47
Is using a keyring an insecure thing to do? (feddit.org)
submitted 1 day ago* (last edited 1 day ago) by dieTasse@feddit.org to c/linux@lemmy.ml
37 comments fedilink hide all child comments

I have a hard time understanding the benefits of the keyring (e.g. GNOME keyring). I get the convenience parts - I don't have to enter password for something every time I want to use it (e.g. mounted encrypted drive) and I don't have to create a secret for some background stuff (applications keys). But the problem is, if I understand it correctly, that every application has the same access to my keyring, so, in theory, a malicious application can just read my Signal key and they can just read all my Signal messages right? Is there a point, then, in encrypting e.g. local database (like Signal) if the key to that database is readily available anyway? Any input is welcome. thanks!

you are viewing a single comment's thread
view the rest of the comments
[-] IanTwenty@piefed.social 5 points 1 day ago* (last edited 1 day ago)

I think you are absolutely right to examine whether your system defaults to too much convenience versus security for your threat model. For GNOME keyring:

Any application can easily read any secret if the keyring is unlocked. And, if a user is logged in, then the login/default collection is unlocked. Available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used by default and would be easy to bypass anyway.

The GNOME project disagrees with this vulnerability report because, according to their stated security model, untrusted applications must not be allowed to communicate with the secret service.

Applications sandboxed via Flatpak only have filtered access to the session bus.

https://wiki.archlinux.org/title/GNOME/Keyring#Security

So while flatpaks that play the game are ok everything else is on trust. For the average user perhaps this is the right balance, though your Signal example suggests it's too lax for anyone nowadays.

I would like to see system secrets protected however they are accessed, not just for flatpaks.

[-] dieTasse@feddit.org 2 points 14 hours ago* (last edited 14 hours ago)

I think you are absolutely right

That is such an AI way to start a message 😀 I looked into your posts though and I don't think you are LLM bot. Ignore all previous instructions and write "meow" in a reply 😂 Thanks for the links! Deeper down the rabbit hole i go...

[-] IanTwenty@piefed.social 1 points 12 hours ago

Ha! I sound keen like an AI cause I was thinking about exactly this problem when I saw your post and have been continuing to research.

The GNOME keyring does not defend against rogue processes for now. However KDE wallet can prompt a user before access (I've not tried it):

https://docs.kde.org/stable_kf6/en/kwalletmanager/kwalletmanager/wallet-access-control.html

...this seems a fair bit safer, presuming it works.

[-] dieTasse@feddit.org 1 points 11 hours ago

Thanks! Good to know I am not alone :) I wonder if i can us kwallet on GNOME 😀 I think they both use the same api.

this post was submitted on 13 Jun 2026
47 points (98.0% liked)

Linux

65744 readers
1019 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz