Implementation of Secret Service API
By using secret service, you don't need to use KeePassXC
secretservice for storing and retrieving you applications credentials anymore, or login every time to Skype
, vscode sync
, Remmina
...
- Archlinux: There is an AUR package named
secret-service
. - Debian: TODO deb package
- RedHat: TODO rpm package
There is a scripts/manage.sh
shellscript that do the job of install/uninstall (run it by ./scripts/manage.sh
) but here are the details:
You need to copy the binaries (secretserviced
and secretservice
, build the project or download it from releases page) some where usually /usr/bin
but if you don't have the permission, ~/.local/bin
is OK too. To build the binaries from source code:
git clone https://github.com/yousefvand/secret-service.git
cd secret-service
go build -race -o secretserviced cmd/app/secretserviced/main.go
go build -race -o secretservice cmd/app/secretservice/main.go
You need a systemd
UNIT file named secretserviced.service
to put in /etc/systemd/user
but if you don't have the permission ~/.config/systemd/user
is OK too. Here is a sample UNIT file, change WorkingDirectory
and ExecStart
according to where you put the binary (secretserviced
):
[Unit]
Description=Service to keep secrets of applications
Documentation=https://github.com/yousefvand/secret-service
[Install]
WantedBy=default.target
[Service]
Type=simple
RestartSec=30
Restart=always
Environment="MASTERPASSWORD=01234567890123456789012345678912"
WorkingDirectory=/usr/bin/
ExecStart=/usr/bin/secretserviced
CAUTION: MASTERPASSWORD
is very important, don't loose it. scripts/manage.sh
would generate a random 32
character password automatically. If you don't use the scripts/manage.sh
shellscript, it is up to you to set the password and it should be EXACTLY 32
characters length.
Now start the service:
sudo systemctl daemon-reload
systemctl enable --now --user secretserviced.service
and you can stop the service by:
systemctl disable --now --user secretserviced.service
to see the status of service:
systemctl status --user secretserviced.service
All secret-service
stuff (database, logs...) are stored under: ~/.secret-service
.
By default all secrets are encrypted with AES-CBC-256
symmetric algorithm with MASTERPASSWORD
. If you wish to switch between encrypted/unencrypted database you need to follow these steps:
- Stop service:
systemctl stop --user secretserviced.service
- Change config
encryption
key (located at:~/.secret-service/secretserviced/config.yaml
) - If you are changing to
encryption: true
make sureMASTERPASSWORD
is set. - Delete database (located at:
~/.secret-service/secretserviced/db.json
) - Start service:
systemctl start --user secretserviced.service
If service refuses to start and you see OS
exit code 5
in logs, it means som other application has taken dbus name org.freedesktop.secrets
before (such as keyrings), stop that application and try again.
This binary is the CLI
interface to communicate with secretserviced
daemon. Supported commands:
secretservice ping
Check if service is up and responsive.
secretservice export db
Export a copy of current db in ~/.secret-service/secretserviced/
. This copy is not encrypted.
secretservice encrypt -p|--password 32character-password -i|--input /path/to/input/file/ -o|--output /path/to/output/file/
Encrypts input file using given password. Password should be exactly 32 character. Example:
secretservice encrypt -p 012345678901234567890123456789ab -i ~/a.json -o ~/b.json
secretservice decrypt -p|--password 32character-password -i|--input /path/to/input/file/ -o|--output /path/to/output/file/
Decrypts input file using given password. Password should be exactly 32 character. Example:
secretservice decrypt -p 012345678901234567890123456789ab -i ~/a.json -o ~/b.json
This project is in its infancy and as it is my first golang project there are many design and code problems. I do appreciate suggestions and PRs. If you can get done any item from TODO
list, you are welcome. This list will be updated based on new insights and user issues.
In case of sending a PR please make sure:
- You are addressing just one issue per PR.
- Completely describe the problem and your solution in plain English.
- Don't send your PRs to
main
branch, create a new branch based on your changes and make sure all tests are passed. - If any new test is needed based on your PR, please write the test as well.
-
Improve CI
-
What's the best way to secure
/etc/systemd/user/secretserviced.service
file -
deb, rpm, AppImage packages
-
...