Commit 343c8ff8 authored by Harm te Molder, committed by Recolic Keghart

Add note about password store


Signed-off-by: Recolic Keghart <root@recolic.net>
parent 004b9952
......@@ -6,7 +6,7 @@ Use GnuPG to unlock gnome-keyring, which is supported by yubikey and other smart
## Problem
If you're logging into Linux with yubikey `pam_u2f.so`, gnome will ask you to unlock `login` keyring with your login password.
If you're logging into Linux with yubikey `pam_u2f.so`, gnome will ask you to unlock `login` keyring with your login password.
But why are you using yubikey for login? Because I don't want to type the FUCKING LONG PASSWORD.
Currently the only solution is to set the password of `login` keyring to empty. But it's not secure. (If your harddisk got fucked one day, the hacker can get ALL your password saved by chromium, get everything in your keyring.)
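Review bot: the two copies of the "If you're logging into Linux with yubikey `pam_u2f.so`" line at the top of this hunk render identically, so this hunk is a whitespace-only change to a sentence unrelated to the password-store note; either drop it from this commit or mention the whitespace cleanup in the commit message, which currently only says "Add note about password store".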
......@@ -16,9 +16,11 @@ Currently the only solution is to set the password of `login` keyring to empty.
I encrypt the `keyring-name : password` pair with GnuPG and save it as `secret-file`. Then on starting gnome, you have yubikey inserted. Then an auto-started script call GnuPG to decrypt the secret file, and pipe use the password to unlock your keyring. GnuPG will ask you to insert yubikey.
## Dependencies
The project uses libgnome-keyring-dev
### Ubuntu 20.04
libgnome-keyring-dev is not in the repositories, you have to install it and its dependencies manually:
```
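Review bot: the Ubuntu 20.04 instructions tell the reader to install libgnome-keyring-dev and its dependencies manually but do not say where the packages should come from or how to verify them; please name the source and the signature or checksum check, and add a sentence that a package installed by hand from outside the repositories will not receive security updates (the TODO further down already acknowledges that libgnome-keyring-1 is deprecated).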
......@@ -41,15 +43,17 @@ sudo pacman -S libgnome-keyring
## Usage
> I recommend you to **configure Yubikey as GPG smartcard**. The system would just ask you to unlock gnome-keyring with your default GPG software. You may generate a new GPG key for yubikey, or move your existing GPG key into yubikey. Refer to google for these knowledge.
> I recommend you to **configure Yubikey as GPG smartcard**. The system would just ask you to unlock gnome-keyring with your default GPG software. You may generate a new GPG key for yubikey, or move your existing GPG key into yubikey. Refer to google for these knowledge.
First, build the project from source.
```
git clone https://github.com/recolic/gnome-keyring-yubikey-unlock --recursive
cd gnome-keyring-yubikey-unlock/src && make && cd ..
```
Then, create your secret file.
```
gnome-keyring-yubikey-unlock/create_secret_file.sh /path/to/your_secret [Your GnuPG public key]
# input your keyring:password
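Review bot: the blockquote recommending Yubikey as a GPG smartcard appears twice with no visible difference, so that part of this hunk is whitespace-only; since the line is touched anyway, fix "Refer to google for these knowledge" (for example "Refer to the web for this"). The `create_secret_file.sh` step at the end of the hunk reads `keyring:password` from the terminal; the text should say whether that input is echoed and remind the reader to keep it out of shell history and scrollback, since the secret file is what stands between the GPG key and the `login` keyring.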
......@@ -57,6 +61,8 @@ gnome-keyring-yubikey-unlock/create_secret_file.sh /path/to/your_secret [Your Gn
As an example, I need to input `login:My_Very_Long_Login_Password`. (You may use `seahorse` or `tools/list_keyrings.sh` to determine the name of your keyring)
Alternatively, use an already existing entry from your [password store](https://www.passwordstore.org/) (e.g. `/home/user/.password-store/password.gpg`)
Then, add the following command to gnome-autostart. You should know how to auto-run a command after starting gnome.
```
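Review bot: the new password-store sentence does not say what the entry has to contain. The preceding line shows the secret file holding a `keyring:password` pair such as `login:My_Very_Long_Login_Password`, whereas a typical pass entry keeps only the bare password on its first line, so a reader pointing the tool at an existing `password.gpg` will most likely feed it the wrong format. Please state that the entry must hold the `login:<password>` line (or that a separate entry in that format is needed), and consider writing the example path as `~/.password-store/...` rather than `/home/user/...`.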
......@@ -81,9 +87,9 @@ run `tools/list_keyrings.sh` to check name of your keyrings. The `login` keyring
- Working on keyring `Login`: GNOME\_KEYRING\_RESULT\_BAD\_ARGUMENTS.
Seahorse sometimes show an incorrect name for "Login" keyring. It's real name is `login` instead of `Login`. You may confirm this by running `tools/list_keyrings.sh`.
Seahorse sometimes show an incorrect name for "Login" keyring. It's real name is `login` instead of `Login`. You may confirm this by running `tools/list_keyrings.sh`.
- It's simply not working. How do I debug this program?
- It's simply not working. How do I debug this program?
```
echo 'login:my_password' | bin/unlock_keyrings --secret-file -
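Review bot: the debug command `echo 'login:my_password' | bin/unlock_keyrings --secret-file -` at the end of this hunk puts the real keyring password on the command line, where it lands in shell history; suggest saying so and pointing `--secret-file` at a file with restrictive permissions (or at the encrypted secret file itself) instead of `echo`. Also, the two Seahorse lines render identically (whitespace-only), so fix "Seahorse sometimes show" to "shows" and "It's real name" to "Its real name" while touching them.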
......@@ -91,5 +97,4 @@ echo 'login:my_password' | bin/unlock_keyrings --secret-file -
## TODO
This program is using deprecated `libgnome-keyring-1` instead of `libsecret`, because the author could not understand how to use `libsecret`. There's almost no document about how to use `secret_service_unlock_sync()`.
This program is using deprecated `libgnome-keyring-1` instead of `libsecret`, because the author could not understand how to use `libsecret`. There's almost no document about how to use `secret_service_unlock_sync()`.
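Review bot: the TODO paragraph appears twice with no visible difference and the hunk header shows one line removed, so this is whitespace or trailing-newline cleanup; since the text is touched anyway, "There's almost no document about" should read "almost no documentation about", and the paragraph would be more actionable if it stated what a contributor still needs to work out about `secret_service_unlock_sync()` to complete the migration to libsecret.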