Oo7
oo7 is a D-Bus Secret Service provider written in Rust. It implements org.freedesktop.secrets, the freedesktop.org Secret Storage API, and is intended as a lightweight, cross-desktop replacement for gnome-keyring.
oo7 is developed as part of the linux-credentials project and is the native secret service for the COSMIC desktop environment.
Security
Protection against malicious application
Any application that can talk to the session D-Bus bus can read every secret in an unlocked keyring, including the login keyring that pam_oo7.so unlocks automatically at login; nothing in the org.freedesktop.secrets protocol identifies or restricts the caller. Only sandboxed applications (e.g. via Flatpak) have their access restricted, and then only to the extent the sandbox withholds the session bus and routes them through the Secrets portal instead.
See GNOME/Keyring#Protection against malicious application for the same considerations that apply to all org.freedesktop.secrets providers.
Installation
Install the oo7 package. It provides org.freedesktop.secrets and conflicts with gnome-keyring, so only one of the two can be installed at a time.
libsecret should also be installed so that applications can access the keyring through the standard libsecret API.
The package includes the following components:
oo7-daemon: the Secret Service daemon implementing org.freedesktop.secrets
oo7-portal: an XDG Desktop Portal backend for sandboxed applications
oo7-cli: command-line interface to store and retrieve secrets
cargo-credential-oo7: a Cargo credential provider for registry authentication
pam_oo7.so: a PAM module for automatic keyring unlocking at login
Starting the daemon
The daemon is started on demand through D-Bus activation of its systemd user service. To have it start at login instead of waiting for the first client, enable the oo7-daemon.service user unit:
$ systemctl --user enable --now oo7-daemon.service
Verify it is running:
$ systemctl --user status oo7-daemon.service
Manage using GUI
You can manage keyring contents using Seahorse; install the seahorse package. Seahorse uses libsecret and works with any org.freedesktop.secrets provider, including oo7.
Using the keyring
The PAM module pam_oo7.so captures the user's login password during authentication and sends it to oo7-daemon over a Unix socket ($XDG_RUNTIME_DIR/oo7-pam.sock, inside the user's private runtime directory), which unlocks the login keyring automatically. The keyring password therefore has to be the same as the login password for this to work.
PAM step
When using a display manager, edit the appropriate PAM configuration file for your login manager.
For greetd (e.g. cosmic-greeter):
/etc/pam.d/greetd
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_oo7.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_oo7.so
For console-based login (using getty):
/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_oo7.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_oo7.so
The auth optional pam_oo7.so line captures the password once it has been verified, while session optional pam_oo7.so sends it to the daemon over the PAM socket. Order matters: the auth line must come after auth include system-local-login, because PAM only hands the verified password (PAM_AUTHTOK) to modules that run after the one that checked it, and the session line must come after session include system-local-login so that the session (and with it XDG_RUNTIME_DIR, where the socket lives) is set up before the password is sent. Both lines are optional, so a failure in pam_oo7.so never blocks the login itself.
Automatically change keyring password with user password
Append password optional pam_oo7.so to /etc/pam.d/passwd:
/etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
password   optional     pam_oo7.so
Unlocking without PAM (systemd-creds)
If you do not log in through a PAM stack that can carry pam_oo7.so, the daemon can instead unlock the keyring with a credential stored in the user's systemd credential store. This requires systemd v258 or newer.
First, create an encrypted credential:
$ mkdir -p ${XDG_CONFIG_HOME:-~/.config}/credstore.encrypted
$ systemd-ask-password -n | systemd-creds encrypt --user --name=oo7.keyring-encryption-password - ${XDG_CONFIG_HOME:-~/.config}/credstore.encrypted/oo7.keyring-encryption-password
The service file already includes ImportCredential=oo7.keyring-encryption-password, so the daemon loads and decrypts the credential automatically at startup. Be aware of what this trades away: the keyring is then unlocked without anyone typing a password, and the credential is bound to this host's credential key (and TPM2 where one is used), so the keyring's at-rest protection becomes that of the host key rather than of a password that exists only in your head.
Unlocking manually
To unlock the keyring manually from the command line:
$ oo7-cli unlock -s "your_password"
Passing the password as an argument exposes it in your shell history and, briefly, in the process list to other users; prefer the stdin form below on shared machines.
Alternatively, start the daemon with the --login flag:
$ /usr/lib/oo7-daemon --login --replace
The password is then read from stdin, and --replace takes over from an already running instance.
XDG Desktop Portal
oo7 includes an XDG Desktop Portal backend (oo7-portal) for sandboxed applications (e.g. Flatpak) to access secrets. However, the shipped portal file declares UseIn=gnome only, so it must be configured for other desktop environments.
Configuring user-level Secrets Portal
Create a portals.conf override for your desktop environment. For example, for COSMIC ($XDG_CURRENT_DESKTOP=COSMIC):
~/.config/xdg-desktop-portal/cosmic-portals.conf
[preferred]
org.freedesktop.impl.portal.Secret=oo7-portal
For Sway:
~/.config/xdg-desktop-portal/sway-portals.conf
[preferred]
org.freedesktop.impl.portal.Secret=oo7-portal
Then restart the portal:
$ systemctl --user restart xdg-desktop-portal
Modifying oo7-portal.portal
Alternatively, add your desktop environment to the UseIn key in /usr/share/xdg-desktop-portal/portals/oo7-portal.portal. Note that this modifies a package file, so the change will be lost on the next package upgrade; the portals.conf override above survives upgrades and is the better choice.
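The script below, added as an example and not part of oo7 or xdg-desktop-portal, automates the user-level override from the previous section and the check that motivates it: it tells you whether the packaged oo7-portal.portal already lists your desktop in UseIn (in which case no override is needed) and otherwise writes the per-desktop portals.conf for the first entry of XDG_CURRENT_DESKTOP. It relies on xdg-desktop-portal reading $XDG_CONFIG_HOME/xdg-desktop-portal/<desktop>-portals.conf with <desktop> lower-cased, as the cosmic- and sway- file names above show; the case-insensitive comparison of UseIn entries is an assumption of this script, as is the decision to leave an existing file untouched.

```shell
#!/bin/sh
# Added example, not code from the oo7 or xdg-desktop-portal projects.
# Point the Secret portal at oo7-portal for the running desktop by writing the
# per-desktop portals.conf override, and check whether the packaged .portal
# file's UseIn= already lists that desktop (then no override is required).

# Path of the per-desktop override: xdg-desktop-portal reads
# $XDG_CONFIG_HOME/xdg-desktop-portal/<desktop>-portals.conf, where <desktop>
# is an entry of XDG_CURRENT_DESKTOP lower-cased.  The first entry is used.
portal_conf_path() {
    desktop=$(printf '%s' "$1" | cut -d : -f 1 | tr '[:upper:]' '[:lower:]')
    [ -n "$desktop" ] || return 1
    printf '%s/xdg-desktop-portal/%s-portals.conf\n' \
        "${XDG_CONFIG_HOME:-$HOME/.config}" "$desktop"
}

# Return 0 if the semicolon-separated UseIn= list in the .portal file $1
# contains desktop $2.  The comparison here is case-insensitive (assumption:
# xdg-desktop-portal matches these names the same way).
portal_usein_covers() {
    [ -r "$1" ] || return 1
    sed -n 's/^UseIn=//p' "$1" | tr ';' '\n' | tr '[:upper:]' '[:lower:]' \
        | grep -q -F -x -- "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Create the override for desktop $1 (default: $XDG_CURRENT_DESKTOP).
# Returns 0 when written, 2 when the file already exists (it is left alone so
# an existing [preferred] group is not duplicated), 1 on error.
write_secret_portal_conf() {
    conf=$(portal_conf_path "${1:-${XDG_CURRENT_DESKTOP:-}}") || {
        echo "XDG_CURRENT_DESKTOP is not set; pass the desktop name" >&2
        return 1
    }
    if [ -e "$conf" ]; then
        echo "$conf exists; add org.freedesktop.impl.portal.Secret=oo7-portal under [preferred] by hand" >&2
        return 2
    fi
    mkdir -p "$(dirname "$conf")" || return 1
    printf '[preferred]\norg.freedesktop.impl.portal.Secret=oo7-portal\n' > "$conf" || return 1
    echo "wrote $conf; now run: systemctl --user restart xdg-desktop-portal"
}

# Usage (interactive): skip the override when the packaged file already
# covers the current desktop, otherwise write it.
# portal_file=/usr/share/xdg-desktop-portal/portals/oo7-portal.portal
# if portal_usein_covers "$portal_file" "${XDG_CURRENT_DESKTOP%%:*}"; then
#     echo "oo7-portal already enabled for this desktop"
# else
#     write_secret_portal_conf
# fi
```

After writing the file, restart xdg-desktop-portal as shown above; the override only takes effect once the portal re-reads its configuration.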
Tips and tricks
CLI usage
The oo7-cli command provides access to the keyring from the terminal.
Store a secret (read from stdin) under a label, with attribute key=value pairs that are used to look the item up later:
$ echo "my_secret_value" | oo7-cli store "My Label" key1=value1 key2=value2
Retrieve a secret:
$ oo7-cli lookup key1=value1
List all items:
$ oo7-cli list
Git integration
oo7 works with Git's libsecret credential helper, since libsecret uses the org.freedesktop.secrets D-Bus API.
Configure Git to use the libsecret helper:
$ git config --global credential.helper /usr/lib/git-core/git-credential-libsecret
Cargo credential provider
oo7 provides a credential helper for Cargo registry authentication:
$ cargo login --credential-provider oo7
Locking the keyring
$ dbus-send --session --dest=org.freedesktop.secrets \
    --type=method_call \
    /org/freedesktop/secrets \
    org.freedesktop.Secret.Service.Lock \
    array:objpath:/org/freedesktop/secrets/collection/login
This locks the login collection, so applications must unlock it again (prompting for the keyring password) before they can read its secrets.
GnuPG integration
GnuPG passphrase prompts are handled by pinentry, not by the Secret Service. If you use Seahorse and want matching GTK prompts, set the GNOME 3 pinentry; it can also offer to store passphrases in the keyring through libsecret, which works with oo7 as it does with gnome-keyring:
~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-gnome3
Renaming a keyring
Keyring files are stored in ~/.local/share/oo7/. The display name can be changed by editing the display-name value in the keyring file; stop the daemon first so that it does not overwrite your edit, then start it again.
Troubleshooting
Resetting the keyring
Stop the daemon and remove the keyring data:
$ systemctl --user stop oo7-daemon.service
$ rm -rf ~/.local/share/oo7/
This permanently deletes all stored secrets. The keyring will be recreated on the next daemon start.
No Process Capabilities, Insecure Memory Might Get Used
The daemon may log a warning about missing process capabilities. It means the daemon could not lock its memory with mlock(), so pages holding decrypted secrets may be written to swap (and survive there after the daemon exits). To grant the capability it needs:
# setcap cap_ipc_lock=+ep /usr/lib/oo7-daemon
File capabilities are stored on the binary, so they are lost whenever the package is upgraded and must be set again; encrypting swap removes the underlying risk regardless of the capability.
Keyring is not locked when session is locked
Like other Secret Service providers, the keyring is not automatically locked when the desktop session is locked. Decrypted secrets stay in the daemon's memory, where an attacker with physical access could extract them, for example via a DMA attack, and any client on the session bus can keep reading them. If this matters to you, lock the keyring explicitly (see Locking the keyring above), for example from the same hook that locks the screen.