Friday, July 8, 2011

Gnome Keyrings: To Serve and Protect

You have no real clue about keyrings? Me neither...until just recently. They seem to live a rather hidden existence, as long as they do not become apparent through using a wifi connection, the password storage feature of Chrome/ium, or tools like CloudSN.

But they are not only able to annoy you by asking for your password each time you use one of them; they can also serve each other (and therefore you) by holding the keys to unlock each other, thereby reducing the number of password queries.

  • You are, like most users, auto-logging in: No password query.
  • But you are using a wifi connection: One password query.
  • And you are also using the password storage feature of Chrome/ium: Another password query.
  • Or you are using the password storage feature of Firefox and/or Thunderbird, with the master password set, for obvious security reasons: Another one or two password queries.
  • Or you are using CloudSN or a similar tool to stay in touch with GMail or other services: One more password query.
So, you consider yourself clever for not having to enter a password upon login, but instead you are being asked for at least 2 passwords during your session; no, actually, most probably right at the start of a session, because two of the above services are initialized upon login.

So, what we are going to do now is consolidate all of these keyrings down to one single password query upon login. If you didn't use a master password for Firefox and/or Thunderbird before, out of the wish to spare yourself from entering a password, this will, combined with the password query upon login, also ramp up the security of your system considerably.

However, unlocking all needed keyrings only with your login password does, of course, reduce the security in that aspect. That's why I recommend setting a not too easy password here. Also, I might come to presume that you are using or would use the same password for all of these services anyway.

Firefox / Thunderbird

Both of these don't support Gnome keyrings natively, so we need to install an extension for this:

Update 8/17/2011: With the release of version 6 of both Firefox and Thunderbird, this extension doesn't work anymore. Moreover, it's not even available for download anymore, but I don't know since when. Hopefully, it will be upgraded, or there will be an alternative.

Update 8/25/2011: After checking for any sign of movement again, I just found a location from where one can still download the latest version - which, as I said before, doesn't work with latest versions of Firefox and Thunderbird, but it's, of course, still working for those who didn't upgrade to them yet.

Follow the link below and then click on "raw" beneath the file details to download the XPI file:

Or just use the direct download link:

Btw., no movement in sight yet for an update to make this extension work with the latest versions of Firefox and Thunderbird, or another way to integrate them into Gnome Keyring, but you should keep an eye on the GIT below, as the author has forked the "mdlavin" version, and there is also an updated version available to download for at least AMD64 systems, but I don't think that it works with the latest versions of FF and TB yet, as the build date suggests:

This extension creates a keyring called "mozilla". However, it doesn't migrate already stored passwords, so you have to store the credentials concerned once again. Note that, if you don't remember some of these, you can disable the option "Use a master password" at any time to get access to the credentials stored before. Then just switch it on again.

  1. Install the extension described above.
  2. Restart Firefox/Thunderbird.
  3. Make sure the option "Use a master password" is enabled under "Preferences > Security".
  4. The next time when you are asked to enter your password to unlock the newly created "mozilla" keyring, enter your set up password, then click on the arrow beneath "Details" right below the password field and tick the box beneath "Automatically unlock this keyring whenever I'm logged in", as shown in the screenshot above.

Chrome/ium, CloudSN, etc.

Many applications, like those stated above, already support Gnome keyring natively. So, for these applications, the procedure to make them unlock their used keyrings automatically is fairly simple: The next time when you are asked for your password to unlock the respective keyring, just handle the dialog the same way as described above.

For Chrome/ium and many other applications, it's the keyring "default".

For CloudSN, it's the keyring "cloudsn".


Just since today (8/29/2011) there is a plugin available for Pidgin, to enable the Gnome Keyring integration for it as well. As often, there is only a package available for the latest version of Ubuntu, in this case Natty Narwhal 11.04, but - provided that you are running at least version 2.7.x of Pidgin - you can install it in previous versions as well. I've just done so with my Lucid 10.04.

To install it, follow these steps:
  1. Open "System > Administration > Software Sources" in classic Gnome, or in Unity, search the Dash for "Software Sources". Under the "Other Software" tab, click on "Add" and enter this line:
    deb natty main
  2. Upon closing Software Sources you will be asked to "Reload" the package information database, then do so.
  3. Install the plugin by running this command in the Terminal:
    sudo apt-get install pidgin-gnome-keyring
  4. If already running, restart Pidgin, otherwise just start it. Then enable "Gnome Keyring" under "Tools > Plugins".
  5. Restart Pidgin. Upon startup, you will be asked for the login passwords of every messaging service you have set up, just enter them and tick the option "Save password", obviously.
  6. Restart Pidgin again. Now, if you check the content of the file "~/.purple/accounts.xml", your login passwords shouldn't be in there anymore. Yay!
This plugin, too, uses the keyring "default" to store the passwords.
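
A scripted version of the check in step 6, added here as an example (it is not part of the original post or of the plugin): it lists the accounts in "accounts.xml" that still carry a non-empty password element, without ever printing the secret, and also reports whether the file is accessible to group or others. The sample XML is constructed, and the function names are hypothetical.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of ~/.purple/accounts.xml (not real data).
SAMPLE_ACCOUNTS_XML = b"""<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Home</name>
    <password>constructed-secret</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
  <account>
    <protocol>prpl-aim</protocol>
    <name>alice_aim</name>
    <password></password>
  </account>
</account>
"""

def accounts_with_stored_password(xml_bytes):
    """Return (protocol, name) for every account that still has a non-empty
    <password> element. The password value itself is never returned."""
    leftovers = []
    for account in ET.fromstring(xml_bytes).iter("account"):
        if account.find("protocol") is None:
            continue  # the outer <account version='1.0'> wrapper
        if (account.findtext("password") or "").strip():
            leftovers.append((account.findtext("protocol"), account.findtext("name")))
    return leftovers

def check_file(path):
    """Check a real accounts.xml: leftover passwords and group/world access bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        leftovers = accounts_with_stored_password(fh.read())
    return {"leftovers": leftovers, "group_or_world_access": bool(mode & 0o077)}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.purple/accounts.xml")
    result = check_file(path) if os.path.exists(path) else {
        "leftovers": accounts_with_stored_password(SAMPLE_ACCOUNTS_XML)}
    print(result)
    sys.exit(1 if result["leftovers"] else 0)
```

An empty "leftovers" list (exit status 0) means no account in the file still holds a password; any entry names an account whose password has not moved to the keyring.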



To administer the created keyrings, open up "Passwords and Encryption Keys"; it's under "Applications > Accessories" in classic Gnome, or in Unity, type its name into the Dash. You will be presented with the window shown in the first screenshot.

There you can:
  • Create / delete keyrings.
  • Unlock / lock keyrings.
  • Change the passwords of keyrings.
  • Delete password sets.
  • View the details of password sets.
  • Change passwords.
