Keyring, Secret Service libraries


#1

Hello all,

I’ve completed a first go at simplifying handling keyrings in Rust. So far, this includes:

  1. secret-service-rs, a library for interfacing with linux keychains implementing the Secret Service API (e.g. gnome keyring and kwallet).
  2. keyring-rs, a (soon-to-be) cross-platform library for managing passwords, and which uses secret-service-rs as the linux backend.

Inspiration was python keyring. At work, we have a tool which uses it, and I want to be able to rewrite it in Rust :slight_smile:

#### Secret Service
secret-service-rs is currently feature-complete. I will be doing a refactoring pass soon, though, and would be happy to get feedback. @YBRyn in particular mentioned that it would be good to look over the crypto stuff before publishing. Also, much thanks to @willi_kappler for looking over my code and giving guidance.

I’d also like to mention that I really enjoyed the documentation process, rustdoc was great! And the error-handling section of the rust book made writing custom errors straightforward (and fun?).

#### Keyring

As for keyring-rs, it’s still half-baked. The most glaring omissions are lack of OSX and Windows support. I’ve had a look at winapi, but it’s a bit foreign to me as I don’t develop on Windows. If anybody could give me some direction on Windows Credentials, that would be great.

For OSX support, I was looking at security-framework, but I had a hard time figuring it out. If anybody could let me know that’s the right direction to go to interact with OSX Keychain, I’ll dig a little deeper. (For reference, python keyring OSX backend appears to pipe data in and out of the security utility).

Finally, I’m trying to use conditional compilation, but could be doing it incorrectly or weirdly.

Thanks!

Just want to say again that I’ve had great interactions with the Rust community, and I really enjoy programming in Rust.


#2

Nice! I am working on a keyring service on Linux written in Rust; this will be great for testing and good for inspiration :smiley:


#3

Any progress on this? If so I have a great project for rust based on such a library.


#4

The last few months have been a bit of turmoil for me, but I’m planning on finishing this library in the next couple of weeks (after getting access to a Mac). If you have questions or suggestions, feel free to discuss with me here or on github issues.


#5

Latest keyring (0.3.0) now has support for windows, osx, and linux.


#6

Piping to/from security isn’t a terrible way to do it, but the “official Apple-approved way” is through the Security API, and if you want to do the fancy thing where you do per-application ACL stuff you’ll need to ignore the warning from Apple and use SecKeychainItemCreateFromContent.


#7

Hi!

There’s currently a pull request in keyring to add the functionality that you mention; it’s only waiting on a pull request for password support in the OSX security-framework crate.


#8

Thanks for letting me know. It looks like that PR has been pending for a little while; is there anything I can do to help it along?


#9

Not sure what you can do, but I saw that you gave it a nudge, thanks!


#10

@hwchen

I am about to try to use keyring-rs on Windows. It seems easy to use, and setting and getting passwords is easy. Unfortunately, I wasn’t able to find more information about the underlying Windows vault. Could you point to some recent documentation, and what’s the name of the Windows Vault in Windows 10?

I’m trying to figure out how safe it can be.


#11

I’m not an expert on the Windows vault/credential system, so if somebody knows more please correct me and/or add to my comment.

The Windows Credential Manager is the interface through which users can manage secrets like passwords. The secrets themselves are stored in the Windows Vault. I believe that this is true from Windows 7 onwards (I tested on Win7). And, from my understanding, Windows uses this vault to store system and network credentials, including IE passwords.

With some googling, I wasn’t able to find good documentation on Microsoft’s site.

Some links:

https://support.microsoft.com/en-us/help/4026814/windows-accessing-credential-manager

https://www.digitalcitizen.life/credential-manager-where-windows-stores-passwords-other-login-details

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374789(v=vs.85).aspx

https://security.stackexchange.com/questions/119765/how-secure-is-the-windows-credential-manager indicates that Windows Credential Manager may not be that safe. However, this is the Windows backend that python’s keyring uses, so I’m not sure that there’s a better Windows option for easy cross-platform compatibility at the moment.


#12

Thanks for the quick reply and your explanation. I found a GUI to see what is in there. Here is a screenshot (in German).

It seems to be okay. It doesn’t show the password (Kennwort), and I can change the password there, but I can’t read it anywhere.

Personally I think it is safe enough to store some sensitive information, e.g. a Pinboard API token, there. That is in my opinion safer than writing that token in the source code or in an unencrypted settings file.


#13

Great, hope it works out well for you. Feel free to raise any issues in the GitHub repo.