Skip to content

Instantly share code, notes, and snippets.

@dAnjou

dAnjou/_.md

Last active December 18, 2024 11:00
Show Gist options
  • Save dAnjou/b99f55de34b90246f381e71e3c8f9262 to your computer and use it in GitHub Desktop.
Save dAnjou/b99f55de34b90246f381e71e3c8f9262 to your computer and use it in GitHub Desktop.
Download ZIP
Automatically unlock KeePass database with GNOME Keyring
Raw
_.md

(Tested with KeePassXC on Fedora 25)

By default when using GNOME Keyring you have a keyring that is unlocked when you log in (usually called "Login"). You can make use of that by storing a KeePass database password in this keyring and using it to automatically unlock your KeePass database.

Store the KeePass database password in GNOME Keyring. You'll have to set a label and at least one attribute/value pair. The label is displayed in a GNOME keyring manager (e.g. Seahorse), the attribute/value pair should be a unique identifier because it's needed for the lookup. I suggest to use keepass as attribute and the database name as value (make sure it doesn't contain any spaces).

secret-tool store --label="KeePass <database_name>" keepass <database_name>

Then create a script to launch and immediately unlock your KeePass database.

#!/bin/bash

secret-tool lookup keepass <database_name> | keepassxc --pw-stdin /path/to/<database_name>

You can now use this script to launch KeePass with your database already unlocked. I recommend to create a desktop launcher for more convenience.

@OWL4C
Copy link

OWL4C commented Dec 18, 2024

1/ Before this trick A malicious program with user privilege could not access your passwords unless it has the master key of your database, and it had no other way to find it without brute force or key logging

2/ After this trick A malicious program with user privilege can find the value of the database password by reading your startup script and by running the command secret-tool lookup keepass <database_name> and then read all your passwords.

(I am using KWALLET instead of Gnome, but i would hope the security is comparable)
To my understanding as long as the keyring is locked, no change to the security (Ok, maybe technically the keyring can be attacked with the file instead of trying to brute force the database directly but ignoring any vulnerabilities in the keyring file storage (which can also happen to keepass, if we even think about this) it's fine).
If the keyring is unlocked, then yes, any program with terminal access can read those entries. But also any program with terminal access could use a keylogger, screen capture, clipboard interceptor etc. So i would hesitate to say that having your password in your keyring is inherently less secure. If you have any unsandboxed apps on your pc, at least for the time being (with X and other apps with no "security by design") you shouldn't input anything you don't want to get captured (so i wouln't worry about this in particular; use Qubes or some other highly private OS to get security which can't be as easily foiled as normal OSs).

If anyone knows better, i'd be happy to hear your opinions on this matter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment