msgraph-cli

Investigate additional secrets providers for Docker

Open calebkiage opened this issue 3 years ago • 6 comments

Currently, the gnome-keyring secret service provider is used to provide encryption support to libsecret. However, it requires the additional CAP_IPC_LOCK Linux capability to work (see gkd-capability.c). This means that users have to add that capability to their docker container when running the image.

Investigate other secret service providers to try and remove this requirement.

Ability to run in a headless (no desktop) environment is an important requirement.

calebkiage avatar Mar 27 '22 13:03 calebkiage
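An added example (not code from the issue or from the msgraph-cli project) of the check a practitioner wants when following the post above: does the process inside the container actually hold CAP_IPC_LOCK? The kernel exposes the capability sets of a process as hex bitmasks in `/proc/<pid>/status` (`CapEff`, `CapPrm`, `CapBnd`), and CAP_IPC_LOCK is capability number 14 in `linux/capability.h`, so the test is whether bit 14 of `CapEff` is set. The sample masks used below are constructed for the example: `00000000a80425fb` is the value commonly seen as `CapEff` for root in a container started with Docker's default capability set, and `00000000a80465fb` is the same set with bit 14 added, which is what `docker run --cap-add IPC_LOCK` yields. The capability name table is a subset of `linux/capability.h`.

```shell
#!/bin/sh
# Added example, not part of the msgraph-cli issue or project: decode a Linux
# capability bitmask as printed on the CapEff/CapPrm/CapBnd lines of
# /proc/<pid>/status and check for CAP_IPC_LOCK, which gnome-keyring's
# gkd-capability.c needs so it can mlock() the memory holding secrets.

# Capability numbers from linux/capability.h.
CAP_IPC_LOCK=14

# cap_name NUMBER -> print the name of a capability number (subset of the
# kernel table: Docker's default set, IPC_LOCK and SYS_ADMIN).
cap_name() {
    case $1 in
        0)  echo CAP_CHOWN ;;
        1)  echo CAP_DAC_OVERRIDE ;;
        3)  echo CAP_FOWNER ;;
        4)  echo CAP_FSETID ;;
        5)  echo CAP_KILL ;;
        6)  echo CAP_SETGID ;;
        7)  echo CAP_SETUID ;;
        8)  echo CAP_SETPCAP ;;
        10) echo CAP_NET_BIND_SERVICE ;;
        13) echo CAP_NET_RAW ;;
        14) echo CAP_IPC_LOCK ;;
        18) echo CAP_SYS_CHROOT ;;
        21) echo CAP_SYS_ADMIN ;;
        27) echo CAP_MKNOD ;;
        29) echo CAP_AUDIT_WRITE ;;
        31) echo CAP_SETFCAP ;;
        *)  echo "CAP_$1" ;;
    esac
}

# has_cap HEXMASK NUMBER -> exit 0 if capability NUMBER is set in HEXMASK.
# HEXMASK is the bare hex string from /proc (an optional 0x prefix is allowed).
has_cap() {
    mask=${1#0x}
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# list_caps HEXMASK -> print one capability name per set bit, ascending.
# 41 covers every number the kernel currently defines (CAP_LAST_CAP is 40).
list_caps() {
    mask=${1#0x}
    n=0
    while [ "$n" -lt 41 ]; do
        if has_cap "$mask" "$n"; then
            cap_name "$n"
        fi
        n=$((n + 1))
    done
}

# self_has_ipc_lock -> exit 0 if the calling shell's effective set contains
# CAP_IPC_LOCK. Linux only: reads /proc/self/status.
self_has_ipc_lock() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    [ -n "$mask" ] || return 2
    has_cap "$mask" "$CAP_IPC_LOCK"
}

# Run directly (not when sourced by a test) to report on the current process.
# Typical use inside the container:
#   docker run --rm --cap-add IPC_LOCK <image> sh -c '. ./capcheck.sh; self_has_ipc_lock && echo ok'
if [ "${0##*/}" = "capcheck.sh" ]; then
    if self_has_ipc_lock; then
        echo "CAP_IPC_LOCK is in the effective set"
    else
        echo "CAP_IPC_LOCK is NOT in the effective set; run with --cap-add IPC_LOCK"
    fi
fi
```

Note that `--cap-add` grants the capability to root inside the container; a process that switches to a non-root uid, or an image that sets `USER`, loses it from its effective set on the next execve unless the binary carries file capabilities, which is why the check should be run as the same user that will start gnome-keyring.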

The container cannot be run as a non-root user either because docker doesn't support adding capabilities for non-privileged users. See https://training.play-with-docker.com/security-capabilities

calebkiage avatar Aug 25 '22 11:08 calebkiage

I have found it to simply work with KeePassXC on NixOS https://github.com/NixOS/nixpkgs/pull/314619#issuecomment-2131313596

All I had to do was add the libsecret runtime dependency. I don't think Nix/NixOS is doing anything funny otherwise, so this should work on all distros just the same.

nazarewk avatar May 25 '24 15:05 nazarewk

By the way, this is actually called the Freedesktop Secret Service API, which gnome-keyring (I think) pioneered and happens to implement alongside others:

  • KeePassXC, KWallet, KSecretService, which you already mentioned
  • implementation in Python utilizing pypass (a client for password store) https://github.com/mdellweg/pass_secret_service
  • implementation in Go https://github.com/yousefvand/secret-service

nazarewk avatar May 28 '24 08:05 nazarewk

We're having trouble specifically with docker because a lot of secret providers require pulling in xorg and other UI library dependencies. It seems like many were developed for desktop environments. I'll take a look at the libraries you've mentioned to see what system dependencies they need.

calebkiage avatar May 28 '24 08:05 calebkiage

Yeah, I found it extremely hard to search the internet for the Secret Service server-side implementation; the results are swamped with tools and libraries querying the API, but almost none actually implement it. I'd be happy to hear about the others you encounter.

You might have some luck with https://github.com/yousefvand/secret-service; last time I checked it was implemented purely in Go and uses a simple environment variable as the master password for its on-disk files.

nazarewk avatar May 28 '24 08:05 nazarewk

Cross-posting https://superuser.com/questions/536433/what-applications-provide-org-freedesktop-secrets-service

nazarewk avatar May 29 '24 12:05 nazarewk