Implementation of Secret Service API

Secret Service

What does this project do?

By using secret service, you don't need to use KeePassXC secretservice for storing and retrieving your applications' credentials anymore, or log in every time to Skype, vscode sync, Remmina...

Installation

  • Archlinux: There is an AUR package named secret-service.
  • Debian: TODO deb package
  • RedHat: TODO rpm package

Manual Installation

There is a shell script, scripts/manage.sh, that does the install/uninstall job (run it with ./scripts/manage.sh), but here are the details:

You need to copy the binary (secretserviced; build the project or download it from the releases page) somewhere, usually /usr/bin, but if you don't have the permission, ~/.local/bin is OK too. To build the binary from source code:

git clone https://github.com/yousefvand/secret-service.git
cd secret-service
go build -race -o secretserviced cmd/app/secretserviced/main.go

You need a systemd unit file named secretserviced.service placed in /etc/systemd/user, but if you don't have the permission, ~/.config/systemd/user is OK too. Here is a sample unit file; change WorkingDirectory and ExecStart according to where you put the binary:

[Unit]
Description=Service to keep secrets of applications
Documentation=https://github.com/yousefvand/secret-service

[Install]
WantedBy=default.target

[Service]
Type=simple
RestartSec=30
Restart=always
Environment="MASTERPASSWORD=01234567890123456789012345678912"
WorkingDirectory=/usr/bin/
ExecStart=/usr/bin/secretserviced

CAUTION: MASTERPASSWORD is very important, don't lose it. scripts/manage.sh generates a random 32-character password automatically. If you don't use the scripts/manage.sh shell script, it is up to you to set the password, and it should be EXACTLY 32 characters long.
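
One way to check a hand-written unit file before starting the service (an added example, not part of the project or of scripts/manage.sh): it flags a missing password, the sample value shown above, a length other than 32, and group/other permission bits on the file. The function names and finding keywords are assumptions of this example, and the mode check is meant for a per-user copy under ~/.config/systemd/user owned by your own account.

```shell
#!/bin/sh
# Added example (not from the project): audit a secretserviced.service unit file.

# Sample value printed in the README; it is publicly known and must not be kept.
README_SAMPLE='01234567890123456789012345678912'

# Print the MASTERPASSWORD value from an Environment= line (quoted or not).
# Assumes one assignment per Environment= line, as in the sample unit file.
unit_master_password() {
    sed -n 's/^Environment="\{0,1\}MASTERPASSWORD=\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# audit_unit FILE: print one finding keyword per line; return 0 only if clean.
audit_unit() {
    unit=$1
    rc=0
    [ -r "$unit" ] || { echo "unreadable"; return 2; }

    pw=$(unit_master_password "$unit")
    if [ -z "$pw" ]; then
        echo "no-password"; rc=1          # acceptable only with encryption disabled
    elif [ "$pw" = "$README_SAMPLE" ]; then
        echo "sample-password"; rc=1      # value copied from the README
    elif [ "${#pw}" -ne 32 ]; then
        echo "bad-length:${#pw}"; rc=1    # README: EXACTLY 32 characters
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    # Any bit set there exposes the unit file beyond its owner.
    perms=$(ls -ldL "$unit" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "loose-mode:$perms"; rc=1
    fi
    return "$rc"
}

# Usage: sh audit-unit.sh ~/.config/systemd/user/secretserviced.service
if [ "$#" -gt 0 ]; then
    audit_unit "$1"
fi
```

A clean result only covers the file on disk; the value is still present in the environment of the running process.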

Now start the service:

systemctl enable --now --user secretserviced.service

and you can stop the service by:

systemctl disable --now --user secretserviced.service

to see the status of service:

systemctl status --user secretserviced.service

All secret-service data (database, logs...) is stored under: ~/.secret-service.

By default all secrets are encrypted with the AES-CBC-256 symmetric algorithm using MASTERPASSWORD. If you wish to switch between an encrypted and an unencrypted database, you need to follow these steps:

  1. Stop service: systemctl stop --user secretserviced.service
  2. Change the encryption setting in the config file (located at: ~/.secret-service/secretserviced/config.yaml)
  3. If you are changing to encryption: true, make sure MASTERPASSWORD is set.
  4. Delete database (located at: ~/.secret-service/secretserviced/db.json)
  5. Start service: systemctl start --user secretserviced.service

If the service refuses to start and you see OS exit code 5 in the logs, it means some other application (such as a keyring) has already taken the D-Bus name org.freedesktop.secrets. Stop that application and try again.

Contribution

This project is in its infancy, and as it is my first golang project there are many design and code problems. I do appreciate suggestions and PRs. If you can get any item from the TODO list done, you are welcome. This list will be updated based on new insights and user issues.

In case of sending a PR please make sure:

  1. You are addressing just one issue per PR.
  2. Completely describe the problem and your solution in plain English.
  3. Don't send your PRs to the main branch; create a new branch based on your changes and make sure all tests pass.
  4. If any new test is needed based on your PR, please write the test as well.

TODO

[ ] Improve CI

[ ] What's the best way to secure /etc/systemd/user/secretserviced.service file

[ ] deb, rpm, AppImage packages

[ ] ...

Issues
  • Fix invalid type definition for Collections property

    Fixes:

    [email protected]:~ → secret-tool store --label="mypass" user juergen
    Password: ******
    
    (secret-tool:108034): GLib-GIO-WARNING **: 14:44:32.940: Received property Collections with type as does not match expected type ao in the expected interface
    
    
    opened by juergenhoetzel 4
  • FIXME: Are they the same?

    Greetings,

    after using secret-service for a day now, I've got these messages in my log:

    Jul 11 10:02:15 archlinux secretserviced[887]: time="Sun, 11 Jul 2021 10:02:15 +0200" level=debug 
    msg="FIXME: Are they the same?" <some secrets>
    Jul 11 10:02:15 archlinux secretserviced[887]: time="Sun, 11 Jul 2021 10:02:15 +0200" level=trace
    msg="GetSecrets result: map <some secrets>
    

    And they are the same. Maybe that helps with anything.

    enhancement 
    opened by scrouthtv 2
  • Putting the master password in the environment is not especially secure

    At a minimum, it'd be nice to have some alternative such as reading it from a pipe or socket so I could use gpg -q -d file as the source for the password. Even better would be if I could start the daemon as part of the usual desktop startup with no password available and there would be a way to unlock it by supplying a password later, perhaps via a Unix domain socket.

    The environment for processes is visible in /proc (within limits of Unix permissions). For someone not using systemd it could be very tempting to use env when launching secretserviced which is even worse because it then appears in process listings. For what it is worth, secretserviced works perfectly well on FreeBSD so there is no need for systemd.

    enhancement 
    opened by okapia 1
  • v0.1.0

    Initial version

    opened by yousefvand 0
  • CI Fixed

    • CI fixed
    • updated README
    opened by yousefvand 0
  • Added AUR link

    Archlinux AUR package link added to README

    opened by yousefvand 0
  • AUR automation

    opened by yousefvand 0
  • Remove TODO

    Remove redundant TODO.txt

    opened by yousefvand 0
  • Dev

    opened by yousefvand 0
  • README.md: fixed the checkboxes

    minor fix for the checkboxes in the readme

    opened by scrouthtv 0
Releases(v0.1.0)
Owner
Remisa Yousefvand