GNOME Keyring
GNOME Keyring is a collection of components within the GNOME desktop environment that securely stores secrets such as passwords, encryption keys, and certificates, making them available to applications via standardized interfaces.[1] It functions as a daemon running in the user's session, similar to ssh-agent, to manage these sensitive data without requiring repeated user input for common tasks like network authentication or application logins.[2] The system supports multiple keyrings, each protected by a master password, including a temporary session keyring that is not persisted to disk and is cleared upon logout.[2] Key features include automatic unlocking of the default "login" keyring during user authentication via PAM integration, an SSH agent for handling OpenSSH and X.509 keys, and a PKCS#11 module for certificate and private key storage compliant with the standard.[1] Applications access these services through the libsecret library, which communicates with GNOME Keyring over D-Bus using the Secret Service API, enabling seamless secret management across GNOME and compatible environments.[3] Developed by the GNOME Project since the platform's early releases, GNOME Keyring has evolved to enhance security and usability, with version 2.21.3 introducing advanced certificate and key management capabilities.[1] As of 2025, the project remains actively maintained on GitLab, with the latest stable release being version 48.0, aligning with ongoing GNOME development cycles.[2]Overview
Definition and Purpose
GNOME Keyring is a collection of software components within the GNOME desktop environment that securely store secrets, including passwords, encryption keys, certificates, and usernames along with associated metadata.[1] Its primary purpose is to provide secure, centralized access to these credentials for applications in the GNOME ecosystem, enabling them to retrieve sensitive information without prompting users to re-enter it repeatedly.[1][4] As an integral part of the GNOME desktop environment's security infrastructure, GNOME Keyring facilitates seamless integration for credential management across GNOME applications. It is developed under the GPL-2.0-or-later license and maintained by the GNOME project.[1][5]Basic Operation
The GNOME Keyring operates primarily through its daemon,gnome-keyring-daemon, which runs as a background process within the user's desktop session, analogous to the ssh-agent in handling sensitive credentials securely.[6] This daemon manages the storage and access of secrets such as passwords, keys, and certificates, ensuring they are available to applications without requiring repeated user input during the session.[7]
Upon user login, the daemon starts automatically via the PAM (Pluggable Authentication Modules) integration, specifically through the pam_gnome_keyring module configured in the system's PAM stack.[1] This module invokes the daemon with the --login option, reading the user's login password from standard input to unlock the 'login' keyring immediately, thereby providing seamless access to stored secrets tied to the session without additional prompts.[6] The 'login' keyring serves as the primary unlocked store at startup, while the 'default' keyring handles general-purpose secrets and may require separate unlocking if its password differs from the login credentials, though it is often configured to match for convenience.[1]
Applications interact with the daemon on demand to store or retrieve secrets, primarily through the D-Bus interface defined by the Secret Service API, or via direct calls using the libsecret library, which abstracts the D-Bus communication for developers.[7][3] Secrets are organized into multiple keyrings, with individual items grouped into labeled collections—typically by application or service (e.g., a collection for web credentials or SSH keys)—allowing targeted access and management without exposing unrelated data.[7] This structure ensures that requests from authorized applications, such as browsers or email clients, can promptly access relevant secrets while maintaining isolation between different uses.[1]
History
Origins
The GNOME Keyring was initially released in 2003 as part of the GNOME 2.x series, developed by the GNOME community with primary contributions from Alexander Larsson at Red Hat, Inc., to address the need for secure credential storage in the desktop environment.[8] This effort emerged from discussions and code mentions in late 2003, including version 0.1 integrations in build tools like GARNOME.[9] The tool was designed to provide a centralized daemon for managing secrets, ensuring they were encrypted and accessible only during user sessions. Development origins trace back to the GNOME community's push to replace ad-hoc password handling scattered across applications, drawing inspiration from standards like PKCS#11 for cryptographic key management and token operations.[1] Early motivations centered on establishing a unified secret service for Linux desktops, where applications could securely store and retrieve credentials without exposing them in plain text or relying on insecure methods. First versions emphasized password storage specifically for GNOME applications like Evolution (for email authentication) and Nautilus (for file access), enabling consistent and protected handling of user data.[1] A key driver was the demand for reliable network authentication in evolving desktop setups, with GNOME Keyring integrating with tools like NetworkManager by 2006 to manage Wi-Fi passwords such as WEP keys.[10] This early focus on interoperability laid the groundwork for broader adoption, prioritizing security through session-bound access while minimizing user friction in credential management.Major Releases and Developments
