Essentially there are two similar key management systems used in Linux operating systems – the Gnome Keyring and the KDE Wallet system. The first is part of the Gnome desktop environment and stores a central database (the keyring) of passwords, certificates and encryption keys for various services. The user can access it through an interface, and so can a range of other Gnome applications such as email clients and the network manager.
The KDE Wallet is the counterpart of the Gnome Keyring, and performs the same functions. It’s present on most KDE desktops and is accessed by KDE applications like Kontact and Konqueror, while the K Wallet Manager provides the interface for users to manage the database objects.
In 2009 developers began working on the Secret Service Application Programming Interface, a revision of the Gnome Keyring and KWallet systems that should enable applications across a range of Linux-based desktop environments to use either. This is done through a common API that lets a user or application encrypt, store and request objects using either the Gnome Keyring or KWallet as the repository. There are also two daemons for this – ksecretserviced and gnome-keyring-daemon.
Current Gnome Keyring System
The Gnome Keyring is a fairly secure method of storing keys, certificates and passwords. A master password is hashed using the SHA-256 algorithm, and the database file is encrypted using 128-bit AES with the hash value as the encryption key. This is very similar to the method proposed by the Secret Service API.
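A worked model of the scheme this paragraph describes, written in Go as an added example (not gnome-keyring's own code): the master password is hashed with SHA-256 and the first 16 digest bytes key AES-128, which then encrypts the serialized keyring. CBC mode, PKCS#7 padding, the sample keyring entry and the fixed IV are assumptions made for the demo, since the page names only the hash and the cipher; the example also omits salt and iterations because the text mentions none, so it models the description rather than the real keyring file format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// KeyFromMasterPassword takes the page literally: SHA-256 of the master password, first 16
// digest bytes as the AES-128 key. No salt or iterations, since the text names none (a simplification).
func KeyFromMasterPassword(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:16]
}

// SealKeyring encrypts a serialized keyring blob with AES-128-CBC plus PKCS#7 padding
// (mode and padding are assumptions; the page says only "128-bit AES"). iv is one AES block.
func SealKeyring(password string, iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(KeyFromMasterPassword(password)) // 16-byte key never errors
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// OpenKeyring reverses SealKeyring. A wrong master password yields garbage that the padding check
// almost always rejects; plain CBC carries no integrity tag, so even a returned plaintext is unverified.
func OpenKeyring(password string, iv, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of AES blocks")
	}
	block, _ := aes.NewCipher(KeyFromMasterPassword(password))
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	pad := int(padded[len(padded)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(padded[len(padded)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding: wrong master password or damaged keyring")
	}
	return padded[:len(padded)-pad], nil
}

func main() {
	keyring, iv := []byte(`{"items":[{"label":"imap.example.org","secret":"s3cret"}]}`), bytes.Repeat([]byte{0x42}, 16) // constructed sample; fixed IV for the demo only
	sealed := SealKeyring("correct master password", iv, keyring)
	_, err := OpenKeyring("wrong password", iv, sealed)
	fmt.Println(len(sealed), "sealed bytes; wrong password ->", err)
}
```

The point to take from running it is that the derivation is deterministic and unsalted exactly as described, and that decryption alone only detects a wrong password through padding, not through any integrity check.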
In addition to protecting keys while the computer is inactive, the Gnome Keyring ensures the key database can’t be recovered from the swap partition, a common weakness in other key management systems. It’s also designed to ensure keys can’t be read by other users who happen to be logged into the same machine.
The potential threat comes from malware that has somehow been installed and authorised to read from the keyring. As the primary database is unlocked once the user logs in, the user may want to create a secondary keyring that stays encrypted until it is actually needed.