
Secret Service


Implementation of Secret Service API


What does this project do?

By using secret-service you no longer need KeePassXC's Secret Service integration to store and retrieve your applications' credentials, and you no longer have to log in every time to Skype, VS Code Settings Sync, Remmina and similar applications.

Installation

  • Archlinux: There is an AUR package named secret-service.
  • Debian: TODO deb package
  • RedHat: TODO rpm package

Manual Installation

There is a scripts/manage.sh shell script that does the install/uninstall work (run it with ./scripts/manage.sh), but here are the details:

You need to copy the binaries (secretserviced and secretservice; build the project or download them from the releases page) somewhere on your PATH, usually /usr/bin, but if you don't have permission there, ~/.local/bin is fine too. To build the binaries from source (the -race flag enables Go's race detector, which helps catch concurrency bugs but adds runtime overhead; leave it out for a production build):

git clone https://github.com/yousefvand/secret-service.git
cd secret-service
go build -race -o secretserviced cmd/app/secretserviced/main.go
go build -race -o secretservice cmd/app/secretservice/main.go

You need a systemd unit file named secretserviced.service in /etc/systemd/user or, if you don't have permission there, in ~/.config/systemd/user. Here is a sample unit file; change WorkingDirectory and ExecStart according to where you put the secretserviced binary:

[Unit]
Description=Service to keep secrets of applications
Documentation=https://github.com/yousefvand/secret-service

[Install]
WantedBy=default.target

[Service]
Type=simple
RestartSec=30
Restart=always
Environment="MASTERPASSWORD=01234567890123456789012345678912"
WorkingDirectory=/usr/bin/
ExecStart=/usr/bin/secretserviced

CAUTION: MASTERPASSWORD is very important, don't lose it: without it the encrypted database cannot be decrypted. scripts/manage.sh generates a random 32-character password automatically. If you don't use the scripts/manage.sh shell script, it is up to you to set the password, and it must be EXACTLY 32 characters long (the fixed length matches the 32-byte key size of AES-256, so generate it randomly rather than choosing a memorable phrase). Be aware that a password written into Environment= is readable by anyone who can read the unit file (files in /etc/systemd/user are normally world-readable) and is printed by systemctl --user show -p Environment secretserviced.service; a file with mode 0600 referenced through EnvironmentFile= is the safer place for it.
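
The project's own TODO list asks how to secure the unit file, and the Environment= line above is the reason: the master password sits in a readable text file. The following POSIX shell script is an added example, not part of scripts/manage.sh or the project. It generates a random 32-character password into an environment file with mode 0600 and writes a systemd user drop-in that clears Environment= and loads MASTERPASSWORD from that file instead. The file locations ($HOME/.config/secretserviced.env and the drop-in directory) are assumptions chosen here; the daemon only requires that the MASTERPASSWORD variable reaches it.

```sh
#!/bin/sh
# Added example (not from the secret-service project): keep MASTERPASSWORD out
# of secretserviced.service. Generates a random 32-character password, stores it
# in an owner-only environment file and points a systemd user drop-in at it.

# Print 32 random characters from [A-Za-z0-9], taken from /dev/urandom.
gen_master_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Write MASTERPASSWORD=<random> to $1 with mode 0600. umask 077 makes the file
# owner-only from the moment it is created; chmod also covers a pre-existing file.
write_env_file() {
  envfile="$1"
  pw=$(gen_master_password)
  umask 077
  printf 'MASTERPASSWORD=%s\n' "$pw" > "$envfile"
  chmod 0600 "$envfile"
}

# Write a drop-in into directory $1 that resets Environment= and loads the
# password from file $2 when the service starts. An empty Environment=
# assignment clears any value inherited from the main unit file, and
# EnvironmentFile= settings override Environment= anyway.
write_dropin() {
  dropin_dir="$1"
  envfile="$2"
  mkdir -p "$dropin_dir"
  printf '[Service]\nEnvironment=\nEnvironmentFile=%s\n' "$envfile" > "$dropin_dir/override.conf"
}

# Read MASTERPASSWORD back from an environment file (used to verify the result).
read_master_password() {
  sed -n 's/^MASTERPASSWORD=//p' "$1"
}

# Usage with the assumed real paths (run once, then
# systemctl --user daemon-reload && systemctl --user restart secretserviced.service):
#   write_env_file "$HOME/.config/secretserviced.env"
#   write_dropin "$HOME/.config/systemd/user/secretserviced.service.d" \
#                "$HOME/.config/secretserviced.env"
```

After the drop-in is in place, remove the literal password from the main unit file as well: the drop-in overrides it, but the old value is still readable in the file until you delete it.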

Now reload the user manager so it sees the new unit, then enable and start the service (both commands talk to the user manager, so no sudo is needed; sudo systemctl daemon-reload would reload the system manager instead and not pick up a user unit):

systemctl --user daemon-reload
systemctl enable --now --user secretserviced.service

and you can stop the service by:

systemctl disable --now --user secretserviced.service

to see the status of service:

systemctl status --user secretserviced.service

All secret-service data (database, logs, ...) is stored under ~/.secret-service.

By default all secrets are encrypted with AES-256 using MASTERPASSWORD as the key. (The README names the mode as CBC; the daemon's own decryption error quoted in the issues below reports a GCM authentication failure, which would mean a wrong key is detected when the database is loaded rather than yielding garbage. Either way the database is only as strong as the 32-character password.) If you wish to switch between an encrypted and an unencrypted database, follow these steps; note that step 4 discards every stored secret, so export or back up the database first:

  1. Stop the service: systemctl stop --user secretserviced.service
  2. Change the encryption key in the config file (located at ~/.secret-service/secretserviced/config.yaml)
  3. If you are changing to encryption: true, make sure MASTERPASSWORD is set in the service's environment.
  4. Delete the database (located at ~/.secret-service/secretserviced/db.json)
  5. Start the service: systemctl start --user secretserviced.service
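
The five steps above as a single script. This is an added example, not the project's scripts/manage.sh: when encryption is being turned on it checks that MASTERPASSWORD is present in the unit's environment before touching anything, moves db.json aside with a timestamp suffix instead of deleting it (the README's delete step discards every stored secret), and rewrites the encryption key in config.yaml. SYSTEMCTL is a hypothetical override variable so the script can be dry-run without systemd; the config key name and file locations are the ones the README gives.

```sh
#!/bin/sh
# Added example (not the project's scripts/manage.sh): switch the secret-service
# database between encrypted and unencrypted storage following the README steps,
# keeping a backup of db.json instead of deleting it outright.

SYSTEMCTL=${SYSTEMCTL:-systemctl}   # set SYSTEMCTL=true to dry-run without systemd
UNIT=secretserviced.service

# Is MASTERPASSWORD part of the unit's environment? This is where the README's
# sample unit file sets it (Environment= or EnvironmentFile= both show up here).
master_password_configured() {
  "$SYSTEMCTL" --user show -p Environment "$UNIT" | grep -q 'MASTERPASSWORD='
}

# set_config_encryption <config.yaml> true|false
# Rewrites the "encryption:" key in place, or appends it when absent.
# Uses a temp file and mv rather than sed -i so it works with BSD sed too.
set_config_encryption() {
  cfg="$1"
  value="$2"
  if grep -q '^encryption:' "$cfg"; then
    sed "s/^encryption:.*/encryption: $value/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf 'encryption: %s\n' "$value" >> "$cfg"
  fi
}

# backup_db <db.json>: move the database aside with a timestamp suffix and print
# the backup path. Prints nothing when there is no database yet.
backup_db() {
  db="$1"
  [ -f "$db" ] || return 0
  bak="$db.$(date +%Y%m%d%H%M%S).bak"
  mv "$db" "$bak"
  printf '%s\n' "$bak"
}

# switch_encryption <service dir> true|false
# <service dir> is the directory holding config.yaml and db.json,
# normally $HOME/.secret-service/secretserviced.
switch_encryption() {
  dir="$1"
  value="$2"
  case "$value" in
    true|false) ;;
    *) echo "usage: switch_encryption DIR true|false" >&2; return 2 ;;
  esac
  # Step 3 first: refuse to enable encryption without a key, before stopping anything.
  if [ "$value" = true ] && ! master_password_configured; then
    echo "MASTERPASSWORD is not set in $UNIT; refusing to enable encryption" >&2
    return 1
  fi
  "$SYSTEMCTL" --user stop "$UNIT"                   # step 1
  set_config_encryption "$dir/config.yaml" "$value"  # step 2
  backup_db "$dir/db.json"                           # step 4, as a backup instead of rm
  "$SYSTEMCTL" --user start "$UNIT"                  # step 5
}

# Usage: switch_encryption "$HOME/.secret-service/secretserviced" true
```

The backup keeps the old database next to the new one; move it somewhere safer (or delete it) once the service has come back up, because an unencrypted .bak is plaintext on disk.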

If the service refuses to start and you see OS exit code 5 in the logs, another application has already taken the D-Bus name org.freedesktop.secrets (a keyring daemon such as gnome-keyring, or KeePassXC with its Secret Service integration enabled). Stop that application and try again; busctl --user status org.freedesktop.secrets shows which process currently owns the name.

secretservice

This binary is the command-line client for talking to the secretserviced daemon. Supported commands:

ping

secretservice ping

Checks whether the service is up and responsive.

export db

secretservice export db

Exports an unencrypted copy of the current database into ~/.secret-service/secretserviced/. Because this copy is plaintext, keep its permissions tight and delete it as soon as you are done with it.

encrypt

secretservice encrypt -p|--password 32character-password -i|--input /path/to/input/file/ -o|--output /path/to/output/file/

Encrypts the input file with the given password, which must be exactly 32 characters long. Note that a password passed with -p is visible to other local users in the process list (ps, /proc) while the command runs. Example:

secretservice encrypt -p 012345678901234567890123456789ab -i ~/a.json -o ~/b.json

decrypt

secretservice decrypt -p|--password 32character-password -i|--input /path/to/input/file/ -o|--output /path/to/output/file/

Decrypts the input file with the given password, which must be exactly 32 characters long; the same process-list caveat as for encrypt applies. Example:

secretservice decrypt -p 012345678901234567890123456789ab -i ~/a.json -o ~/b.json

Contribution

This project is in its infancy, and as it is my first Go project there are many design and code problems. I appreciate suggestions and PRs. If you can complete any item from the TODO list, you are welcome to. The list will be updated based on new insights and user issues.

In case of sending a PR please make sure:

  1. You are addressing just one issue per PR.
  2. Completely describe the problem and your solution in plain English.
  3. Don't send your PRs to the main branch; create a new branch for your changes and make sure all tests pass.
  4. If any new test is needed based on your PR, please write the test as well.

TODO

  • Improve CI

  • What's the best way to secure /etc/systemd/user/secretserviced.service file

  • deb, rpm, AppImage packages

  • ...

secret-service's People

Contributors

juergenhoetzel, kainz, scrouthtv, tacheometry, yousefvand


secret-service's Issues

Manual build in Github Actions failing at start attempt of secretservice: Error: Process completed with exit code 3.

Hi I'm doing a manual build from a ubuntu runner in github actions and it gets up to the command "systemctl status --user secretserviced.service" and it fails there. Your docs don't indicate any dependencies, are any required?

// some of the lines are my own comments

go: downloading github.com/sirupsen/logrus v1.8.1
go: downloading github.com/godbus/dbus/v5 v5.0.6
go: downloading gopkg.in/natefinch/lumberjack.v2 v2.0.0
go: downloading gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
go: downloading golang.org/x/sys v0.0.0-20220209214540-3681064d5158
go: downloading github.com/google/uuid v1.3.0
go: downloading github.com/monnand/dhkx v0.0.0-20180522003156-9e5b033f1ac4
go: downloading golang.org/x/crypto v0.0.0-20220210151621-f4118a5b28e2
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/spf13/viper v1.10.1
go: downloading github.com/spf13/cobra v1.3.0
go: downloading github.com/fsnotify/fsnotify v1.5.1
go: downloading github.com/magiconair/properties v1.8.5
go: downloading github.com/mitchellh/mapstructure v1.4.3
go: downloading github.com/spf13/afero v1.8.1
go: downloading github.com/spf13/cast v1.4.1
go: downloading github.com/spf13/jwalterweatherman v1.1.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/subosito/gotenv v1.2.0
go: downloading gopkg.in/ini.v1 v1.66.4
go: downloading golang.org/x/text v0.3.7
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading github.com/pelletier/go-toml v1.9.4
copy secreteserviced.service file
Start systemctl
Enable secretserviced
Created symlink /home/runner/.config/systemd/user/default.target.wants/secretserviced.service → /home/runner/.config/systemd/user/secretserviced.service.
Enable secretservice
● secretserviced.service - Service to keep secrets of applications
     Loaded: loaded (/home/runner/.config/systemd/user/secretserviced.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Fri 2023-03-10 19:20:22 UTC; 6ms ago
       Docs: https://github.com/yousefvand/secret-service
    Process: 3430 ExecStart=/home/runner/work/keyring-go/keyring-go/secretserviced (code=exited, status=203/EXEC)
   Main PID: 3430 (code=exited, status=203/EXEC)
        CPU: 1ms
Error: Process completed with exit code 3.

secret-service cannot decrypt database

Hey, I've been using secret-service for a couple weeks, it worked flawlessly for a while but recently credentials have become inaccessible, so after looking into the logs, I've come to find this and going through the docs hasn't really helped me pinpoint the issue...
I'd simply like to know the best course of action in this case, whether I just screwed up some part of the config or my database somehow got corrupted and I have to delete it.

Thanks in advance!

Here's what the logs keep spitting out:

time="Wed, 08 Mar 2023 09:54:31 +0100" level=info msg="===== Secret Service Started ====="
time="Wed, 08 Mar 2023 09:54:31 +0100" level=info msg="Secret service dbus address: /org/freedesktop/secrets"
time="Wed, 08 Mar 2023 09:54:33 +0100" level=info msg="Loading data from: '/home/soul/.secret-service/secretserviced/db.json'"
time="Wed, 08 Mar 2023 09:54:33 +0100" level=panic msg="Cannot decrypt database. Error: GCM open failed: Err: cipher: message authentication failed"

Run without systemd?

Brilliant shell script, seriously. Wish I could code bash this good. Although, the configuration variables make it impractical to use.

VSCode keyring no longer accepts this in the latest update

Now this is most likely a VSCode issue but raising it here as it may be possible to fix. Running VSCode results in this popup:

image

Now bear in mind literally every single org.freedesktop.secrets running on a non-DE environment (like i3, Sway, Hyprland, etc.) seems to be having this issue, at least from what's mentioned throughout the tracking thread on VSCode's issue on GitHub microsoft/vscode#187338.

FIXME: Are they the same?

Greetings,

after using secret-service for a day now, I've got these messages in my log:

Jul 11 10:02:15 archlinux secretserviced[887]: time="Sun, 11 Jul 2021 10:02:15 +0200" level=debug 
msg="FIXME: Are they the same?" <some secrets>
Jul 11 10:02:15 archlinux secretserviced[887]: time="Sun, 11 Jul 2021 10:02:15 +0200" level=trace
msg="GetSecrets result: map <some secrets>

And they are the same. Maybe that helps with anything.

How to setup? How to use? and many more questions...

Recommended trying this repo by a developer, and understandably he was attempting his best to find a resolution, but did not install it himself.

So, it built without a hitch, and I was successful at configuring it to run from ~/.local/bin without systemd using dinit, using a 32 character password.

So... I still have no clue what the user configuration file at ~/.secret-service.yaml is for. It was not created automatically on running the script, and there is no explanation of what is supposed to be located within it or even what its function is. So its purpose is quite mysterious.

Although the script runs, and does appear to use the freedesktop socket of dbus, this seems to be the extent of its function, since there is no other information on its functionality.

When attempting to probe the service using keyring, I received the following error.

Gkr-Message: 05:33:07.983: response from daemon contained a bad collection path: /org/freedesktop/secrets/aliases/default
Gkr-Message: 05:33:07.983: call to daemon returned an invalid response: (null).(null)()

which can't be good.

Putting the master password in the environment is not especially secure

At a minimum, it'd be nice to have some alternative such as reading it from a pipe or socket so I could use gpg -q -d file as the source for the password. Even better would be if I could start the daemon as part of the usual desktop startup with no password available and there would be a way to unlock it by supplying a password later, perhaps via a Unix domain socket.

The environment for processes is visible in /proc (within limits of Unix permissions). For someone not using systemd it could be very tempting to use env when launching secretserviced which is even worse because it then appears in process listings. For what it is worth, secretserviced works perfectly well on FreeBSD so there is no need for systemd.
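
The reporter's first suggestion, taking the password from gpg -q -d instead of a unit file or an env VAR=... command line, can be done with a small wrapper today. The script below is an added example, not code from the issue or from the project: it evaluates a password source command, checks the 32-character length, and starts the daemon with MASTERPASSWORD set only in the child's environment, so the value never appears in the wrapper's own argument list or process title. The gpg file path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not part of the secret-service project): start secretserviced
# without systemd, taking MASTERPASSWORD from a command such as
# "gpg -q -d ~/.secretservice.gpg" rather than from a unit file or from
# "env MASTERPASSWORD=... secretserviced" (which shows the value in ps).
# The password reaches the daemon only through its environment, which /proc
# exposes to the same user and root but not to other users.

# start_with_password_from <source command> <daemon> [args...]
# <source command> is a shell command string that prints the password on stdout;
# a trailing newline from the decrypted file is stripped by the $(...) capture.
start_with_password_from() {
  source_cmd="$1"
  shift
  pw=$(eval "$source_cmd") || return 1
  if [ "${#pw}" -ne 32 ]; then
    echo "password source produced ${#pw} characters, need exactly 32" >&2
    return 1
  fi
  # A variable assignment in front of the command exports it to that child
  # only; the wrapper's own environment never contains the password.
  MASTERPASSWORD="$pw" "$@"
}

# Usage (paths are assumptions): password stored gpg-encrypted in
# ~/.secretservice.gpg, daemon installed in /usr/local/bin.
#   start_with_password_from 'gpg -q -d "$HOME/.secretservice.gpg"' \
#       /usr/local/bin/secretserviced &
```

Run from a desktop autostart entry this asks the gpg-agent for the passphrase once per login; if the agent has no cached key it will pop up its own pinentry, which is the unlock-on-demand behaviour the issue asks for, though the daemon still only starts once the password is available.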

Ideas on how to move ~/.secret-service directory elsewhere?

I'd prefer not to have it clutter my home directory, I kinda already have a lot of things there, .gnupg .ssh .pki .cargo etc etc etc its getting quite messy. Been cleaning it up and this is a slight setback. Are there documented ways, or intended ways to move this directory, perhaps with an environment variable of some type like SECRET_SERVICE_HOME or the like?

Maybe an enhancement security wise

First of all, thanks for creating this neat little program.

As you stated yourself this is absolutely not secure.

So i created a little neat pinentry script to make it maybe more secure.

This isn't probably top notch security, but at least better than storing the password in the systemd file.

My approach is not using systemd it is using the autostart of whatever DE you use.
I use sway and put it there as "exec $HOME/scripts/pinentry-secretservice.sh". And it works flawlessly.

It stores the entered password in $HOME/.secretservicepw hashed with sha512 and checks if it was right (if the file already existed).
If it was wrong it will reprompt until you cancel the pinentry.

Then later it will create an md5 hash from a sha256 hash of the entered password. md5sums are exactly 32 characters long.

If everything was right, MASTERPASSWORD gets set and then secretserviced will be started.

#!/bin/bash
# ask for password via pinentry (Assuan commands on stdin, replies on stdout)
PINENTRY_OUT=$(printf 'SETPROMPT Unlock secretservice:\nGETPIN\n' | pinentry-gnome3)
if [[ "$PINENTRY_OUT" = *"cancel"* ]]; then
  echo "User cancelled"
  exit
fi
# extract password: pinentry returns it on the line starting with "D "
pw=$(echo "$PINENTRY_OUT" | grep "^D " | cut -d' ' -f2-)
# check if it matches .secretservicepw in $HOME ($pw quoted so spaces and
# glob characters in the password survive)
pw512=$(echo "$pw" | sha512sum | cut -d' ' -f1)

# if file exists verify it matches else create it and go on (probably first run)

if [ -f "$HOME/.secretservicepw" ]; then
  if [[ "$pw512" != "$(cat "$HOME/.secretservicepw")" ]]; then
      # retry: exec replaces this process with a fresh prompt, nothing runs after it
      exec "$0"
  fi
else
  # create the hash file readable by the owner only
  (umask 077; echo "$pw512" > "$HOME/.secretservicepw")
fi

# generate 32 character string from $pw (hex md5 of the hex sha256 is 32 chars)

MASTERPASSWORD=$(echo "$pw" | sha256sum | cut -d' ' -f1 | md5sum | cut -d' ' -f1)
export MASTERPASSWORD
# now finally run secretserviced
cd "$HOME"

/usr/local/bin/secretserviced &

gpg-agent integration?

First of all thanks for creating this project, it's great to finally see someone doing a minimal secret service implementation.

Have you looked into integration with gpg-agent?

  • To create a secretservice gpg-agent socket, something like the ssh agent that comes with gpg-agent ( take a look at gpg-agent-browser.socket, gpg-agent-ssh.socket, etc. ) I'd love to see gpg-agent-secretservice.socket😄
  • Or to simply encrypt/decrypt the master password for the systemd service and store it in the agent.