GNOME Keyring's graphical interface evolved significantly with the release of GNOME 2.22 in 2008, when the original GNOME Keyring Manager was fully deprecated and replaced by Seahorse, a more comprehensive tool for managing PGP keys, SSH keys, and passwords stored in the keyring.[11] This change improved usability by integrating key management directly with the Secret Service API precursors, allowing seamless handling of certificates and secrets within the GNOME desktop. In 2009, GNOME Keyring was integrated into the OpenSolaris desktop environment as part of its standard GNOME components, enabling secure credential storage for users on this Solaris-based operating system. This milestone expanded its reach beyond Linux distributions, aligning with broader adoption in Unix-like systems for password and key management. Around GNOME 3.x releases starting in 2011, the project deprecated the libgnome-keyring library in favor of libsecret, a more modern client library that leverages the D-Bus-based Secret Service API for standardized secret storage.[12] This shift, formalized in 2014, promoted cross-desktop compatibility by allowing applications to interact with GNOME Keyring or alternatives like KDE Wallet via the same API specification developed jointly by GNOME and KDE developers.[13] Libsecret also introduced Vala language bindings, facilitating easier development of GNOME applications in Vala while maintaining backward compatibility for C-based code.[14] Later developments enhanced integration and functionality, including the addition of SSH agent emulation in versions around 3.27 (2013), which allowed GNOME Keyring to handle SSH keys similarly to ssh-agent, supporting features like ECDSA key types. With the transition to the GNOME 40 series in 2021, improvements in D-Bus integration refined prompt handling and session management, reducing race conditions in secret retrieval and enhancing reliability across Wayland and X11 sessions. The latest stable version, 48.0, released in March 2025, focused on security enhancements such as better secure memory allocation and memory leak fixes, alongside improved compatibility with modern GLib versions (2.80+) and a build system migration to Meson for easier maintenance.[15] These updates also included refinements to the secret-portal backend for better application key labeling and schema enforcement, ensuring robust cross-application secret sharing.[16]Architecture
Core Components
The core architecture of GNOME Keyring revolves around several primary software elements that facilitate secure secret storage and retrieval. The gnome-keyring-daemon serves as the central runtime manager, operating as a per-user session service that stores passwords, keys, and certificates while implementing the D-Bus Secret Service API, GnuPG agent, and SSH agent functionalities.[17] This daemon automatically loads user keys and prompts for authentication when required, ensuring seamless integration across desktop sessions.[17] Complementing the daemon, the libsecret library acts as the primary interface for applications, enabling them to store and retrieve secrets through a GObject-based API that communicates with the Secret Service via D-Bus.[3] It enforces compliance with the freedesktop.org Secret Service specification, allowing applications to interact with any compatible backend, including the gnome-keyring-daemon.[3] For system-level integration, the gnome-keyring-pam module provides Pluggable Authentication Module (PAM) support, automatically unlocking the default login keyring using the user's system password during authentication, session opening, and password changes.[18] This module operates across PAM's authentication, session management, and password management stacks without prompting users for additional input unless necessary.[18] Supporting these main components are specialized libraries that enhance functionality in specific domains. The GCR (GNOME Crypto) library handles user interface elements for cryptographic operations, including certificate display and parsing, while providing access to key stores for the GNOME desktop environment.[19] The GP11 library offers GObject-based bindings for the PKCS#11 standard, enabling secure handling of cryptographic tokens and modules within the keyring ecosystem.[20] Additionally, the plex-layer component aggregates multiple PKCS#11 modules into a unified interface, simplifying interactions for applications requiring hardware or software token support.[20] Component interactions are mediated through well-defined protocols to maintain security and efficiency. The gnome-keyring-daemon manages input/output operations using an internal private binary protocol for low-level communications, while higher-level application calls are marshaled via the RPC-layer over Unix domain sockets, particularly for PKCS#11 operations that bridge user-space applications and the daemon.