This project is a culmination of scripts and plugins to help use gnome-keyring as a single password store for various apps.
Note: Most of the plugins provided expect the bin/keyring script included in the repository to be available in your path.
This script allows you to perform some basic operations on your keyring:
Usage: keyring [options] <command> [command args] Commands: list list all stored keys set [--2factor] [--smtp] [<key>] set a key when --smtp is supplied set a smtp password (msmtp format) get/password [-c/--clipboard] [--smtp] [--hash [--salt]] [--pbkdf2] <key> get the password for the given key prompt [-p/--paste] opens a gui prompt to get the password for a key. delete [--smtp] <key> delete the entry for the given key username <domain> get the username for the given domain link <src_key> <dest_key> [<dest_key> ...] link one or more keys together Note that this is a feature unique to this script and won't be supported by other programs reading directly from gnome-keyring. Options: -h, --help show this help message and exit -k KEYRING, --keyring=KEYRING the keyring to use (default: login) --smtp when used with the get, set, or delete commands, use the msmtp format --hash=HASH run the password through the specified hash before outputting it --salt combined with --hash, the key will be used as a salt --pbkdf2 use pbkdf2 with optional --hash and --salt to hash the password for output -t TEMPFILE, --tempfile=TEMPFILE write get/password/username to a tempfile (deleted 1s after creation) -c, --clipboard write get/password/username to a clipboard (cleared 10s after being set). Requires xclip -p, --paste when used with 'prompt', paste the result password into the currently focused field. Requires xdotool --2factor indicates that the key to set uses two factor authentication. This indicator is currently only used by the 'prompt' command where a subsiquent dialog will prompt you to enter your temp code and that value will be appended to your password. This feature is probably only useful for a small number of sites.
A qutebrowser userscript is provided which can be used to populate username/password fields on web site login forms by pulling the information from the keyring based on the current domain.
To install this userscript you can either copy or symlink
qutebrowser/userscripts/keyring to your
You can then update
~/.config/qutebrowser/config.py to add an alias for the
c.aliases['keyring'] = 'spawn --userscript keyring'
After you've installed the userscript, the next step is to store your credentials
for a domain in the keyring using the format
username@domain where username
can be an email address if necessary:
./bin/keyring set firstname.lastname@example.org ./bin/keyring set email@example.com@somesite.com
When deciding what domain to suffix the key with, please be aware that the userscript with start with the full domain name and then strip off subdomains until it finds a username or reaches the base domain, which it assumes is a domain name with one '.' in it (eg: site.com, site.org, etc):
www.site.com: will try www.site.com, then site.com
Once you've added your credentials for a given domain to the keyring, you can
then navigate to the domain's login page and simply run
:keyring and the
username/password fields should be populated, allowing you to then manually
submit the form.
An irssi plugin is provided allowing you to authenticate all or individually configured accounts using gnome-keyring.
You can install the plugin by copying or symlinking the irssi/scripts/keyring.pl file to your irssi scripts directory (~/.irssi/scripts) and then adding a corresponding load line to your irssi startup file (~/.irssi/startup):
After installing the keyring.pl plugin, you then need to create a
in your irssi config directory (~/.irssi/login) with a list of connection
commands, one per line, where the special
<password> token is replaced with
the password obtained from the keyring.
Here is an example file to authenticate a freenode account and a google talk account:
connect irc.freenode.net 6667 <password> mynick xmppconnect -host talk.google.com firstname.lastname@example.org <password>
Note that if the actual key used in the keyring for that account differs from
the username specified in the connection string, you can use the
<password:key> syntax to specify the key to use when looking up the
xmppconnect -host talk.google.com email@example.com <password:firstname.lastname@example.org@irssi>
Once you've created the login file, you can then use the
command in irssi to authenticate all or individual accounts:
/keyring /keyring username
Similar to using
/names in a channel, supplying the special username
/keyring will print a list of available usernames:
This feature can also be used with irssi's
/set command if you have a
sensitive setting value. Any lines in your
login file in the form of:
set some_var <password>
Will use the variable name (
some_var in this example) as the keyring key to
lookup, and will substitute in the retrieved value to be set on that variable in
The keyring python module included at bin/keyring can also be used in conjunction with offlineimap.
The first step is to set the
pythonfile setting in your ~/.offlineimaprc
pythonfile = /path/to/keyring/bin/keyring
Then for each of your email repository configs in your ~/.offlineimaprc, you
can set the
remotepasseval setting to pull the password from the keyring:
remotepasseval = Keyring().get('email@example.com')
When configured using
--with-gnome-keyring, msmtp supports pulling
credentials from gnome-keyring. The only caveat is that msmtp requires that the
credentials be stored in a very specific format in the keyring. To store keys in
the proper format, the bin/keyring script provides a
--smtp option to the
set command which will prompt you for the appropriate values:
./bin/keyring set --smtp
A completion script is available to ease use from command line. Copy it in /etc/bash_completion.d or source it to make completion available.
For other programs the keyring script provides a
prompt command which will
open a dialog (pygtk) where you can enter the key to use and the keyring script
will put the resulting password into your clipboard for 10 seconds during which
time you can paste it into the password field of whatever app you are using:
If you would like the paste step to be performed for you, you can supply the
--paste argument. Be careful though since this command cannot determine if the
currently focused input is a text field or not, so it would paste into a clear
text field exposing your password to anyone watching over your shoulder.
./bin/keyring prompt --paste
You can create a mapping to this command in your preferred window manager to provide easy access to your keyring.