Since the update to (K)ubuntu “focal fossa”, the GPG pinentry dialog behaves a bit differently. When encrypting or signing emails, or when signing git commits, keyboard input for the whole desktop used to be blocked while mouse input was still allowed. Fetching the password for a GPG key from a personal KeePassXC database was thus still possible. I could not use shortcuts, but oh well, at least I don’t need to remember the password. Since the update, however, mouse input is blocked as well. Only the OK and Cancel buttons and the text input field remain responsive, and nothing else. This has proven to be pretty annoying. While searching for a solution, I found a very nice way to unlock my GPG key automatically, without even copying the password into the clipboard: KeePassXC’s libsecret (Freedesktop.org Secret Service) integration. A drawback of this libsecret solution is that the API has no authentication or verification: any program running in your desktop session can talk to the Secret Service over the session D-Bus, and KeePassXC cannot tell a legitimate client from a malicious one. If you trust the software you have installed and you are somewhat lazy, then this is a pretty nice way of managing secrets, while the exposure stays limited to the entries and programs you configure for it and to the timeframe during which your database is unlocked. Furthermore, your passwords are not spread over multiple password safes.
- KeePassXC 2.5.0 or higher is required.
- `sudo apt install libsecret-tools` for testing and command line tooling.
- Make sure other providers like `gnome-keyring-daemon` are not running: only one process can own the `org.freedesktop.secrets` name on the session bus, and KeePassXC cannot register it while gnome-keyring holds it.
In KeePassXC, go to Tools > Settings > Secret Service Integration and enable “Enable KeePassXC Freedesktop.org Secret Service integration”. Then select a database and/or a group within the database that should be exposed through the integration (click on the pencil icon > Secret Service Integration > select a group). A dedicated group for Secret Service use is recommended, as other tools will be able to access it via libsecret and may arbitrarily and automatically create entries there.
Be sure to have the search capabilities enabled for this group, as otherwise libsecret will not be able to find your entries. (Right click on the group >
From now on, all passwords stored or accessed via libsecret will be stored in and served by KeePassXC instead of gnome-keyring. By default you will receive a desktop notification whenever a program accesses an entry; leave this on, because it is the only indication you get of which client read which secret.
Use and Test with libsecret secret-tool
Create a new entry in your database within the group configured for Secret Service access. At least a title and a password must be specified. Add an attribute in the Advanced tab, e.g. `account` with the value `testentry`. Name and value may be chosen freely; they are what libsecret clients search for.
It is now possible to access the password of this entry by typing
secret-tool lookup account testentry
secret-tool can also create new entries from the CLI, e.g.
secret-tool store --label='created from cli' account cli
It reads the secret from standard input and, with KeePassXC as the provider, the new entry shows up in the configured group.
Secret Service Integration for skype-for-linux
skype-for-linux showed an annoying behaviour in relation to gnome-keyring, even when using a KDE desktop environment. gnome-keyring is a hard dependency of the package, so you can’t uninstall gnome-keyring without also uninstalling skype… As I didn’t want to spread my passwords over multiple password safes, I had resigned myself to entering the password manually every time I started skype. (It turns out that if you refuse to save the password to the keyring, twice, skype lets you enter it by hand and forgoes gnome-keyring integration entirely.)
You can’t use KeePassXC’s Secret Service integration while gnome-keyring-daemon is running. After disabling it, skype still works and now seamlessly stores and fetches its password via KeePassXC.
As a workaround for disabling the gnome keyring, you may simply remove the execute bit from its binaries:
sudo chmod -x /usr/bin/gnome-keyring
sudo chmod -x /usr/bin/gnome-keyring-daemon
Keep in mind that a package upgrade of gnome-keyring restores these permissions, so check again after updates. A more durable alternative is to override its autostart files (gnome-keyring-secrets.desktop and friends in /etc/xdg/autostart) with copies in ~/.config/autostart/ containing Hidden=true.
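The following script is an added example, not part of the original post. It does two things that the prerequisites, the secret-tool test section and the gnome-keyring workaround above all rely on: it asks the session bus which process currently owns `org.freedesktop.secrets` (the name KeePassXC has to register, and which gnome-keyring-daemon would otherwise hold), and it runs a store/lookup/clear round trip with secret-tool against whatever provider answers. It assumes a session D-Bus, `busctl` from systemd and `libsecret-tools`; the attribute name `smoke`, its value and the label are made up for the test.

```shell
#!/bin/sh
# Added example, not from the original post: find out which process owns
# org.freedesktop.secrets on the session bus (KeePassXC cannot register while
# gnome-keyring-daemon holds it), then do a store/lookup/clear round trip
# with secret-tool. Assumes a session D-Bus, busctl (systemd) and
# libsecret-tools; the attribute "smoke=test" and the label are made up here.

SECRETS_NAME="org.freedesktop.secrets"

# comm_from_busctl: extract the Comm= line from `busctl --user status` output
# (reads stdin, so it can be exercised with constructed text)
comm_from_busctl() {
  sed -n 's/^[[:space:]]*Comm=//p' | head -n 1
}

# classify_owner COMM: map the owning process name to a verdict.
# Comm is truncated to 15 characters by the kernel, hence the prefix matches.
classify_owner() {
  case "$1" in
    "")             echo none ;;
    keepassxc*)     echo keepassxc ;;
    gnome-keyring*) echo gnome-keyring ;;
    *)              echo other ;;
  esac
}

# owner_verdict: live check against the session bus
owner_verdict() {
  comm=$(busctl --user status "$SECRETS_NAME" 2>/dev/null | comm_from_busctl)
  classify_owner "$comm"
}

# secret_roundtrip VALUE: store VALUE under attribute smoke=test, read it back,
# delete it again; succeeds only if the provider returned the same bytes
secret_roundtrip() {
  printf '%s' "$1" | secret-tool store --label='secret-service smoke test' smoke test || return 1
  got=$(secret-tool lookup smoke test)
  secret-tool clear smoke test
  [ "$got" = "$1" ]
}

main() {
  case "$(owner_verdict)" in
    keepassxc)     echo "$SECRETS_NAME is owned by KeePassXC" ;;
    gnome-keyring) echo "$SECRETS_NAME is owned by gnome-keyring-daemon; stop it before enabling KeePassXC" >&2; return 1 ;;
    none)          echo "nobody owns $SECRETS_NAME; is KeePassXC running with Secret Service enabled?" >&2; return 1 ;;
    *)             echo "$SECRETS_NAME is owned by an unexpected process" >&2; return 1 ;;
  esac
  if secret_roundtrip 'correct horse battery staple'; then
    echo "store/lookup/clear round trip OK (a KeePassXC notification should have appeared)"
  else
    echo "round trip failed: is the database unlocked and the group searchable?" >&2
    return 1
  fi
}

# Only run the live checks when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
  main
fi
```

Run it as `sh secrets-check.sh --check` after enabling the integration in KeePassXC. A `gnome-keyring` verdict means the chmod or autostart workaround above has not taken effect yet in the current session; a `none` verdict with KeePassXC running usually means the database is locked or the integration checkbox is off.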
Secret Service integration for GPG
To allow for GPG to store a key’s password via libsecret into KeepassXC, it’s required hook into GPG’s pinentry mechanism and configure a pinentry program with libsecret support. This can be done by adding the following line to your GPG config file at
Other pinentry programs with libsecret support should work the same way. Note that pinentry-program is a gpg-agent option and belongs in gpg-agent.conf rather than gpg.conf, because it is gpg-agent, not gpg, that launches pinentry.
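The post’s own config line is not reproduced on this page. As an added example (not the author’s file), assuming the libsecret-capable pinentry is pinentry-gnome3 installed at /usr/bin/pinentry-gnome3, the fragment in ~/.gnupg/gpg-agent.conf looks like this:

```conf
# ~/.gnupg/gpg-agent.conf (added example; the pinentry path is an assumption)
pinentry-program /usr/bin/pinentry-gnome3
# gpg-agent's own in-memory passphrase cache, in seconds (600 is the default);
# the entry saved in KeePassXC outlives this cache
default-cache-ttl 600
```

gpg-agent only reads this file at startup, so run `gpgconf --kill gpg-agent` afterwards; the agent is restarted on demand by the next gpg invocation.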
Now, to make GPG ask for the passphrase, try something like
echo asdf | gpg --armor --sign
Remember to tick “Save in password manager” in the pinentry dialog. After clicking OK you will see that a new entry has been created in your KeePassXC group. From now on, every time you unlock your GPG key, no popup will show up as long as your KeePassXC database is unlocked; with the database locked you get the usual pinentry prompt again. To verify this behaviour, first restart gpg-agent with
gpgconf --kill gpg-agent
because gpg-agent additionally caches the passphrase in memory (600 seconds by default, configurable via default-cache-ttl), and a passphrase served from that cache never reaches pinentry at all.
To undo the integration for GPG, simply remove the line added to your GPG config file earlier and restart gpg-agent. You may want to remove the entries in KeePassXC as well.
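As an added example, not code from the original post, the following script checks the pinentry wiring described in this section and reports which secret keys already have their passphrase in the Secret Service, without ever printing a passphrase. It assumes the pinentry-program line lives in gpg-agent.conf, that the configured pinentry binary links libsecret (true for pinentry-gnome3 on Debian/Ubuntu), and that pinentry stores its entries with a `keygrip` attribute (the attribute name comes from pinentry’s password-cache.c).

```shell
#!/bin/sh
# Added example, not from the original post: check that gpg-agent points at a
# pinentry with libsecret support, list which secret keys already have their
# passphrase in the Secret Service, and run a signing test after flushing
# gpg-agent's own cache. Assumptions: pinentry-program is set in
# gpg-agent.conf; the pinentry binary links libsecret (pinentry-gnome3 on
# Debian/Ubuntu does); pinentry stores entries with a "keygrip" attribute.

GPG_AGENT_CONF="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"

# configured_pinentry: print the pinentry-program path from config text on stdin
configured_pinentry() {
  sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' | head -n 1
}

# keygrips: pull keygrips out of `gpg --with-colons --with-keygrip` output;
# "grp" records carry the keygrip in field 10 (same slot as the fpr record)
keygrips() {
  awk -F: '$1 == "grp" && $10 != "" { print $10 }'
}

check_pinentry() {
  pe=$(configured_pinentry < "$GPG_AGENT_CONF")
  if [ -z "$pe" ]; then
    echo "no pinentry-program in $GPG_AGENT_CONF; gpg-agent uses the distribution default" >&2
    return 1
  fi
  if ! ldd "$pe" 2>/dev/null | grep -q libsecret; then
    echo "$pe does not link libsecret; no 'Save in password manager' checkbox" >&2
    return 1
  fi
  echo "pinentry: $pe (libsecret linked)"
}

# list_cached: for each secret key, report whether an entry with its keygrip
# exists in the Secret Service; `search` only lists metadata, so the
# passphrase itself is never written to the terminal
list_cached() {
  gpg --batch --with-colons --with-keygrip --list-secret-keys 2>/dev/null | keygrips |
  while read -r grip; do
    if secret-tool search keygrip "$grip" 2>/dev/null | grep -q .; then
      echo "$grip: passphrase stored in Secret Service"
    else
      echo "$grip: not stored (sign once and tick 'Save in password manager')"
    fi
  done
}

# sign_test: kill gpg-agent so its in-memory cache is gone, then sign; if the
# passphrase is in an unlocked KeePassXC database no dialog should appear
sign_test() {
  gpgconf --kill gpg-agent
  printf 'test\n' | gpg --armor --sign --output /dev/null && echo "signature created"
}

case "${1:-}" in
  check) check_pinentry && list_cached ;;
  sign)  sign_test ;;
esac
```

Use `sh gpg-secret-check.sh check` to see the wiring and the per-key status, and `sh gpg-secret-check.sh sign` to reproduce the test from this section with the agent cache flushed. If the keygrip search finds nothing even though the entry is visible in KeePassXC, the group is most likely not searchable, or the entry was created under a different attribute.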
Most ideas have been taken from https://avaldes.co/2020/01/28/secret-service-keepassxc.html and the relevant github issues for KeePassXC.