[20] Libsecret applications connect to the daemon exclusively through the D-Bus Secret Service API, abstracting backend details and ensuring isolation.[3] The PAM module interacts during login by passing authentication tokens to the daemon, triggering unlocks without direct exposure of credentials.[18] Notably, earlier components such as the libgnome-keyring library have been deprecated in favor of libsecret, which offers improved adherence to the Secret Service standard and broader interoperability.[3] This shift, introduced to modernize API access, ensures that legacy code paths are gradually phased out while maintaining backward compatibility where possible.[3]Storage Mechanisms
GNOME Keyring stores encrypted keyring files in the user's home directory under~/.local/share/keyrings/, following the XDG Base Directory Specification for data files; this represents the modern, standards-compliant path, which evolved from the older location ~/.gnome2/keyrings/ used in earlier versions of GNOME.[4][21]
These keyring files employ a proprietary binary format that organizes data into collections of items, enabling the storage of multiple independent keyrings that can be locked and unlocked separately without affecting one another.[22][23]
Within this structure, secrets are persisted as individual items, each comprising a label for identification, a set of attributes (such as application name or username for contextual metadata), the binary secret data itself, and associated timestamps for creation and modification.[23]
By default, the encryption key for these keyrings is derived from the user's login password, facilitating automatic unlocking upon session authentication via PAM integration.[4]
While tools like Seahorse or secret-tool support exporting and importing keyring contents, the binary and encrypted nature of the files prevents direct editing without proper decryption through the daemon.[4]
Features
Secret Management
GNOME Keyring enables secure handling of passwords and other secrets through the libsecret library, which provides a unified interface to the Secret Service D-Bus API implemented by the keyring daemon.[24] This allows applications to manage sensitive data without exposing it in plaintext, supporting the storage of credentials for various services within the GNOME desktop environment. The daemon operates as a background process, automatically starting with the user session to facilitate access to stored secrets.[5] Applications such as the web browser GNOME Web (also known as Epiphany), the email client Geary, and network tools like NetworkManager rely on GNOME Keyring for password storage and retrieval.[25][26][27] For instance, GNOME Web uses it to save login credentials for websites, Geary stores email account passwords to avoid repeated entry, and NetworkManager secures Wi-Fi and VPN connection details. These integrations ensure that users can authenticate to services without manually re-entering sensitive information each time. Core operations include storing a new secret with associated attributes, retrieving a secret by matching those attributes, deleting specific secrets, and searching across collections for items based on criteria like application name or service type.[24] Storage can be temporary, using the in-memory session collection that discards data at the end of the user session for short-term needs, or permanent, leveraging persistent collections unlocked by a master password for long-term retention.[24] Secrets are grouped into collections, often organized by service or application to maintain separation and ease management—for example, a dedicated collection for browser passwords distinct from email credentials.[24] Each secret item carries metadata, including the creation timestamp, last modification date, and a usage count tracking how often it has been accessed, which aids in auditing and maintenance without revealing the secret itself.[24] When an application encounters an unstored password, GNOME Keyring can automatically display a GTK+-based prompt to solicit the credential from the user and store it securely upon confirmation.[24] This process integrates with D-Bus for inter-application communication, allowing multiple programs to query and update the keyring daemon efficiently while enforcing access controls.[24]PKCS#11 Support
GNOME Keyring provides PKCS#11 support (deprecated since 2018 but still available as of version 48.0 in 2025) through a dedicated module that enables applications to store and retrieve X.509 certificates and private keys in a standardized manner, adhering to the Cryptographic Token Interface specification.[1] This implementation allows GNOME Keyring to function as a software-based cryptographic token, facilitating secure handling of digital certificates and associated keys without requiring physical hardware.[22] The PKCS#11 module includes several specialized stores tailored for different use cases. The user-store module offers writable storage for user-managed X.509 certificates and private keys, persisting them in PKCS#8 format within the~/.local/share/keyrings directory alongside private metadata for access control.[4] Complementing this, the roots-store module provides read-only access to trusted root certificate authority (CA) certificates, loading them from system directories such as /etc/ssl/certs in a format compatible with OpenSSL.[22] Additionally, the ssh-store module supports loading OpenSSH private keys from the ~/.ssh/ directory, including files like id_rsa and their corresponding public keys from .pub files, enabling integration with SSH workflows.[22]
