diff --git a/README.md b/README.md index d4f3a36890bd35fda497a5c0e034d730fa19b6ef..df24dcb947994591b9123061a9a8e26a16e75ba5 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Use GnuPG to unlock gnome-keyring, which is supported by yubikey and other smart ## Problem -If you're logging into Linux with yubikey `pam_u2f.so`, gnome will ask you to unlock `login` keyring with your login password. +If you're logging into Linux with yubikey `pam_u2f.so`, gnome will ask you to unlock `login` keyring with your login password. But why are you using yubikey for login? Because I don't want to type the FUCKING LONG PASSWORD. Currently the only solution is to set the password of `login` keyring to empty. But it's not secure. (If your harddisk got fucked one day, the hacker can get ALL your password saved by chromium, get everything in your keyring.) @@ -16,9 +16,11 @@ Currently the only solution is to set the password of `login` keyring to empty. I encrypt the `keyring-name : password` pair with GnuPG and save it as `secret-file`. Then on starting gnome, you have yubikey inserted. Then an auto-started script call GnuPG to decrypt the secret file, and pipe use the password to unlock your keyring. GnuPG will ask you to insert yubikey. ## Dependencies + The project uses libgnome-keyring-dev ### Ubuntu 20.04 + libgnome-keyring-dev is not in the repositories, you have to install it and its dependencies manually: ``` @@ -41,15 +43,17 @@ sudo pacman -S libgnome-keyring ## Usage -> I recommend you to **configure Yubikey as GPG smartcard**. The system would just ask you to unlock gnome-keyring with your default GPG software. You may generate a new GPG key for yubikey, or move your existing GPG key into yubikey. Refer to google for these knowledge. +> I recommend you to **configure Yubikey as GPG smartcard**. The system would just ask you to unlock gnome-keyring with your default GPG software. You may generate a new GPG key for yubikey, or move your existing GPG key into yubikey. Refer to google for these knowledge. First, build the project from source. + ``` git clone https://github.com/recolic/gnome-keyring-yubikey-unlock --recursive cd gnome-keyring-yubikey-unlock/src && make && cd .. ``` Then, create your secret file. + ``` gnome-keyring-yubikey-unlock/create_secret_file.sh /path/to/your_secret [Your GnuPG public key] # input your keyring:password @@ -57,6 +61,8 @@ gnome-keyring-yubikey-unlock/create_secret_file.sh /path/to/your_secret [Your Gn As an example, I need to input `login:My_Very_Long_Login_Password`. (You may use `seahorse` or `tools/list_keyrings.sh` to determine the name of your keyring) +Alternatively, use an already existing entry from your [password store](https://www.passwordstore.org/) (e.g. `/home/user/.password-store/password.gpg`) + Then, add the following command to gnome-autostart. You should know how to auto-run a command after starting gnome. ``` @@ -81,9 +87,9 @@ run `tools/list_keyrings.sh` to check name of your keyrings. The `login` keyring - Working on keyring `Login`: GNOME\_KEYRING\_RESULT\_BAD\_ARGUMENTS. -Seahorse sometimes show an incorrect name for "Login" keyring. It's real name is `login` instead of `Login`. You may confirm this by running `tools/list_keyrings.sh`. +Seahorse sometimes show an incorrect name for "Login" keyring. It's real name is `login` instead of `Login`. You may confirm this by running `tools/list_keyrings.sh`. -- It's simply not working. How do I debug this program? +- It's simply not working. How do I debug this program? ``` echo 'login:my_password' | bin/unlock_keyrings --secret-file - @@ -91,5 +97,4 @@ echo 'login:my_password' | bin/unlock_keyrings --secret-file - ## TODO -This program is using deprecated `libgnome-keyring-1` instead of `libsecret`, because the author could not understand how to use `libsecret`. There's almost no document about how to use `secret_service_unlock_sync()`. - +This program is using deprecated `libgnome-keyring-1` instead of `libsecret`, because the author could not understand how to use `libsecret`. There's almost no document about how to use `secret_service_unlock_sync()`.