This project is a culmination of scripts and plugins to help use gnome-keyring as a single password store for various apps.
Note: Most of the plugins provided expect the bin/keyring script included in the repository to be available in your path.
- Dependencies:
- gnome-keyring
- python-secretstorage
This script allows you to perform some basic operations on your keyring:
Usage: keyring [options] <command> [command args]
Commands:
list
list all stored keys
set [--2factor] [--smtp] [<key>]
set a key
when --smtp is supplied set a smtp password (msmtp format)
get/password [-c/--clipboard] [--smtp] [--hash [--salt]] [--pbkdf2] <key>
get the password for the given key
prompt [-p/--paste]
opens a gui prompt to get the password for a key. Requires python-gobject.
delete [--smtp] <key>
delete the entry for the given key
username <domain>
get the username for the given domain
link <src_key> <dest_key> [<dest_key> ...]
link one or more keys together
Note that this is a feature unique to this script and
won't be supported by other programs reading directly
from gnome-keyring.
Options:
-h, --help show this help message and exit
-k KEYRING, --keyring=KEYRING
the keyring to use (default: login)
--smtp when used with the get, set, or delete commands, use
the msmtp format
--hash=HASH run the password through the specified hash before
outputting it
--salt combined with --hash, the key will be used as a salt
--pbkdf2 use pbkdf2 with optional --hash and --salt to hash the
password for output
-t TEMPFILE, --tempfile=TEMPFILE
write get/password/username to a tempfile (deleted 1s
after creation)
-c, --clipboard write get/password/username to a clipboard (cleared
10s after being set). Requires xclip
-p, --paste when used with 'prompt', paste the result password
into the currently focused field. Requires xdotool
--2factor indicates that the key to set uses two factor
authentication. This indicator is currently only used
by the 'prompt' command where a subsiquent dialog will
prompt you to enter your temp code and that value will
be appended to your password. This feature is probably
only useful for a small number of sites.
A qutebrowser userscript is provided which can be used to populate username/password fields on web site login forms by pulling the information from the keyring based on the current domain.
To install this userscript you can either copy or symlink
qutebrowser/userscripts/keyring to your
~/.local/share/qutebrowser/userscripts directory.
You can then update ~/.config/qutebrowser/config.py to add an alias for the
userscript:
c.aliases['keyring'] = 'spawn --userscript keyring'
After you've installed the userscript, the next step is to store your credentials
for a domain in the keyring using the format username@domain where username
can be an email address if necessary:
./bin/keyring set myuser@somesite.com ./bin/keyring set myuser@gmail.com@somesite.com
When deciding what domain to suffix the key with, please be aware that the userscript will start with the full domain name and then strip off subdomains until it finds a username or reaches the base domain, which it assumes is a domain name with one '.' in it (eg: site.com, site.org, etc):
www.site.com: will try www.site.com, then site.com
Once you've added your credentials for a given domain to the keyring, you can
then navigate to the domain's login page and simply run :keyring and the
username/password fields should be populated, allowing you to then manually
submit the form.
An irssi plugin is provided allowing you to authenticate all or individually configured accounts using gnome-keyring.
You can install the plugin by copying or symlinking the irssi/scripts/keyring.pl file to your irssi scripts directory (~/.irssi/scripts) and then adding a corresponding load line to your irssi startup file (~/.irssi/startup):
load keyring.pl
After installing the keyring.pl plugin, you then need to create a login file
in your irssi config directory (~/.irssi/login) with a list of connection
commands, one per line, where the special <password> token is replaced with
the password obtained from the keyring.
Here is an example file to authenticate a freenode account: and a google talk account:
connect irc.freenode.net 6667 <password> mynick
Example authenticating a google talk account using irssi-xmpp:
xmppconnect -host talk.google.com myuser@gmail.com <password>
Example identifying with bitlbee running on localhost (must already be connected):
msg &bitlbee identify <password>
Note that if the actual key used in the keyring for that account differs from
the username specified in the connection string, you can use the
<password:key> syntax to specify the key to use when looking up the
password:
xmppconnect -host talk.google.com myuser@gmail.com <password:myuser@gmail.com@irssi>
Once you've created the login file, you can then use the /keyring [username]
command in irssi to authenticate all or individual accounts:
/keyring /keyring username
Similar to using /names in a channel, supplying the special username
names to /keyring will print a list of available usernames:
This feature can also be used with irssi's /set command if you have a
sensitive setting value. Any lines in your login file in the form of:
set some_var <password>
Will use the variable name (some_var in this example) as the keyring key to
lookup, and will substitute in the retrieved value to be set on that variable in
irssi.
/keyring names
The keyring python module included at bin/keyring can also be used in conjunction with offlineimap.
The first step is to set the pythonfile setting in your ~/.offlineimaprc
file:
pythonfile = /path/to/keyring/bin/keyring
Then for each of your email repository configs in your ~/.offlineimaprc, you
can set the remotepasseval setting to pull the password from the keyring:
remotepasseval = get_password('me@domain.com')
When configured using --with-gnome-keyring, msmtp supports pulling
credentials from gnome-keyring. The only caveat is that msmtp requires that the
credentials be stored in a very specific format in the keyring. To store keys in
the proper format, the bin/keyring script provides a --smtp option to the
set command which will prompt you for the appropriate values:
./bin/keyring set --smtp
A completion script is available to ease use from command line. Copy it in /etc/bash_completion.d or source it to make completion available.
For other programs the keyring script provides a prompt command which will
open a dialog (python-gobject) where you can enter the key to use and the
keyring script will put the resulting password into your clipboard for 10
seconds during which time you can paste it into the password field of whatever
app you are using:
./bin/keyring prompt
If you would like the paste step to be performed for you, you can supply the
--paste argument. Be careful though since this command cannot determine if the
currently focused input is a text field or not, so it would paste into a clear
text field exposing your password to anyone watching over your shoulder.
./bin/keyring prompt --paste
You can create a mapping to this command in your preferred window manager to provide easy access to your keyring.