| 1 | +# Keyring |
| 2 | + |
| 3 | +The keyring package supports macOS, Linux and Windows applications |
| 4 | +store, delete and retrieve secrets in a secure way. |
| 5 | + |
| 6 | +The goals are: |
| 7 | + |
| 8 | +- Implement the `store.Store` interface to be tightly coupled with the secrets engine |
| 9 | +- Support multiple platforms namely: Linux, macOS, Windows |
| 10 | +- Should be a standalone library |
| 11 | +- Support credentials of any data structure |
| 12 | + |
| 13 | +The `keyring` package is the successor of the [docker-credential-helpers](https://github.com/docker/docker-credential-helpers/). |
| 14 | + |
| 15 | +It solves a lot of the drawbacks of its predecessor, such as: |
| 16 | + |
| 17 | +- Generic credentials |
| 18 | +- Broader use cases (not just a registry credential store) |
| 19 | +- Native Go library |
| 20 | +- Bundles with your application binary |
| 21 | +- More secure |
| 22 | + |
| 23 | +## Linux |
| 24 | + |
| 25 | +Users running Linux with a Desktop Environment usually have access to the |
| 26 | +[`org.freedesktop.secrets`](https://specifications.freedesktop.org/secret-service-spec/latest/index.html) API |
| 27 | +via `gnome-keyring` or `kdewallet`. |
| 28 | + |
| 29 | +Usually the `pam_gnome_keyring.so` and `pam_kwallet5.so` would hook into PAM |
| 30 | +and automatically unlock the 'login' keyring once the user does a login to their system. |
| 31 | +If the 'login' keyring does not exist, it will be created using the user's login password. |
| 32 | +If the 'login' keyring is the first keyring created, it will be set as the default. |
| 33 | +For more information regarding `gnome-keyring` and PAM, please refer to the |
| 34 | +[GnomeKeyring documentation](https://wiki.gnome.org/Projects/GnomeKeyring/Pam) |
| 35 | + |
| 36 | +In the `keyring_linux.go` file, we attempt to use the `login` keyring or in terms |
| 37 | +of dbus terminology the `login collection`. If no such keyring can be found, |
| 38 | +it defaults finding the default keyring. |
| 39 | + |
| 40 | +To communicate with the `org.freedesktop.secrets` API, we are using `dbus`. |
| 41 | +It is a convenient way of communicating without needing any direct C library integration. |
| 42 | + |
| 43 | +At this point in time we have decided to integrate with [keybase/go-keychain](https://github.com/keybase/go-keychain) |
| 44 | +instead of implementing all of the `dbus` calls ourselves. |
| 45 | + |
| 46 | +The `keybase/go-keychain` library provides: |
| 47 | + |
| 48 | +- Secure cryptographic communication over the `dbus` connection |
| 49 | +- Easy to use API |
| 50 | + |
| 51 | +Some of the drawbacks are: |
| 52 | + |
| 53 | +- Relies on a forked archived [keybase/dbus](https://github.com/keybase/dbus) library |
| 54 | +- Low contribution activity |
| 55 | + |
| 56 | +In future we might update the [keybase/dbus](https://github.com/keybase/dbus) with |
| 57 | +a more up to date and maintained version, such as [godbus/dbus](https://github.com/godbus/dbus). |
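Review bot: The fallback described in the `keyring_linux.go` paragraph ("If no such keyring can be found, it defaults finding the default keyring") should say what happens when the chosen collection is locked or when no `org.freedesktop.secrets` provider is on the session bus (headless servers, containers, CI), because the PAM unlock described above it only covers interactive desktop logins; document whether the library prompts for an unlock, returns an error, or refuses to store. Two wording fixes: "supports macOS, Linux and Windows applications store, delete and retrieve secrets" needs "applications to store, delete and retrieve", and "it defaults finding the default keyring" should read "it falls back to the default keyring". The bullets "More secure" and "Secure cryptographic communication over the `dbus` connection" are unqualified; state what is meant (for instance an encrypted Secret Service session rather than a plain one) so readers can evaluate the claim. Since the drawbacks list already admits the dependency on a "forked archived keybase/dbus library", consider tracking the planned move to `godbus/dbus` as an issue so the exposure to an unmaintained transport library is visible to consumers of the package.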