The new D-Bus Secret Service provider, a replacement for gnome-keyring-daemon.
The session keyring is generally encrypted with the user's password. In order to
unlock it the daemon has to be started with the --login flag.
Alternatively, the daemon will try to load a credential named oo7.keyring-encryption-password and use it to unlock the session keyring.
At the moment, this requires systemd v258 or newer to load the credential from the user's credstore when starting the service. In such a case the credential can be stored as an encrypted blob in the user's credstore via:

mkdir -p ${XDG_CONFIG_HOME:-~/.config}/credstore.encrypted
systemd-ask-password -n | systemd-creds encrypt --user --name=oo7.keyring-encryption-password - ${XDG_CONFIG_HOME:-~/.config}/credstore.encrypted/oo7.keyring-encryption-password

WARNING: Any user capable of reading this file and with access to the TPM
(e.g. the root user) can decrypt this blob. This can be mitigated if using an
encrypted home with systemd-homed.
See the manual page systemd.exec(5) for more details.
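
The warning above turns on who can read the blob, so checking the credstore's ownership and mode after creating it is worthwhile. The following is an added example, not part of oo7: the function name audit_credstore is hypothetical, and it assumes GNU coreutils stat and a shell that supports local (bash, dash).

```shell
# Added example: audit ownership and permissions of the encrypted credstore.
# Assumes GNU stat (-c); audit_credstore is a hypothetical helper name.

CRED_NAME="oo7.keyring-encryption-password"

# Prints one finding per problem.
# Returns 0 if clean, 1 if there are findings, 2 if the blob is missing.
audit_credstore() {
    local dir="$1" blob="$1/$CRED_NAME" rc=0 path mode owner
    if [ ! -d "$dir" ] || [ ! -f "$blob" ]; then
        echo "missing: $blob"
        return 2
    fi
    for path in "$dir" "$blob"; do
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%u' "$path")
        # A symlink could point the daemon at a file outside the credstore.
        if [ -L "$path" ]; then
            echo "symlink: $path"
            rc=1
        fi
        if [ "$owner" != "$(id -u)" ]; then
            echo "owner: $path is owned by uid $owner"
            rc=1
        fi
        # Any group/other bit lets another local account reach the blob.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "mode: $path is $mode, remove group/other access"
            rc=1
        fi
    done
    return $rc
}

# Usage:
#   audit_credstore "${XDG_CONFIG_HOME:-$HOME/.config}/credstore.encrypted"
```

A clean result only covers other unprivileged accounts; as the warning says, root can still read the file, which is where an encrypted home with systemd-homed comes in.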
When running oo7-daemon as a systemd user service, logs can be viewed using journalctl:

journalctl -b -u oo7-daemon --user

The daemon supports verbose logging via the --verbose flag, which enables debug-level logs:

# Edit the service file to add --verbose
systemctl --user edit oo7-daemon.service

PAM module logs are also available in the system journal and can be filtered:

# View all logs from the current session (includes PAM module)
journalctl -b --user
# Search for PAM-related entries
journalctl -b --user | grep pam_oo7

The project is released under the MIT license.