23

I've always read that a keyring like Gnome-keyring is a safe way to save credentials. I don't understand it. If I open my Gnome-keyring on my Ubuntu Desktop, I can right-click any entry and click show password and it will show the password :O. My point is, if I can do it, anyone who can access my computer can do it. I can't keep my computer attended every second and sometimes I can forget to lock the computer.

I've set the option to unlock the keyring automatically at login. Without that I have to type the keyring password every time the keyring has to be accessed. So it's either type the keyring password or type the asked password. Now if I really have to type, I'd prefer to eliminate the middle man and type the asked password.

So my question is, am I thinking/taking/doing this keyring thing in the wrong way? Or is it the way it is? If it's the way it is, how is it safe?

jrg
  • 61,707

4 Answers

15

There is no special trick here; you are just responsible for keeping your desktop session locked when you are not sitting in front of your computer. Otherwise people walking by could do anything to your computer, even if you are not using a keyring of any kind, including installing a secret password-sniffing program!

Get in the habit of locking your screen whenever you get up for any reason. Do it even when you are sure you are alone so it becomes rote. This is quicker if you configure a keyboard shortcut like Ctrl+Alt+L for it (launch Keyboard --> Shortcuts --> System --> Lock screen). It would be nice if the Power control panel allowed you to lock the screen when a laptop lid is closed, but this does not seem to be an option.

And in case you forget, configure the screen to lock after a few minutes of inactivity (rather than going into a screensaver): Screen > Lock.

Anwar
  • 77,855
9

Keyring is meant to simplify your life by remembering different secrets (passwords), which are stored encrypted using your master password as the encryption key. The encryption is a protection against remote attack (or if your hdd gets stolen or similar), because secrets are not disclosed in such a case. If you disable unlocking the keyring at login, you get only the advantage of typing the same password, instead of many different ones.

eudoxos
  • 939
1

There are some key features which make gnome-keyring a credential software with a certain level of security:

  1. Centralizes and encrypts all stored credentials with a master password to help prevent unauthorized users from gaining access
  2. The master password must be entered in a pop-up screen, which will also get the computer user's attention and make him notice strange behavior that could be caused by malware or something like it; it also makes it more difficult for automated software to do stuff silently.

The caveat here is that, based on the gnome-keyring philosophy, the master password will be asked for once and cached forever. I did a lot of searching and didn't find how to change this behavior natively; I found an alternative, though: clearing the cache every minute.

It will install a cron job which runs every minute and clears the cache:

$ cat <<EOF >> gnome-keyring-lock.sh
#!/bin/sh
export DBUS_SESSION_BUS_ADDRESS='${DBUS_SESSION_BUS_ADDRESS}'
dbus-send --dest=org.gnome.keyring --print-reply /org/freedesktop/secrets org.freedesktop.Secret.Service.LockService
EOF

$ chmod +x gnome-keyring-lock.sh &&
sudo mv gnome-keyring-lock.sh /usr/local/bin/

$ crontab -u ${USER} -e

* * * * * /usr/local/bin/gnome-keyring-lock.sh 2>&1 | logger -t gnome-keyring-lock

$<ESC>:wq

You can check the logs by typing:

$ tail  -f /var/log/syslog | grep gnome-keyring-lock
Jan 28 18:17:01 typer-pc gnome-keyring-lock: method return time=1674940621.720454 sender=:1.50 -> destination=:1.163 serial=204 reply_serial=2

This way the master password will be asked for the next time something tries to recover a credential from gnome-keyring. Keep in mind that security and comfort are not friends: asking for the master password every single time a credential is needed probably won't last, and caching it forever also doesn't sound like a good idea. Despite the fact that a computer connected to the internet will never be 100% secure, yes, gnome-keyring will help to keep the passwords more secure than just saving them to a plain text file anywhere on your hard drive.

deFreitas
  • 258
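
A check that could follow the cron lock described in the answer above, as an added example that is not part of the original answer: it reads the `Locked` property of the keyring collection over D-Bus and treats a failed call as an error rather than as "locked". The collection path, the function names and the sample replies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): verify the keyring lock state.
# Assumed: gnome-keyring's usual "login" collection path; function names are
# illustrative. Under cron, DBUS_SESSION_BUS_ADDRESS must be exported first.
COLLECTION=/org/freedesktop/secrets/collection/login

# Read the collection's Locked property through the Secret Service API.
query_locked() {
    dbus-send --session --print-reply --dest=org.freedesktop.secrets \
        "$COLLECTION" org.freedesktop.DBus.Properties.Get \
        string:org.freedesktop.Secret.Collection string:Locked 2>&1
}

# Classify a dbus-send reply on stdin as locked, unlocked or error.
# Only an explicit boolean counts; a failed call is never read as "locked".
parse_locked() {
    awk '
        /^Error|^Failed/          { state = "error"; exit }
        /variant +boolean true/   { state = "locked" }
        /variant +boolean false/  { state = "unlocked" }
        END { print (state == "" ? "error" : state) }
    '
}

# Exit status for cron or monitoring: 0 locked, 1 unlocked, 2 unknown.
check_state() {
    case "$1" in
        locked)   return 0 ;;
        unlocked) return 1 ;;
        *)        return 2 ;;
    esac
}

# Constructed sample replies in dbus-send --print-reply format.
SAMPLE_LOCKED='method return time=1674940622.10 sender=:1.50 -> destination=:1.164 serial=205 reply_serial=2
   variant       boolean true'
SAMPLE_UNLOCKED='method return time=1674940682.31 sender=:1.50 -> destination=:1.165 serial=206 reply_serial=2
   variant       boolean false'
SAMPLE_NO_BUS='Failed to open connection to "session" message bus: constructed error text'

if [ "${1:-}" = "--live" ]; then
    state=$(query_locked | parse_locked)
    echo "login keyring: $state"
    check_state "$state"
    exit $?
fi
for sample in "$SAMPLE_LOCKED" "$SAMPLE_UNLOCKED" "$SAMPLE_NO_BUS"; do
    printf '%s\n' "$sample" | parse_locked
done
```

Run with `--live` inside the desktop session to query the real keyring; without it the script only classifies the constructed samples.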
-6

The keyring uses weak encryption, yeah, weak. A simple password to unlock all your passwords? That's a joke in terms of security. But it's easy to use, so a lot of people like it.

The common Joe or Alice (family, friends, co-workers) will not be able to decrypt it easily. If you want to protect your passwords against them, well, Keyring is safe.

Now, if someone with a degree in math or encryption, or a hacker, has decided to get your passwords, they will do it after a few days or weeks (or months if they are really unlucky).

And if the IRS gets your computer, well, they can get their hands on the strong servers to get your passwords in a matter of minutes. Same for:

  • FBI
  • CIA
  • NSA
  • Mossad
  • ASIS
  • RAW
  • DGSE
  • FSB
  • BND
  • MSS
  • MI-6
  • ISI

So, is it safe? Well, it depends upon you and your needs.

ish
  • 141,990