Support for keyrings.cryptfile #188
Comments
There have been some discussions on this - #142, #143. Px supports keyrings.alt.file - not as secure but at least a fallback. I don't remember trying keyrings.cryptfile. I'll look into it as the option for older RHEL but it might drag in more dependencies (pycryptodome?) - let's see. Frankly, if there's a simpler way to save passwords on Linux that avoids keyring, please let me know. Most of the headaches in Linux are around saving the password today.
I spent some time looking into this. SecretStorage now depends on jeepney directly so there's no need for keyring_jeepney. This also makes it easier for headless systems without a GUI. There are still cases where an alternative is needed though - e.g. RHEL + derivatives. While keyrings.cryptfile is good to securely save the proxy password, it requires the user to provide a Another backend is sagecipher which uses ssh key fingerprints to encrypt/decrypt the keyring but now Px needs to be configured with this fingerprint. However, both these backends and some others allow the user to specify the Considering these backends can be installed by the user and automatically loaded by keyring, I'm not adding any of them to the Px dependency list. Also, the fact that keyrings.alt is really deprecated and insecure, I am removing it from the Px dependency list as well. Going forward, only This won't work for the Linux Nuitka binaries though since it won't allow installing anything but is a small use case (340 downloads in 9 months). Regardless, passwords are a pain so Px will also add support to load passwords and other information directly from environment variables and .env files.
This is documented in v0.9.0 still in development - see branch.
v0.9.0 has been released.
Since keepass_jeepney is now non-functional (#187), it would be nice to support https://pypi.org/project/keyrings.cryptfile/ as an alternative. There is an example in the notes to take the password from an environment variable, which might be an alternative solution for headless systems.