What is Gnome Keyring / Seahorse and why is it storing my passwords in plaintext?

7

6

I'm using Fedora 22 with the Gnome environment (but I have the i3 window manager too) and I got a great surprise when I found the existence of a tool called Gnome Keyring, formerly known as Seahorse.

Full text:

I'm currently increasing my security using a password manager and two-factor authentication for everything. I have also disabled browser password managers and cleaned all my passwords from Chrome (Beta) and Firefox. My default browser is Chrome, but I don't use it anymore (just for Netflix and Hangouts); the browser I use today is Firefox.

I was really surprised when I discovered Gnome Keyring, a tool that I had never heard about and that was saving all my passwords in PLAINTEXT without my consent.

TL;DR:

  • What is Gnome Keyring / Seahorse?
  • Why is it storing passwords in plain text, allowing anyone to see passwords?
  • How can I disable this from my computer? I never enabled that.

The most interesting question: why is it storing passwords without my consent?

Fernando Paladini

Posted 2015-09-07T13:11:16.993

Reputation: 721

Why -1? I was nervous, sorry if I have written some bad words. – Fernando Paladini – 2015-09-07T13:19:51.473

It's common decency to not swear. Especially when you're asking people to help you... No more said. – Kinnectus – 2015-09-07T17:18:24.690

It is still known as Seahorse. – jarno – 2019-09-22T09:06:15.450

Answers

19

What is Gnome Keyring

It's a password storage system – exactly like the one inside Chrome, and exactly like the one inside Firefox, except it's system-wide and it's encrypted by default.

This is in fact why Chrome uses it – Chrome's own password storage is not encrypted. GNOME Keyring is a system component, knows your login password, and can use it as the encryption key for everything else. Chrome is just an app and doesn't have any keys it could use.

In KDE, Chrome uses KWallet for the same purpose. (On Windows, I think it has its own database, but asks the OS to hold just the "master key".)

What about Firefox? Well, technically Firefox's password database is encrypted. However, the encryption key is stored in a file right next to the database, meaning other programs can easily decrypt the passwords anyway. Without a system keyring, password storage is like writing the PIN code on your credit card.

Seahorse?

Seahorse is the management app for GNOME Keyring.

Why is it storing passwords in plain text,

It's not. On disk they are encrypted (using your Linux password). Of course they must be decrypted in memory, so that programs could use them. Chrome can't autofill a password unless it can access that password in plaintext.

(Note again that GNOME Keyring encrypts its password storage, but Chrome itself does not.)

allowing anyone to see passwords?

Do you give your Linux password to anyone? If not, then anyone cannot see the keyring contents without your login password.

How can I disable this from my computer?

You can start Chromium with the --password-store=basic option. Note that with this option you would lose any encryption you had. The passwords would be stored in a SQLite3 database ~/.config/chromium/Default/Login Data, in plain text.

The most interesting question: why is it storing passwords without my consent?

You gave your consent when Chrome asked "Do you want to save this password?" and you clicked "Save" in the popup. Whether the password is hidden inside Chrome's own database or a common system one is irrelevant.

user1686

Posted 2015-09-07T13:11:16.993

Reputation: 283 655

Thank you, that's all I needed. But you didn't answer how I can disable it at all. I don't use Chromium anymore and I still have a lot of passwords stored in Gnome Keyring. How can I delete all of them? – Fernando Paladini – 2015-09-07T13:24:19.707

rm ~/.local/share/keyrings/login.keyring – user1686 – 2015-09-07T13:24:54.157

Also note that the situation is the same with Firefox, Opera, or really any browser ever. – user1686 – 2015-09-07T13:26:46.523

Removing this file didn't work. Any other tip? – Fernando Paladini – 2015-09-07T13:27:44.113

I don't use a desktop environment, and gnome keyring stores my passphrases in the clear in a file called ~/.gnome2/keyrings/default.keyring. I accidentally clicked store to password manager when gpg's pinentry program prompted me for a passphrase. I think if I'd used gdm or something instead of startx, it might have encrypted things with my password. I agree with the original poster that gnome keyring can give people who don't expect it a nasty surprise. – user3188445 – 2016-09-19T07:28:55.647

If you don't use gdm (or otherwise invoke pam_gnome_keyring), I'm fairly sure gkr asks you to choose the encryption password when used for the first time. – user1686 – 2016-09-19T11:49:40.480

0

On my machine, the file is "~/.gnome2/keyrings/login.keyring".

You can use locate login.keyring to find it.

utopic eexpress

Posted 2015-09-07T13:11:16.993

Reputation: 43
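The posts above disagree on whether a given keyring file is encrypted on disk. The following check is an added example, not code from any of the posters or from the GNOME project. It classifies the *.keyring files in the two directories named above, assuming gnome-keyring's encrypted binary files begin with the bytes `GnomeKeyring\n\r\0\n` and that password-less keyrings are written as INI-style text with a `[keyring]` section; the sample files in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path

# Assumption: magic bytes that open gnome-keyring's encrypted binary format.
BINARY_MAGIC = b"GnomeKeyring\n\r\x00\n"
# Keyring directories named in the posts above.
KEYRING_DIRS = ("~/.local/share/keyrings", "~/.gnome2/keyrings")


def classify_keyring(path):
    """Return 'encrypted', 'plaintext' or 'unknown' for one keyring file."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(BINARY_MAGIC):
        return "encrypted"
    # Assumption: an unencrypted keyring is a text file with a [keyring] group,
    # followed by numbered item groups that hold the secrets in the clear.
    lines = [ln.strip() for ln in head.decode("utf-8", "replace").splitlines()]
    if "[keyring]" in lines:
        return "plaintext"
    return "unknown"


def audit(dirs=KEYRING_DIRS):
    """Map every *.keyring file under the given directories to its class."""
    report = {}
    for d in dirs:
        root = Path(d).expanduser()
        if not root.is_dir():
            continue
        for f in sorted(root.glob("*.keyring")):
            report[str(f)] = classify_keyring(f)
    return report


def demo():
    """Run the audit over two constructed sample files (not real keyrings)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "login.keyring").write_bytes(BINARY_MAGIC + os.urandom(64))
        Path(tmp, "default.keyring").write_text(
            "[keyring]\ndisplay-name=default\n\n[1]\nsecret=constructed-sample\n")
        return {Path(k).name: v for k, v in audit([tmp]).items()}


if __name__ == "__main__":
    for path, kind in audit().items():
        print(f"{kind:9}  {path}")
```

A file reported as `plaintext` can be read by any process running as the same user, so it is the one to re-create with a password or delete.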