How are Keyring Items secured / encrypted in default collection vs other collections?

Wanted to clarify my understanding on a few Keyring concepts:

  • I believe items stored in the default (login) collection of GNOME Keyring are encrypted with the user’s login password. Is this correct?
  • I believe items in the default collection are decrypted when the user unlocks the collection by logging into the system. Is this correct?
  • How are items stored in other collections encrypted? I believe a password is needed to create a new collection and are all items encrypted with this custom password? Is the user’s login password playing any role in these non-default collections? How / when does the unlocking / locking of these collections happen?

Hi,

Yes that is correct.

Sure, since they are locked with the user password then of course it happens on login. That’s handled by pam-gnome-keyring.

Yeah, you give it a password and it is used to encrypt the items in this particular keyring. So no, the user’s login password doesn’t play any role here (though the keyring is stored in the user’s home so you’d need to login beforehand to get access to the keyring file of course).

These non-default collections won’t get used by apps as they will look for the “default” collection instead. As the libsecret “Simple” API only uses the default collection (which is what most apps need anyway), you’d need to use the Complete (aka complex) API with secret_service_unlock to manually unlock a specific collection.


Thanks, that helps! I am actually not using libsecret but rather the Secret Service library for Java, and it seems the Java library does support non-default collections; however, it seemed the lock method wasn’t doing anything and the collection seemed to always be unlocked. Not sure if that is expected, so I opened a GitHub issue against them.

Thanks again!
