Error storing passphrase in keyring (The name org.freedesktop.secrets was not provided by any .service files)

Patrick · September 28, 2024, 4:15am

After booting the ISO → Xfce desktop → double click on “17 GB Encrypted” (from a previous installation) → enter password → save password permanently.

Failed to mount “rootfs”

Error storing passphrase in keyring (The name org.freedesktop.secrets was not provided by any .service files)

Since we’re already installing KeePassXC by default, it might make sense to use KeePassXC as a org.freedesktop.secrets provider. Here is a promising looking (untested by me) guide:

https://c3pb.de/blog/keepassxc-secrets-service.html

KeePassXC might be more leightweight than gnome-keyring.

In KeePassXC, go to Tools > Settings > Secret-Service-Integration and enable Enable KeepassXC Freedesktop.org Secret Service integration.

This might be a bit more hard to do for a Linux distribution.

Maybe could be done similar to how it’s done here:

usability-misc
- /etc/profile.d/50_default_editor.sh
- /usr/share/usability-misc/xdg-override/

Register as the default Secret Service provider (DBus service)

opened 01:27PM - 13 Mar 21 UTC

raffaem

new feature feature: Secret Service

In Tools->Settings->Secret Service, in the General tab, there should be an optio…n to register KeePassXC as systemd default Secret Service provider. On Ubuntu 20.10 this can be achieved by opening `/usr/share/dbus-1/services/org.freedesktop.secrets.service` and changing ``` Exec=/usr/bin/keepassxc/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets ``` into ``` Exec=/usr/bin/keepassxc ``` We can probably have a backup of the file and if the user de-select the option we restore the backup ## REASON When an application ask for the Secret Service API on D-Bus, if there is no provider, systemd will open the defaut provider as specified in that service file. On Ubuntu this will default to `gnome-keyring`. Enabling "KeePassXC freedesktop.org Secret Service integration" does not change this behavior. If KeePassXC is not already opened, at a Secret Service request on D-Bus, `gnome-keyring`, not KeePassXC, will be opened. For a real use case scenario, see [Maestral#352](https://github.com/SamSchott/maestral/issues/352). ## TEMPORARY WORKAROUND Open a terminal and run ```sudo sed -i -E 's/Exec=.*/Exec=\/usr\/bin\/keepassxc/g' /usr/share/dbus-1/services/org.freedesktop.secrets.service```

arraybolt3 · October 1, 2024, 11:39pm

I don’t think KeePassXC can be used by default as the secret service provider in its current state without some significant hacks. It almost could, but it’s missing some features needed to get there.

In order to use KeePassXC as a secret service, you have to create a password database and configure it to be used for secret storage. Therefore in order for there to be a working secret service out of the box, there has to be some way to make a database automatically during installation or at user creation time (since each user account on the system needs its own separate database for obvious reasons).

Creating a database automatically is a problem because only specially configured databases can be used for secret storage. One has to specify that the database is usable for secret storage, and which “group” inside the database should be used for the purpose. This configuration is stored in the database. You can’t easily set it by editing a text file like you could with a usual config file. While keepassxc-cli is able to *create* databases, it is not able to edit these in-database configuration options. The db-edit` command it provides appears to only be usable for changing the database’s password, key file, etc.

Without the ability to set which group to use for secret storage in a database, a database will be set by default to not be used for secret storage at all. Thus you can’t make a new database from scratch that is usable for secret storage.

So now for the hacks. What would potentially be possible is to make a properly configured empty database with some sort of default password or key, then ship that database as part of Kicksecure. To avoid everyone having the same authentication data on their database, we could then have a routine that runs on first boot that generates a new key file, binds it to the database, then clears any default authentication data in the database so that only the user’s key file can unlock it. We can then have a script that runs automatically every time Kicksecure is started that launches KeePassXC with this database and key file pair opened automatically.

The main problem I see with this solution is:

It’s not elegant at all. It’s hacky.
It literally requires shipping an encrypted binary blob as part of Kicksecure. I mean, yes, it’s one that the user could inspect themselves with sufficient effort but yikes.
It could be insecure. I don’t know how KeePassXC’s internals work, but if it uses a “master key” encrypted by a password or key file, this won’t work at all because then everyone will have the same master key for their secret storage database, which is bad from a security standpoint for obvious reasons.