Operations within the PKCS#11 module are facilitated by the GP11 library, which offers GObject-based bindings for the PKCS#11 API, depending on GLib and supporting asynchronous calls in the GIO style for multi-threaded environments.[22] This allows for non-blocking execution of key generation, signing, and encryption tasks, where private keys can be generated asynchronously and used for operations like digital signatures or data encryption.[22] The module emulates hardware tokens by presenting multiple slots through a plex-layer that combines various PKCS#11 providers, ensuring compatibility with applications expecting token-based cryptography.[22]
A key benefit of this support is the enablement of SSH agent functionality for PKCS#11-stored keys, permitting seamless authentication in tools like ssh without the need for separate agents, as the gnome-keyring-daemon handles key loading and signing via the ssh-agent component.[22]
Security
Encryption Methods
GNOME Keyring protects stored secrets using symmetric encryption, primarily AES-128 implemented through the libgcrypt cryptographic library.[28] This approach ensures that passwords, keys, and certificates are safeguarded against unauthorized disk access by encrypting them with a derived master key.[29] The encryption process utilizes functions such asgcry_cipher_open to initialize the AES cipher in a secure mode, typically CBC, for encrypting individual secrets within keyring files.[29]
The master key for encryption is derived from the user's login password or a dedicated keyring password using iterative SHA-256 hashing (approximately 1000–2000 iterations) for key stretching to mitigate brute-force attacks.[28] Although effective, this custom method is less robust than standardized functions like PBKDF2; a new keyring format with enhanced derivation is under consideration for future releases.[28] This derivation incorporates a randomly generated salt to produce a unique key for each encryption operation. GNOME Keyring supports multiple independent keyrings, each maintaining its own master key derived separately, allowing users to segregate secrets with distinct passwords for enhanced security granularity.[1]
To further bolster protection, each keyring file includes a unique salt applied during key derivation, preventing the reuse of precomputed attacks like dictionary or rainbow table exploits.[29] The binary format of these files incorporates obfuscation techniques, such as non-standard structuring and lack of plaintext metadata, to deter casual inspection or reverse engineering without the proper decryption key.[28]
For users requiring more sophisticated cryptographic handling, GNOME Keyring integrates GnuPG-compatible backends, including a built-in GPG agent emulation that caches passphrases for PGP keys and supports advanced encryption workflows. However, when secrets are accessed or transmitted internally via the D-Bus inter-process communication system, no additional end-to-end encryption is applied, relying instead on the session's inherent bus-level security mechanisms.[4]
Access Control and Vulnerabilities
GNOME Keyring implements access control primarily through per-session unlocking, where the default keyring is automatically unlocked upon user login using the login password via the PAM module pam_gnome_keyring.[4] Applications access stored secrets through the D-Bus interface via the Secret Service API (org.freedesktop.secrets), authenticating based on the D-Bus sender ID to ensure they originate from the user's session.[4] By default, there are no granular per-application permissions, allowing any process on the session bus to retrieve unlocked secrets without further authentication.[30] A key vulnerability arises from this design: once unlocked, secrets are accessible unconditionally to any local application connected to the session bus, potentially exposing them if the session is compromised by malware or another local process.[30] Historical issues include CVE-2018-19358, which allowed retrieval of login credentials via the Secret Service API and D-Bus if the keyring was unlocked, affecting versions up to 3.28.2; this was addressed in subsequent releases.[30] Another concern is the storage of decrypted secrets in memory while the keyring remains unlocked, even during screen locks, which has been criticized for increasing risks from memory dumps or DMA attacks.[4] Mitigations include the option to set a separate master password or PIN-like protection for individual keyrings using tools like Seahorse, requiring explicit unlocking for sensitive collections beyond the default session keyring.[1] For elevated operations, GNOME Keyring integrates with Polkit to handle privilege escalations, such as administrative access to certain storage mechanisms.[31] Regular security updates have addressed vulnerabilities, with versions 40 and later incorporating fixes for related issues like improper D-Bus handling; as of 2025, version 48.0 provides ongoing stability enhancements for the daemon.[15]Usage and Integration
