Currently I use KeePass to store passwords and RSA keys, and as the Freedesktop SecretService provider; see the KeePass: an MFA TOTP codes, a browser’s passwords, SSH keys passwords storage configuration and Secret Service integration post.
The first issue I ran into with such a setup is that the KeePass database is synced between my computers (the database file is simply kept in a Dropbox folder), while some applications write machine-specific secrets into it. For example, Chromium creates its own key named “Chromium Safe Storage” to encrypt its local SQLite database, and that key must be different on each PC; since the database is synced, the copies overwrite each other.
The second inconvenience is that KeePass starts with the database locked, and applications cannot use it until I unlock it.
This can be automated, for example, with the -pw option (see KeePass options) or with a GPG key, but that defeats the whole point of encrypting the data, as the credentials needed to open the database end up in plaintext on the same filesystem.
So let’s try using gnome-keyring as the SecretService for local applications, and leave everything else in KeePass.
GNOME Keyring install
Check the D-Bus org.freedesktop.secrets service now:
Disable SecretService support in KeePass, then install
Check the SecretService again:
It is started and working, and the options are --start --foreground --components=secrets, which is correct, so all is good here.
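A check that goes one step further than listing the bus name, as an added example of my own (not code from the original post): it asks the session bus which process owns org.freedesktop.secrets, prints that process’ command line (so you can see whether it is gnome-keyring-daemon with which options, or still KeePass), and then stores, reads back and deletes a throwaway secret through the service. The same check is what the “Reboot the PC and check D-Bus again” step below repeats. It assumes dbus-send (from the dbus package) and secret-tool (from libsecret) are installed and that it runs inside the graphical session that owns the bus; the attribute name keyring-probe is an arbitrary label chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: find out which process owns
# org.freedesktop.secrets on the session bus and prove that the service
# actually stores and returns a secret. Needs dbus-send and secret-tool,
# and must run inside the session whose bus you want to inspect.

# Pull the first uint32 value out of a dbus-send reply (the PID in the reply
# to GetConnectionUnixProcessID). Kept separate so it can be checked offline.
reply_uint32() {
    awk '$1 == "uint32" { print $2; exit }'
}

# PID of the connection that owns org.freedesktop.secrets; empty if unowned.
secrets_owner_pid() {
    dbus-send --session --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
        string:org.freedesktop.secrets 2>/dev/null | reply_uint32
}

# Command line of the owning process, so you can see whether it is
# gnome-keyring-daemon (and with which options) or still KeePass.
secrets_owner_cmdline() {
    pid=$(secrets_owner_pid)
    [ -n "$pid" ] || { echo "org.freedesktop.secrets has no owner" >&2; return 1; }
    tr '\0' ' ' < "/proc/$pid/cmdline"
    echo
}

# Compare the stored and returned values (separate so the logic is testable).
roundtrip_matches() {
    [ "$1" = "$2" ]
}

# Store a throwaway secret, read it back, and remove it again.
# Succeeds only if the value read back equals what was stored. A locked
# default keyring shows up here as an unlock prompt instead of a silent pass.
secrets_roundtrip() {
    attr=keyring-probe   # arbitrary attribute name used only by this probe
    val=$$
    printf 'probe-%s' "$val" | secret-tool store --label="keyring probe" "$attr" "$val" || return 1
    got=$(secret-tool lookup "$attr" "$val")
    secret-tool clear "$attr" "$val"
    roundtrip_matches "probe-$val" "$got"
}

# Usage, inside the X session:
#   secrets_owner_cmdline && secrets_roundtrip && echo "SecretService OK"
```

If secrets_owner_cmdline still shows the KeePass process, the SecretService option in KeePass is not really disabled yet; if the round trip hangs on a dialog, the keyring is locked, which the PAM setup in the next section takes care of.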
GNOME Keyring unlock on Log In
In /etc/pam.d/login, add the following lines to the auth and session sections:
...
auth optional pam_gnome_keyring.so
...
session optional pam_gnome_keyring.so auto_start
...
To update the keyring password when the user’s system password is changed, add the following line to the
...
password optional pam_gnome_keyring.so
The documentation says that eval $(/usr/bin/gnome-keyring-daemon --start --components=secrets) must be executed from ~/.xinitrc (or, for example, from ~/.config/openbox/environment), but in my case everything already works without it (Arch Linux + Openbox with a manual X server start via
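Two details of the PAM lines above are easy to get wrong and quietly leave the keyring locked: the auth entry picks up the password that the module before it collected, so it has to come after the line that actually authenticates (on Arch, the include of the system stack), and without auto_start the session entry does not start the daemon. The following audit script is an added example of my own, not from the post; it assumes the usual “type control module [args]” layout with one entry per line and a plain control word (optional) on the keyring lines, and takes the file to check plus the entry types to require (auth and session by default, password for the file used by password changes).

```shell
#!/bin/sh
# Added example, not from the original post: audit a PAM service file for the
# pam_gnome_keyring.so entries. Assumes the usual "type control module [args]"
# layout, one entry per line, with a plain control word on the keyring lines.

# pam_keyring_check FILE [TYPE...]
# TYPE is auth, session or password; default "auth session" (the login file).
# Prints "ok" and returns 0 when every requested entry is present and usable,
# otherwise prints one line per problem and returns 1.
pam_keyring_check() {
    file=$1; shift
    awk -v want="${*:-auth session}" '
        $1 ~ /^#/ || NF == 0 { next }                     # comments, blank lines
        $3 ~ /pam_gnome_keyring\.so/ {                    # a keyring entry
            kr[$1] = NR
            if ($1 == "session" && $4 == "auto_start") autostart = 1
            next
        }
        $1 == "auth" { last_auth = NR }                   # any other auth entry
        END {
            n = split(want, w, " "); bad = 0
            for (i = 1; i <= n; i++) {
                t = w[i]
                if (!(t in kr)) {
                    print "missing: " t " optional pam_gnome_keyring.so"; bad = 1; continue
                }
                # The auth entry needs the password collected by the module that
                # authenticates, so it must come after the other auth entries.
                if (t == "auth" && kr["auth"] < last_auth) {
                    print "misordered: auth pam_gnome_keyring.so must follow the other auth lines"; bad = 1
                }
                if (t == "session" && !autostart) {
                    print "incomplete: session pam_gnome_keyring.so lacks auto_start, the daemon will not be started at login"; bad = 1
                }
            }
            if (!bad) print "ok"
            exit bad
        }' "$file"
}

# Usage on a real system:
#   pam_keyring_check /etc/pam.d/login
#   pam_keyring_check <the PAM service file used for password changes> password
```

Run it as root or any user that can read the PAM files; a non-zero exit status with a “misordered” line is the case to look for when the login keyring keeps asking for its password after a reboot.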
Reboot the PC and check D-Bus again:
The Login and Default keyrings
After the installation we checked the service above, and it looked like this:
But on my home laptop “something went wrong”: the gnome-keyring-daemon service had been started with --daemonize --login only, without
And in Seahorse (see the Seahorse – GUI for the gnome-keyring part below) I had an empty Login keyring and a Default one which it was not even possible to unlock:
Check keyrings files:
Remove (I actually moved them to a Backups directory) the Default_keyring.keyring and default files, log in again, and it works now.
Seahorse – GUI for the gnome-keyring
Install the Seahorse:
Run a browser, for example Brave, and check the Login keyring (it must have been created by gnome-keyring after the first login to the system):
No such secret collection at path: /
Sometimes, when creating a new keyring, Seahorse returns an error with the “No such secret collection at path: /” message:
The solution is to update the environment variables for D-Bus:
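The post’s own command for updating the D-Bus environment is not visible here, so the following ~/.xinitrc fragment is an added example of my own, not the post’s configuration: it starts (or attaches to) gnome-keyring-daemon with the secrets component, as the documentation quoted above suggests, exports only well-formed NAME=value lines from the daemon’s output instead of eval-ing everything it prints, and then pushes the session environment to the D-Bus daemon. The assumptions are that dbus-update-activation-environment is available (dbus 1.10 or newer) and that pushing the environment with it is the kind of fix meant here; the sample daemon output used in the test is constructed, and the variable names in it are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: a ~/.xinitrc fragment that starts
# gnome-keyring-daemon with the secrets component, exports its variables, and
# publishes the session environment to D-Bus. Assumes dbus-update-activation-
# environment exists (dbus >= 1.10); whether this is exactly the fix the post
# applied is an assumption.

# Turn the daemon's "NAME=value" lines into "export NAME='value'" statements.
# Only lines whose value consists of path-like characters pass the whitelist;
# warnings, prompts or anything with shell metacharacters are dropped, so the
# result is safe to feed to eval.
daemon_exports() {
    awk -v q="'" '
        $0 ~ "^[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_/.@%:+,=-]*$" {
            eq = index($0, "=")
            print "export " substr($0, 1, eq - 1) "=" q substr($0, eq + 1) q
        }'
}

# Start (or attach to) the daemon, export its variables into this shell, and
# hand the session environment to dbus-daemon so that services it activates
# (Seahorse's helpers, browsers started from menus) see the same values.
start_keyring_session() {
    eval "$(/usr/bin/gnome-keyring-daemon --start --components=secrets | daemon_exports)"
    dbus-update-activation-environment --all
}

# In ~/.xinitrc:
#   start_keyring_session
#   exec openbox-session
```

The whitelist in daemon_exports is the security-relevant part: a plain eval $(...) executes whatever the daemon writes to stdout, including warnings, while this version only ever produces export statements with single-quoted values.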
Also published on Medium.