Implementation of Secret Service API

Secret Service
What does this project do?

By using secret service, you don't need to use KeePassXC secretservice for storing and retrieving your applications' credentials anymore, or log in every time to Skype, vscode sync, Remmina...

Installation

  • Archlinux: There is an AUR package named secret-service.
  • Debian: TODO deb package
  • RedHat: TODO rpm package

Manual Installation

There is a scripts/manage.sh shell script that does the job of install/uninstall (run it with ./scripts/manage.sh), but here are the details:

You need to copy the binary (secretserviced; build the project or download it from the releases page) somewhere, usually /usr/bin, but if you don't have the permission, ~/.local/bin is OK too. To build the binary from source code:

git clone https://github.com/yousefvand/secret-service.git
cd secret-service
go build -race -o secretserviced cmd/app/secretserviced/main.go

You need a systemd UNIT file named secretserviced.service to put in /etc/systemd/user, but if you don't have the permission, ~/.config/systemd/user is OK too. Here is a sample UNIT file; change WorkingDirectory and ExecStart according to where you put the binary:

[Unit]
Description=Service to keep secrets of applications
Documentation=https://github.com/yousefvand/secret-service

[Install]
WantedBy=default.target

[Service]
Type=simple
RestartSec=30
Restart=always
Environment="MASTERPASSWORD=01234567890123456789012345678912"
WorkingDirectory=/usr/bin/
ExecStart=/usr/bin/secretserviced

CAUTION: MASTERPASSWORD is very important, don't lose it. scripts/manage.sh generates a random 32 character password automatically. If you don't use the scripts/manage.sh shell script, it is up to you to set the password, and it must be EXACTLY 32 characters long.

Now start the service:

systemctl enable --now --user secretserviced.service

and you can stop the service by:

systemctl disable --now --user secretserviced.service

to see the status of service:

systemctl status --user secretserviced.service

All secret-service data (database, logs...) is stored under ~/.secret-service.

By default all secrets are encrypted with the AES-CBC-256 symmetric algorithm and MASTERPASSWORD. If you wish to switch between an encrypted and an unencrypted database, follow these steps:

  1. Stop service: systemctl stop --user secretserviced.service
  2. Change the encryption setting in the config file (located at: ~/.secret-service/secretserviced/config.yaml)
  3. If you are changing to encryption: true, make sure MASTERPASSWORD is set.
  4. Delete database (located at: ~/.secret-service/secretserviced/db.json)
  5. Start service: systemctl start --user secretserviced.service
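
The README states that secrets are encrypted with AES-CBC-256 under MASTERPASSWORD and that the password must be exactly 32 characters. The Go program below is an added example, not the project's code: it assumes the 32-byte MASTERPASSWORD is used directly as the AES-256 key (the daemon may derive its key differently), generates a random 32-character password of the kind scripts/manage.sh is described to produce, enforces the length rule, and round-trips a constructed sample secret through AES-256-CBC with PKCS#7 padding and a random IV stored in front of the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// MasterPasswordLen is the length the README requires. 32 bytes is exactly an AES-256
// key, which is the assumed reason for the "EXACTLY 32 characters" rule.
const MasterPasswordLen = 32

const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// NewMasterPassword draws a random 32-character alphanumeric password from crypto/rand
// (a constructed stand-in for what scripts/manage.sh is described to generate).
func NewMasterPassword() (string, error) {
	out := make([]byte, MasterPasswordLen)
	alphabetLen := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, alphabetLen)
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[n.Int64()]
	}
	return string(out), nil
}

// CheckMasterPassword enforces the 32-byte rule before the value is used as a key.
func CheckMasterPassword(pw string) error {
	if len(pw) != MasterPasswordLen {
		return fmt.Errorf("MASTERPASSWORD must be exactly %d bytes, got %d", MasterPasswordLen, len(pw))
	}
	return nil
}

// PKCS#7 padding brings data to a whole number of AES blocks and back.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt returns IV || AES-256-CBC(PKCS#7(plaintext)). As with the scheme the README
// describes, this is confidentiality only: there is no authentication tag.
func Encrypt(masterPassword string, plaintext []byte) ([]byte, error) {
	if err := CheckMasterPassword(masterPassword); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher([]byte(masterPassword)) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // fresh random IV, stored in front of the ciphertext
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, padded)
	return append(iv, body...), nil
}

// Decrypt reverses Encrypt; a wrong key normally surfaces as a padding error.
func Decrypt(masterPassword string, data []byte) ([]byte, error) {
	if err := CheckMasterPassword(masterPassword); err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher([]byte(masterPassword))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(plain, data[aes.BlockSize:])
	return pkcs7Unpad(plain)
}
```

Typical use is pw, _ := NewMasterPassword(); ct, _ := Encrypt(pw, secret); pt, err := Decrypt(pw, ct). A 31-character value fails CheckMasterPassword before aes.NewCipher ever sees it, which is the failure the README's "EXACTLY 32 characters" warning is guarding against. Because CBC carries no integrity check, a modified db.json is not detected as tampered, it merely decrypts to garbage or fails padding, so the file's permissions matter as much as the key.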

If the service refuses to start and you see OS exit code 5 in the logs, it means some other application (such as a keyring) has already taken the D-Bus name org.freedesktop.secrets; stop that application and try again.

Contribution

This project is in its infancy, and as it is my first golang project there are many design and code problems. I do appreciate suggestions and PRs. If you can get any item from the TODO list done, you are welcome. This list will be updated based on new insights and user issues.

In case of sending a PR please make sure:

  1. You are addressing just one issue per PR.
  2. Completely describe the problem and your solution in plain English.
  3. Don't send your PRs to the main branch; create a new branch for your changes and make sure all tests pass.
  4. If any new test is needed based on your PR, please write the test as well.

TODO

[ ] Improve CI

[ ] What's the best way to secure the /etc/systemd/user/secretserviced.service file?

[ ] deb, rpm, AppImage packages

[ ] ...

Owner
Remisa Yousefvand
Comments
  • Fix invalid type definition for Collections property
    Fixes:

    juergen@shaun:~ → secret-tool store --label="mypass" user juergen
    Password: ******
    
    (secret-tool:108034): GLib-GIO-WARNING **: 14:44:32.940: Received property Collections with type as does not match expected type ao in the expected interface
    
    
  • FIXME: Are they the same?
    Greetings,

    after using secret-service for a day now, I've got these messages in my log:

    Jul 11 10:02:15 archlinux secretserviced[887]: time="Sun, 11 Jul 2021 10:02:15 +0200" level=debug msg="FIXME: Are they the same?" <some secrets>
    Jul 11 10:02:15 archlinux secretserviced[887]: time="Sun, 11 Jul 2021 10:02:15 +0200" level=trace msg="GetSecrets result: map <some secrets>


    And they are the same. Maybe that helps with anything.

  • Fix return type for some Collections calls/properties.
    Some software, such as go-libsecret, cares about the return type of some Collections calls and expects dbus ObjectPaths and not strings. There could be more occurrences, but this fixes errors of the sort I'm seeing in current go-libsecret like:

    panic: interface conversion: interface {} is []string, not []dbus.ObjectPath
    
    goroutine 1 [running]:
    github.com/gsterjov/go-libsecret.(*Collection).Items(0xc00015e3c0, 0x0, 0x0, 0x2301458, 0xc0011562f0, 0x22efd58)
            /go/pkg/mod/github.com/gsterjov/[email protected]/collection.go:33 +0x30e
    github.com/99designs/keyring.(*secretsKeyring).Keys(0xc0012218c0, 0x0, 0xc00119dea8, 0x4, 0x0, 0x0)
            /go/pkg/mod/github.com/cosmos/[email protected]/libsecret.go:243 +0x150
    github.com/cosmos/cosmos-sdk/crypto/keyring.keystore.List(0x22e8da0, 0xc0012218c0, 0xc00024c860, 0x1, 0x1, 0xc00024c870, 0x1, 0x1, 0x0, 0x0, ...)
            /go/pkg/mod/github.com/cosmos/[email protected]/crypto/keyring/keyring.go:473 +0x4c
    github.com/cosmos/cosmos-sdk/client/keys.runListCmd(0xc00121b900, 0x2fdcde0, 0x0, 0x0, 0x0, 0x0)
            /go/pkg/mod/github.com/cosmos/[email protected]/client/keys/list.go:31 +0x116
    github.com/spf13/cobra.(*Command).execute(0xc00121b900, 0x2fdcde0, 0x0, 0x0, 0xc00121b900, 0x2fdcde0)
            /go/pkg/mod/github.com/spf13/[email protected]/command.go:852 +0x472
    github.com/spf13/cobra.(*Command).ExecuteC(0xc00110aa00, 0x0, 0x0, 0xc000041818)
            /go/pkg/mod/github.com/spf13/[email protected]/command.go:960 +0x375
    github.com/spf13/cobra.(*Command).Execute(...)
            /go/pkg/mod/github.com/spf13/[email protected]/command.go:897
    github.com/spf13/cobra.(*Command).ExecuteContext(...)
            /go/pkg/mod/github.com/spf13/[email protected]/command.go:890
    github.com/cosmos/cosmos-sdk/server/cmd.Execute(0xc00110aa00, 0xc000041818, 0x15, 0x6, 0xc000041818)
            /go/pkg/mod/github.com/cosmos/[email protected]/server/cmd/execute.go:36 +0x285
    
  • Putting the master password in the environment is not especially secure
    At a minimum, it'd be nice to have some alternative such as reading it from a pipe or socket so I could use gpg -q -d file as the source for the password. Even better would be if I could start the daemon as part of the usual desktop startup with no password available and there would be a way to unlock it by supplying a password later, perhaps via a Unix domain socket.

    The environment for processes is visible in /proc (within limits of Unix permissions). For someone not using systemd it could be very tempting to use env when launching secretserviced which is even worse because it then appears in process listings. For what it is worth, secretserviced works perfectly well on FreeBSD so there is no need for systemd.

  • How to setup? How to use? and many more questions...
    Recommended trying this repo by a developer, and understandably he was attempting his best to find a resolution, but did not install it himself.

    So, it built without a hitch, and I was successful at configuring it to run from ~/.local/bin without systemd using dinit, using a 32 character password.

    So... I still have no clue what the user configuration file is for at ~/.secret-service.yaml. It was not created automatically on running the script, and there is no explanation of what is supposed to be located within it or even what its function is for. So, its purpose is quite mysterious.

    Although the script runs, and does appear to use the freedesktop socket of dbus. This seems to be the extent of its function. Since, there is no other information on its functionality.

    When attempting to probe the service using keyring, I received the following error.

    Gkr-Message: 05:33:07.983: response from daemon contained a bad collection path: /org/freedesktop/secrets/aliases/default
    Gkr-Message: 05:33:07.983: call to daemon returned an invalid response: (null).(null)()


    which can't be good.

  • Maybe an enhancement security wise
    First of all, thanks for creating this neat little program.

    As you stated yourself this is absolutely not secure.

    So I created a little neat pinentry script to make it maybe more secure.

    This isn't probably top notch security, but at least better than storing the password in the systemd file.

    My approach is not using systemd it is using the autostart of whatever DE you use. I use sway and put it there as "exec $HOME/scripts/pinentry-secretservice.sh". And it works flawlessly.

    It stores the entered password in $HOME/.secretservicepw hashed with sha512 and checks if it was right (if the file already existed). If it was wrong it will reprompt until you cancel the pinentry.

    Then later it will create an md5 hash from a sha256 hash of the entered password. md5sums are exactly 32 characters long.

    If everything was right, MASTERPASSWORD gets set and then secretserviced will be started.

    #!/bin/bash
    # ask for the password through pinentry (Assuan commands on stdin)
    PINENTRY_OUT=$(echo -e "SETPROMPT Unlock secretservice:\nGETPIN\n" | pinentry-gnome3)
    if [[ "$PINENTRY_OUT" = *"cancel"* ]]; then
      echo "User cancelled"
      exit
    fi
    # extract the password: pinentry returns it on the line starting with "D "
    pw=$(echo "$PINENTRY_OUT" | grep "^D " | cut -d' ' -f2-)
    # check if it matches .secretservicepw in $HOME (variables quoted so spaces survive)
    pw512=$(echo "$pw" | sha512sum | cut -d' ' -f1)
    
    # if the file exists verify the hash matches, else create it and go on (probably first run)
    umask 077   # the hash file is created readable by the owner only
    if [ -f "$HOME/.secretservicepw" ]; then
      if [[ "$pw512" != "$(cat "$HOME/.secretservicepw")" ]]; then
          # wrong password: retry by re-running this script
          exec "$0"
      fi
    else
      echo "$pw512" > "$HOME/.secretservicepw"
    fi
    
    # generate a 32 character string from $pw (md5 of sha256, as described above)
    
    MASTERPASSWORD=$(echo "$pw" | sha256sum | cut -d' ' -f1 | md5sum | cut -d' ' -f1)
    export MASTERPASSWORD
    # now finally run secretserviced
    cd "$HOME" || exit 1
    
    /usr/local/bin/secretserviced &
    