In the GNOME Environment
In the GNOME desktop environment, GNOME Keyring is installed and enabled by default as part of the core GNOME package group, automatically starting its daemon via a systemd user service upon user login to provide seamless secret storage for applications.[4] This configuration integrates with the user's login process through the PAM modulepam_gnome_keyring.so, which unlocks the default "Login" keyring using the login password, ensuring that stored secrets are accessible without additional prompts during the session.[4] Updates to GNOME Keyring components are handled through the standard package management system, including via GNOME Software, which pulls in revisions from the distribution's repositories as part of broader GNOME ecosystem updates.[4]
End-users interact with GNOME Keyring primarily through the Seahorse application, a graphical interface for viewing, editing, and managing stored passwords, keys, and certificates within keyrings.[4] To access Seahorse, users can search for "Passwords and Keys" in the GNOME overview or install it via their distribution's package manager.[4] Once unlocked at login, the keyring automatically provides credentials to integrated applications, such as NetworkManager for Wi-Fi network passwords and various GNOME apps for login details, eliminating the need for repeated user intervention during the session.[4] For example, when connecting to a saved Wi-Fi network, NetworkManager retrieves the passphrase from the keyring without prompting, provided the keyring remains unlocked.[32]
Common troubleshooting issues include a forgotten master password for the default keyring, which cannot be recovered due to encryption; in such cases, users must delete the keyring file at ~/.local/share/keyrings/[login](/page/Login).keyring (and related files), resulting in permanent loss of all stored secrets, followed by a relogin to recreate an empty keyring.[4] Another frequent problem arises if the login password changes without updating the keyring password, causing unlock failures; this can be resolved by using Seahorse to change the keyring password to match the login one.[4] Enabling or disabling GNOME Keyring components, such as the SSH agent, can be managed by masking relevant systemd user services (e.g., systemctl --user mask gcr-ssh-agent.service) or editing autostart files in ~/.config/autostart/ to hide specific daemons like gnome-keyring-ssh.desktop.[4] While no dedicated GSettings schema directly toggles the core keyring daemon, components like the SSH agent can be managed via systemd user services.[4]
GNOME Keyring provides an XDG Desktop Portal backend (xdg-desktop-portal-gnome-keyring) that enables Flatpak applications to securely access stored secrets while maintaining sandbox isolation.[4] This allows Flatpak apps to request and use stored credentials, such as for authentication in sandboxed browsers or productivity tools, while adhering to Flatpak's permission model configured via tools like Flatseal.[4]
APIs and Tools
The primary programmatic interface for interacting with GNOME Keyring is provided by the libsecret library, which offers C bindings and Vala (VAPI) bindings for applications to store and retrieve secrets via the Secret Service API. Key functions in libsecret's simple password API includesecret_password_store(), which asynchronously stores a password associated with a schema, optional collection alias, label, and attribute key-value pairs, and secret_password_lookup(), which asynchronously retrieves a password matching specified attributes and schema.[33] These operations support asynchronous completion using GAsyncReadyCallback to enable non-blocking integration in applications, avoiding UI freezes during secret access.[33]
Libsecret communicates with GNOME Keyring over D-Bus using the Freedesktop Secret Service specification, which defines methods for managing collections, items, and secrets as D-Bus objects.[7] The older gnome-keyring API, part of libgnome-keyring, was deprecated in favor of libsecret starting with GNOME 3.8, with legacy functions now redirecting to libsecret equivalents to maintain compatibility during migration.[34]
For command-line interaction, the secret-tool utility allows storing and retrieving secrets without writing custom code. For example, to store a WiFi password:
This prompts for the password and associates it with the specified attributes for later lookup viasecret-tool store --label="WiFi" service "network" user "home"secret-tool store --label="WiFi" service "network" user "home"
secret-tool lookup service "network" user "home".[35]
Additional tools include Seahorse, a graphical application for managing keys, certificates, and passwords in GNOME Keyring through an intuitive interface supporting tasks like key synchronization and passphrase caching.[36] Scripting integration is facilitated by gdbus, which enables direct calls to the D-Bus Secret Service methods for automated secret operations in shell scripts or other tools.[34]