top | item 40101066

Ask HN: What kind of secrets do you entrust to the gnome-keyring?

2 points| DavidHaerer | 1 year ago

I'd like to know how you use gnome-keyring. From their Security Philosophy [1], Basics of Storing Secrets [2] and Security FAQ [3] wiki pages, I understand that the keyring helps against passive attacks (i.e. the attacker does not have access to an active user session). However, if the attack can execute code in the same user session where the keyring is unlocked, they have access to all secrets in the keyring.

There is also the consideration of having no password on the login keyring (e.g. for convenience when using a fingerprint for login) and using full disk encryption.

The Security Philosophy page makes a point about avoiding security theater, so I appreciate the clear communication about the limitations.

However the possibility of any process running in my user session reading any secret in the keyring makes me a bit paranoid and looks like the weakest link in my security setup.

So I'm interested in your considerations when using gnome keyring. Also, if you're an applications developer, do you use gnome keyring or are there better ways of storing secrets?

[1]: https://wiki.gnome.org/Projects/GnomeKeyring/SecurityPhilosophy [2]: https://wiki.gnome.org/Projects/GnomeKeyring/StoringSecrets [3]: https://wiki.gnome.org/Projects/GnomeKeyring/SecurityFAQ

discuss

No comments yet.