Getting Secrets to work on a WM

A guide on how you can get libsecret and gnome-keyring working on a window manager.


If you use a barebones system without a graphical greeter or a DE like Gnome or KDE, you might run into a situation where a program you want to use requires a secrets daemon. Here's how to set one up. I did it with Void Linux and Sway.

Installing the right packages

You need libsecret, gnome-keyring, and libgnome-keyring. Install them with your respective package manager.

Telling PAM to start the gnome-keyring daemon

This method unlocks the keyring with your login password the moment you log in, so you won't have to enter your password again. To do this, open /etc/pam.d/login as root, add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section. The auth line has to come after the line that actually checks your password (here the system-local-login include), because pam_gnome_keyring.so reuses the password that earlier module received to unlock the keyring.

After these changes, my login file looks like this:

#%PAM-1.0

auth 		required 	pam_securetty.so
auth 		requisite 	pam_nologin.so
auth 		include 	system-local-login
auth		optional 	pam_gnome_keyring.so
account 	include 	system-local-login
session 	include 	system-local-login
session		optional	pam_gnome_keyring.so	auto_start
MY /etc/pam.d/login – yours does not have to be the exact same

Next, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd. After this change, my passwd file looks like this:

password	required	pam_unix.so	sha512 shadow nullok
password	optional 	pam_gnome_keyring.so
MY /etc/pam.d/passwd – yours does not have to be the exact same

And that's it!

Launching your WM

Last few things: you need to run your WM with dbus-run-session, and before launching it you need to execute eval $(gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh | sed 's/^\(.*\)/export \1/g') (the parentheses must be escaped, otherwise the \1 back-reference is invalid in sed's basic regex syntax), so the best option is to use a launcher script. Let's have a look at what mine looks like, keeping in mind I'm using Sway:

#!/bin/dash

# fix blank java apps
export _JAVA_AWT_WM_NONREPARENTING=1

# ask QT to use Wayland
export QT_QPA_PLATFORM=wayland

# ask Firefox to use Wayland
export MOZ_ENABLE_WAYLAND=1
export MOZ_WEBRENDER=1

# set XDG vars for apps that might need it
export XDG_SESSION_TYPE=wayland
export XDG_CURRENT_DESKTOP=sway

# fix some gtk apps launching slow
export GTK_USE_PORTAL=0

# keyring daemon for secrets
eval $(gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh | sed 's/^\(.*\)/export \1/g')

# finally, launch sway
sway
my sway launch script

I still launch it like dbus-run-session <my script>, but you could dbus-run-session from inside this script as well. Also, I don't have anything secrets related in my Sway config.

Common Issues

Don't forget to dbus-run-session, or you'll have the unknown or unsupported transport disabled for address disabled error!

If you get cannot create an item in a locked collection, you need to avoid launching the keyring daemon from other sources. It should only be launched once – and that's automatically done when you log in.
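Putting the launcher section and the two common issues together, here is an added example (not the post's own launch script) of a launcher that refuses to start without a session bus and warns when more than one keyring daemon is already running; the file name start-sway and the pgrep-based count are assumptions of the example.

```shell
#!/bin/dash
# Added example, not the post's own launcher: a Sway launcher that checks
# the two "Common Issues" conditions before starting anything. Save it as
# "start-sway" and run it as: dbus-run-session ./start-sway

# Turn the "NAME=value" lines printed by gnome-keyring-daemon --start into
# "export NAME=value" lines (replaces the sed call; no backslashes to get wrong).
keyring_env_exports() {
    while IFS= read -r line; do
        case "$line" in
            [A-Z_]*=*) printf 'export %s\n' "$line" ;;  # env assignment
            *) ;;                                        # drop chatter
        esac
    done
}

# True when a session bus is reachable; without one the daemon fails with
# the "unknown or unsupported transport ... for address" error.
have_session_bus() {
    [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ]
}

# Number of gnome-keyring-daemon processes already running for this user.
# PAM normally started exactly one at login; -f because the comm name is
# truncated to 15 characters, which would make a plain pgrep -x miss it.
keyring_daemons_running() {
    pgrep -u "$(id -u)" -f gnome-keyring-daemon 2>/dev/null | wc -l | tr -d ' '
}

start_session() {
    if ! have_session_bus; then
        echo "no D-Bus session bus: start me with dbus-run-session" >&2
        exit 1
    fi
    if [ "$(keyring_daemons_running)" -gt 1 ]; then
        echo "warning: several keyring daemons running; expect 'locked collection' errors" >&2
    fi
    export _JAVA_AWT_WM_NONREPARENTING=1 QT_QPA_PLATFORM=wayland
    export MOZ_ENABLE_WAYLAND=1 XDG_SESSION_TYPE=wayland XDG_CURRENT_DESKTOP=sway
    # --start attaches to the daemon PAM already unlocked (or starts one if
    # none exists) and prints its variables; quoted so eval sees whole lines.
    eval "$(gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh | keyring_env_exports)"
    exec sway
}

# Only launch when run under the installed name, so sourcing this file to
# test its functions does not start a session.
case "${0##*/}" in start-sway) start_session ;; esac
```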

Note

You can ask git to use the secrets daemon so that your tokens are no longer stored in plain text in ~/.git-credentials:

git config --global credential.helper libsecret

If that does not seem to work, try –

git config --global gpg.program gpg2

Until next time!