Basics of Storing Secrets
The following may seem obvious, but you'd be surprised how often related questions come up.
A 'secret' is something you want to prevent another party from reading or guessing. Passwords are secrets, as are private keys used in crypto. One kind of secret or another is used in almost all forms of secure communications.
Secrets are usually kept in one of two ways:
- You can keep the secret somewhere safe, or safe enough, like:
  - Straight on your hard disk; for many secrets this is good enough.
  - Your brain. Very secure.
  - On sticky-note-ish things, in 'meat space'. Not so very secure.
  - A TPM chip. Yup, I saw you twitch there.
  - Another hardware device such as a smart card.
- You can wrap the secret in another secret.
  - This usually involves encrypting it.
You'll note that there is no magic way to encrypt secrets without then keeping the encrypting secret somewhere. You always have at least one secret in a system that must be kept somewhere.
How Storing Secrets in gnome-keyring Works
- Stores passwords in 'keyrings', which it then encrypts with a master password.
- Private keys (such as SSH keys) are stored encrypted with a password.
- The master password for either of the above can be stored in the 'login' keyring.
- The master password for the 'login' keyring is the same as your unix user account password.
Using the gnome-keyring PAM module, the 'login' keyring can be automatically unlocked when the user logs in.
In order to make the above work, the initial secret (the one that unlocks into your login keyring) must be typed in somewhere or be stored somewhere.
This means that gdm auto login cannot automatically unlock your 'login' keyring, and thus all your passwords and encryption keys.
One way around this, if you use auto login, is to set the 'login' keyring master password to an empty string. Your keyring will then be stored on your hard disk unencrypted, but you won't have to type a password to unlock it when you log in.
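As an added illustration (not gnome-keyring's own code or on-disk format), the following toy model of the layering described above shows both points at once: why nothing can unlock the 'login' keyring when no password is typed at auto login, and why an empty master password leaves the keyring readable straight off the disk. The cipher (PBKDF2 key derivation plus an HMAC-SHA256 counter-mode stream) is a hypothetical construction chosen only to keep the model within the standard library.

```python
import hashlib
import hmac
import json
import os

def _key(password: str, salt: bytes) -> bytes:
    # Master password -> encryption key (PBKDF2, constructed for this model)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream_xor(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stream cipher; a fresh salt per lock()
    # gives a fresh key, so counters are never reused under one key
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def lock(secrets: dict, master_password: str) -> bytes:
    """Serialise a keyring to its on-disk form. Empty master password: plaintext."""
    plain = json.dumps(secrets).encode()
    if master_password == "":
        return b"PLAIN" + plain               # exactly what sits on disk
    salt = os.urandom(16)
    key = _key(master_password, salt)
    ct = _stream_xor(key, plain)
    tag = hmac.new(key, ct, "sha256").digest()  # lets unlock() reject a wrong password
    return b"ENC" + salt + tag + ct

def unlock(blob: bytes, master_password):
    """Return the keyring contents, or None if it cannot be unlocked."""
    if blob.startswith(b"PLAIN"):
        return json.loads(blob[5:])           # readable by anyone with the file
    if master_password is None:
        return None                           # nothing was typed (gdm auto login)
    salt, tag, ct = blob[3:19], blob[19:51], blob[51:]
    key = _key(master_password, salt)
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None                           # wrong password
    return json.loads(_stream_xor(key, ct))

def login_session(unix_password, login_blob: bytes, other_blob: bytes):
    """Model the PAM step: the unix password unlocks 'login', which holds the
    master password of another keyring, which holds the real secrets."""
    login = unlock(login_blob, unix_password)
    if login is None:
        return None
    return unlock(other_blob, login["other-keyring-master"])
```

Every path back to the real secrets starts from one secret that is either typed (the unix password) or stored in the clear (the empty-password keyring); the model has no third option, which is the point made in the first section.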