I’m a heavy user of password managers and the D-Bus Secret Service API.
The Linux kernel has a native equivalent, called the Kernel Key Retention Service, with its own syscalls and a userspace command-line tool called keyctl.
Here is how to use the Kernel Key Retention Service as a password manager. Warning: most keyrings are not persistent.
Main types of keyring in keyctl
- User Keyring (@u): This keyring is created for every new process. It is the default keyring where keys are placed.
- Session Keyring (@s): This keyring is created when a new session is initiated. It is used to store keys that are valid for the duration of the session.
- Thread Keyring (@t): This keyring is associated with a specific thread. It is used to store keys that are valid for the duration of the thread.
- Process Keyring (@p): This keyring is associated with a specific process. It is used to store keys that are valid for the duration of the process.
See https://man7.org/linux/man-pages/man1/keyctl.1.html
Main types of keys in keyctl
- “user”: A general-purpose key type that supports any data. Go-to choice.
- “logon”: A key type that is used for authentication purposes.
- “encrypted”: A key type that is used for holding an encryption key.
- “trusted”: A key type that is used for holding a key that can be used by the kernel but cannot be read back.
- “asymmetric”: A key type that is used for holding a public/private key pair.
See https://man7.org/linux/man-pages/man1/keyctl.1.html
Hands on
Add a secret "supersecret" called "foobar" in the session keyring; the command prints the key id (here 968001699).
$ keyctl add user <key_name> <secret> @s
$ keyctl add user foobar supersecret @s
968001699
Read the secret
$ keyctl pipe 968001699
List keys in the session keyring
$ keyctl list @s
Cool features
Set a timeout on a secret, in seconds (keyctl timeout needs both the key id and the number of seconds; 60 below is an example value)
$ keyctl timeout <keyid> <seconds>
$ keyctl timeout 312674399 60
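The hands-on steps above (add, look up, read, expire) put together as one small script. This is an added example, not code from the original post: it assumes keyutils is installed (keyctl in PATH) and uses the "user" key type and the session keyring. One difference from the commands above: it stores the secret with keyctl padd, which reads the payload from stdin, so the secret never appears in the process list or the shell history the way a keyctl add argument does. The find_key_id function parses the output of keyctl list and is the part that can be exercised without a kernel keyring at hand; the sample listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes keyutils (keyctl)
# is installed; key type "user", session keyring "@s".

# Parse the output of `keyctl list <keyring>` (read from stdin) and print
# the id of the "user" key whose description matches $1 exactly.
# Listing lines look like: " 968001699: --alswrv  1000  1000 user: foobar"
find_key_id() {
    awk -v want="$1" '
        $5 == "user:" && $6 == want { sub(/:$/, "", $1); print $1; exit }
    '
}

# Store a secret read from stdin, so it is not visible in `ps` or history.
# usage: printf '%s' "$secret" | store_secret <name>
store_secret() {
    keyctl padd user "$1" @s
}

# Print the raw payload of key id $1.
read_secret() {
    keyctl pipe "$1"
}

# Make key id $1 expire after $2 seconds.
expire_secret() {
    keyctl timeout "$1" "$2"
}

# Walk through the steps on a real keyring; returns 1 if the keyring
# syscalls are unavailable (some container seccomp profiles block them).
demo() {
    id=$(printf '%s' 'supersecret' | store_secret foobar) || return 1
    echo "stored as key id $id"
    found=$(keyctl list @s | find_key_id foobar)
    [ "$found" = "$id" ] && echo "keyctl list lookup matches"
    printf 'payload: '; read_secret "$id"; echo
    expire_secret "$id" 60 && echo "key expires in 60 seconds"
    keyctl unlink "$id" @s        # clean up so the demo can be re-run
}

if command -v keyctl >/dev/null 2>&1; then
    demo || echo "demo skipped: keyctl present but keyring calls failed" >&2
fi
```

Feeding a constructed listing such as " 968001699: --alswrv  1000  1000 user: foobar" into find_key_id prints 968001699; keyctl search @s user foobar does the same lookup in the kernel, but the parser is handy when a script already has a listing to work from.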