa”, the GPG pinentry dialog behaves a bit differently. When encrypting or signing emails, or when signing git commits, the keyboard input for the whole desktop used to be blocked, but mouse input was still allowed. Fetching the password for a GPG key from a personal KeePassXC database was thus still possible. I could not use shortcuts, but oh well — at least I don’t need to remember the password. However, since the update, mouse input is blocked as well. Only the OK and Cancel buttons, as well as the text input field, remain responsive, and nothing else. This has proven to be pretty annoying. While searching for a solution, I found a very nice way to automatically unlock my GPG key without even copying the password into the clipboard. It relies on KeePassXC’s libsecret integration. A drawback of this libsecret solution is that there is no authentication or verification within this API: any process running in your session can ask for a secret. If you however trust the software you have installed and you are somewhat lazy, then this is a pretty nice way of managing secrets, while at the same time being limited to the entries/programs you configure to make use of it and the timeframe during which your database is unlocked. Furthermore, your passwords are not distributed over multiple password safes.

Prerequisites

  • KeePassXC 2.5.0 or higher is required.
  • Install libsecret-tools (sudo apt install libsecret-tools) for testing and command line tooling.
  • Make sure other Secret Service providers like gnome-keyring-daemon are not running; only one process can own the service on the session bus.

Configure KeePassXC

In KeePassXC, go to Tools > Settings > Secret-Service-Integration and enable Enable KeePassXC Freedesktop.org Secret Service integration.

Select a database and/or group within the database that should be used for the integration (click on the pencil icon > Secret-Services-Integration > select a group). A designated group for use with the secret service is recommended, as other tools will be able to access it via libsecret and may arbitrarily and automatically create entries.

Be sure to have the search capabilities enabled for this group, as otherwise libsecret will not be able to find your entries. (Right click on the group > Group > Searching)

From now on all passwords stored or accessed via libsecret will be stored in and served by KeePassXC instead of gnome-keyring. As a default setting, you will receive a desktop notification when a program accesses an entry.

Use and Test with libsecret secret-tool

Create a new entry in your database within the group configured for secret service access. At least a name and a password must be specified.

Add an attribute in the Advanced tab, e.g. account with the value testentry. Both key and value may be chosen freely; libsecret matches entries by these attributes.

It is now possible to access the password of this entry by typing

secret-tool lookup account testentry

secret-tool also allows creating new entries from the CLI (the secret itself is read from standard input), e.g.

secret-tool store --label='created from cli' account cli

Secret Service Integration for skype-for-linux

In particular, skype-for-linux showed an annoying behaviour in relation to gnome-keyring, even when using a KDE desktop environment. gnome-keyring is a hard dependency, so you can’t uninstall gnome-keyring without also uninstalling skype … As I didn’t want to distribute my passwords over multiple password safes, I had resolved to manually entering the password every time when starting skype. (It turns out that if you forbid saving the password to the keyring (twice!), skype will allow you to enter it by hand and forego gnome-keyring integration entirely.)

You can’t use KeePassXC’s Secret Service Integration while gnome-keyring-daemon is running. After disabling it, skype still seems to work, and now seamlessly handles its password needs via KeePassXC.

As a crude workaround for disabling gnome-keyring, you may simply remove the executable bit from its binaries (note that a package upgrade will restore it):

sudo chmod -x /usr/bin/gnome-keyring
sudo chmod -x /usr/bin/gnome-keyring-daemon

Secret Service integration for GPG

To allow GPG to store a key’s password via libsecret into KeePassXC, you need to hook into GPG’s pinentry mechanism and configure a pinentry program with libsecret support. This can be done by adding the following line to your GPG agent config file at ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-gnome3

Other pinentry programs with support for libsecret will probably work in the same way.

Now, to trigger GPG for a password prompt, try something like

echo asdf | gpg --armor --sign

Remember to check Save in password manager in the pinentry dialog. After clicking OK you will observe that a new entry has been created in your KeePassXC group. From now on, every time you unlock your GPG key, no popup will show up as long as your KeePassXC database is unlocked. To verify this behaviour, restart gpg-agent via gpgconf --kill gpg-agent as the password is usually cached for 5 minutes.

To undo the integration for GPG, simply remove the line we added to your GPG agent config file earlier and restart gpg-agent. You may want to remove the entries in KeePassXC as well.
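As an added example (not from the original post, and not part of KeePassXC or GnuPG), here is a small POSIX shell script that makes the enable and undo steps above idempotent: it replaces or removes the pinentry-program line in the gpg-agent.conf you pass in, refuses a pinentry path that is not executable, and restarts the agent belonging to that config directory. The function names and the default pinentry path are my own choices.

```shell
#!/bin/sh
# Added example: manage the pinentry-program line in a gpg-agent.conf.
set -eu

PINENTRY_RE='^[[:space:]]*pinentry-program[[:space:]]'

# Print the pinentry currently configured in the given gpg-agent.conf
# (empty output if the file or the option is absent; last line wins).
current_pinentry() {
    conf=$1
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1
}

# gpg-agent reads its config only on startup, so kill the agent that uses
# this config directory; it is restarted on demand by the next gpg call.
reload_agent() {
    conf=$1
    if command -v gpgconf >/dev/null 2>&1; then
        GNUPGHOME=$(dirname "$conf") gpgconf --kill gpg-agent || true
    fi
}

# Remove every pinentry-program line (the undo step from the post).
disable_libsecret_pinentry() {
    conf=$1
    [ -f "$conf" ] || return 0
    tmp=$(mktemp)
    grep -v "$PINENTRY_RE" "$conf" > "$tmp" || true   # grep -v exits 1 when nothing is left
    mv "$tmp" "$conf"
    reload_agent "$conf"
}

# Set exactly one pinentry-program line, keeping all other options intact.
# Default is the pinentry named in the post; a non-executable path is rejected.
enable_libsecret_pinentry() {
    conf=$1
    pinentry=${2:-/usr/bin/pinentry-gnome3}
    [ -x "$pinentry" ] || { echo "pinentry not executable: $pinentry" >&2; return 1; }
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp)
    grep -v "$PINENTRY_RE" "$conf" > "$tmp" || true
    printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"
    mv "$tmp" "$conf"
    reload_agent "$conf"
}
```

Typical use is `enable_libsecret_pinentry "$HOME/.gnupg/gpg-agent.conf"` followed by the `echo asdf | gpg --armor --sign` check from above, and `disable_libsecret_pinentry "$HOME/.gnupg/gpg-agent.conf"` to undo.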

Sources

Most ideas have been taken from https://avaldes.co/2020/01/28/secret-service-keepassxc.html and the relevant GitHub issues for KeePassXC.