In a perfect world, we’d be able to simply set the database settings from the command line. Then we could create a database automatically, set it as usable for secret storage, specify the root group as the one to use for that purpose, and then set up KeePassXC to auto-launch and auto-unlock the database on boot. The only part that’s really missing for this to work is setting a database as usable for secret storage and setting eht group to be used for that purpose. Perhaps that can be a later contribution to upstream KeePassXC.

In the mean time, an existing “automatic” secret service provider like gnome-keyring will probably do a good enough job.

Patrick · October 3, 2024, 6:37am

Agreed. Best to install gnome-keyring by default as using keepassxc for this purpose is too difficult as a Linux distribution.

Done.

arraybolt3 · October 10, 2024, 4:47am

Feature request for letting KeePassXC act as a default secret service provider:

github.com/keepassxreboot/keepassxc

Make it possible for KeePassXC to be used as the default secret service provider in distributions

opened 04:46AM - 10 Oct 24 UTC

ArrayBolt3

new feature

## Summary KeePassXC currently has functionality that allows it to act as a "se…cret service" for a user session. Applications that need to store small amounts of data securely can call the secret service provider in the current session, regardless of which provider that may be, and then store information in it. Usually this information is passwords or something along those lines. While this is useful, currently it requires explicit configuration by the end user to enable this. If starting from scratch, a user must: * Create a database and assign it a password * Create a dedicated "group" within that database for storage of secrets * Enable KeePassXC's Secret Service feature * Select a database and a group within that database to use for secret storage * Unlock the database any time an application attempts to save or load secrets from secret storage While this is useful as it is, it makes KeePassXC an "aftermarket" secret service provider, as it requires much user configuration to set up. As part of my work with the Kicksecure and Whonix projects, I investigated how practical it would be for a distro to automate most of these steps, and came up with something roughly along these lines: * Ship a configuration file somewhere system-wide that enables KeePassXC's secret service support by default * Every time a new user is created (either at installation time or when a person using the system chooses to create a new user account): * Create a new random key file * Create a password database encrypted with that key file * Inside that database, create a group * In the database itself, configure that group as the group to be used for secret storage * In the database itself, enable using that database for secret storage * Ensure KeePassXC is configured to start automatically when the user logs in, pointing it at the appropriate password database and key file There are three main issues with doing this using KeePassXC's current implementation: * As far as I can tell, keepassxc-cli does not support the advanced database modifications needed to enable secret storage for a dataabase. One can change the contents of the database, and authentication info on the database, and that's about it. Other settings are not exposed. This makes any automated creation of databases for secret storage impossible. * Without explicit support for initializing a "default" secret storage database like this, creating a new secret storage database at user creation time requires installing hooks of some sort into the user creation process. Under Debian and its derivatives this can be done in a rather hacky manner by shipping a `/usr/local/sbin/adduser.local` file (which breaks Debian packaging policy since no package is ever supposed to ship files under `/usr/local`), on other distros I'm not sure if it's possible at all. * Even with the use of a key file, this is insecure. Ideally a user should have to choose a password for the secret database the first time it is used, or KeePassXC should somehow obtain the user password from the login manager and automatically use that as the password. (KWallet does both of these things depending on the situation, and while the implementation isn't ideal in my opinion, it's still decent.) My suggestion is to add an `--agent` or similar argument to KeePassXC's command line interface. This would inform KeePassXC that it is being used as the default secret service for this user account. This would trigger it to enable the secret service feature, automatically create a properly secured secret storage database if necessary, and then stay running so that it can provide secret management features (and also work as a password manager if the user desires). If the user configured a group in some other database as the group to use for secret storage, KeePassXC would respect that feature, but if the user had no secret storage database configured, it would automatically fall back to the default one created on first user login. ## Examples If implemented, distros could make KeePassXC act as the default secret service provider by simply shipping a `.desktop` file under `$XDG_CONFIG_DIRS/autostart/` that would launch KeePassXC with the `--agent` option. KeePassXC would then automatically prompt the user for a master password for secret protection (or obtain the user password from the login manager), create the secret storage database, etc. This would allow KeePassXC to act as a total replacement for existing secret service implementations like KWallet or gnome-keyring. Kicksecure is one distro that is interested in this sort of functionality. ## Context Kicksecure ships KeePassXC by default, but currently is having to use gnome-keyring as the default secret service because we weren't able to make KeePassXC act as the default secret service provider without resorting to very hacky solutions that would be potentially insecure. See https://forums.kicksecure.com/t/error-storing-passphrase-in-keyring-the-name-org-freedesktop-secrets-was-not-provided-by-any-service-files/582/2.