
I'm trying to use the secret-tool command to store a secret securely in a running headless CentOS 7.5.1804 Docker container, but can't seem to find which packages and/or configuration is necessary to make this work successfully.

Specifically, I want to be able to run this command:

printf "aPassword" | secret-tool store --label="test" foo bar 

And be able to see that password by running:

secret-tool lookup foo bar 

When I run the secret-tool store command, I get this:

printf 'aPassword' | secret-tool store --label="test" foo bar
** Message: Remote error from secret service: org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Secret.Collection' on object at path /org/freedesktop/secrets/collection/login
secret-tool: No such interface 'org.freedesktop.Secret.Collection' on object at path /org/freedesktop/secrets/collection/login

I've followed the ArchLinux Gnome/Keyring wiki page and attempted to do the same on a CentOS Docker container via the following steps:

docker run --privileged -it centos:centos7.5.1804 /bin/bash
# remainder of commands are in the container bash shell:
printf 'search localhost.localdomain\nnameserver 8.8.8.8\nnameserver 8.8.4.4' > /etc/resolv.conf
yum -y update
yum -y install sudo gnome-keyring libsecret dbus-x11
yum clean all && rm -rf /var/cache/yum
export DISPLAY=":0.0"
eval "$(dbus-launch --sh-syntax)"
mkdir -p ~/.cache
mkdir -p ~/.local/share/keyrings
eval $(gnome-keyring-daemon --start)
export SSH_AUTH_SOCK

From what I can tell, this should provide everything needed (gnome-keyring daemon, dbus session and secret-tool + libsecret) to allow the secret-tool store command to succeed, but it fails.

What am I missing?

  • If the keyring is unprotected (by e.g. a password), then this seems kinda useless. An attacker who gets access could trivially extract the secret from the keyring. Commented Jun 11 at 18:02
  • @marcelm it was very useful for testing, especially for local scripting and automation tests. Naturally anything 'real' should never have unsecured password mechanisms. Commented Jul 2 at 18:03

2 Answers


A year later, and I was able to revisit this. After a full day of researching and trying various things, I was finally able to figure this out. I hope this answer saves others the days of productivity I lost!

The missing link in the chain was that a keyring has to be created first before entries can be saved to it. In this docker context, there is no user account, no login, etc - so no keyring that would have automatically been created by a desktop manager like Gnome.

As a result, you have to:

  1. First create the keyring manually and then
  2. Start the keyring daemon manually

When creating, the command requires a password from stdin to initialize the keyring. In this docker example, because it's just for testing and not actually used by a real user, I'm using a dummy password of a newline \n that is piped in to both the --unlock scenario (which creates a keyring the first time it's called) and the --start scenario which actually starts the daemon.

Here's the final working set of commands. Note that the official base centos docker image isn't used - systemd services must be running for DBus, so we must use the official centos/systemd image instead:

docker run --privileged -d -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name centos-systemd centos/systemd
docker exec -it centos-systemd /bin/bash
# remainder of commands are in the container bash shell:
yum -y install gnome-keyring libsecret dbus-x11
eval "$(dbus-launch --sh-syntax)"
mkdir -p ~/.cache
mkdir -p ~/.local/share/keyrings # where the automatic keyring is created
# 1. Create the keyring manually with a dummy password in stdin
eval "$(printf '\n' | gnome-keyring-daemon --unlock)"
# 2. Start the daemon, using the password to unlock the just-created keyring:
eval "$(printf '\n' | /usr/bin/gnome-keyring-daemon --start)"

Once this has been done, we can now store and lookup passwords:

[root@603a122f7555 /]# secret-tool lookup foo bar
[root@603a122f7555 /]# printf "aPassword" | secret-tool store --label="test" foo bar
[root@603a122f7555 /]# secret-tool lookup foo bar
aPassword
[root@603a122f7555 /]#
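The answer above evals the raw output of gnome-keyring-daemon twice. As an added example (not part of the answer or of gnome-keyring), the script below imports only the variables the daemon is expected to print, refuses values that could break out of quoting, and then checks a store/lookup round trip with secret-tool. The daemon output sample is constructed for offline use, the socket path /run/user/0/keyring is an assumed value, and the functions keyring_env_exports and keyring_roundtrip are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the answer above): import the KEY=VALUE lines that
# gnome-keyring-daemon prints without a blind eval, then verify a
# store/lookup round trip. Assumes the same setup as the answer (dbus-launch
# already done, gnome-keyring and secret-tool installed).

# Constructed sample of the daemon's output, plus two lines that must never
# reach eval. The path /run/user/0/keyring is assumed, not taken from the page.
SAMPLE_DAEMON_OUTPUT='GNOME_KEYRING_CONTROL=/run/user/0/keyring
SSH_AUTH_SOCK=/run/user/0/keyring/ssh
GNOME_KEYRING_PID=1234
echo injected; touch /tmp/injected
GNOME_KEYRING_CONTROL=$(id)'

# keyring_env_exports: read daemon output on stdin, keep only an allow-list of
# variable names, drop values containing shell-active characters, and emit
# single-quoted export lines that are safe to eval or to source from a file.
keyring_env_exports() {
  while IFS= read -r line; do
    name=${line%%=*}
    value=${line#*=}
    case "$name" in
      GNOME_KEYRING_CONTROL|SSH_AUTH_SOCK|GNOME_KEYRING_PID) ;;
      *) continue ;;                    # unknown name, or a line without '='
    esac
    case "$value" in
      *\'*|*\`*|*\$*|*\;*) continue ;;  # could escape the single quotes
    esac
    printf "export %s='%s'\n" "$name" "$value"
  done
}

# keyring_roundtrip LABEL ATTR VALUE SECRET: store a secret with secret-tool
# and read it back; succeeds only if the lookup returns exactly what was stored.
keyring_roundtrip() {
  printf '%s' "$4" | secret-tool store --label="$1" "$2" "$3" || return 1
  got=$(secret-tool lookup "$2" "$3") || return 1
  [ "$got" = "$4" ]
}

# `sh keyring-env.sh run` starts the daemon as in the answer, imports only the
# sanitised variables, and performs the round trip.
if [ "${1:-}" = "run" ]; then
  eval "$(printf '\n' | gnome-keyring-daemon --start | keyring_env_exports)"
  keyring_roundtrip test foo bar aPassword && echo "round trip ok"
fi
```

The filter is deliberately narrow: the daemon only ever prints a socket path and a PID, so anything with a quote, backtick, dollar sign or semicolon is treated as corrupt output rather than quoted more carefully. The output of dbus-launch --sh-syntax uses a different format (quoted values followed by export statements) and is not handled by this parser.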

Here are my commands on a headless VM of Ubuntu:

apt install dbus-x11 gnome-keyring libsecret # ~79MB
export $(dbus-launch)
eval "$(echo '\n' | gnome-keyring-daemon --unlock)"
echo [email protected] | secret-tool store --label="main" email address
echo $(secret-tool lookup email address)
kill -9 $(pgrep -f gnome-keyring-daemon)
# echo $(secret-tool lookup email address) # no longer gives password

It looks like the keyring will need to be unlocked in any script to retrieve the secrets.

The trick was really using the eval command which I thought was just for Docker. This is the error without that, which has no solution on the net including a couple GitHub projects.

"secret-tool: Cannot create an item in a locked collection"

EDIT, this only worked once. Even after using -r to restart the daemon, killing the processes and rebooting, I can't get any new secrets even with different names, nor retrieve the stored one.
Error "secret-tool: Cannot create an item in a locked collection"

  • thanks a lot, this saved me endless hours of frustration. Works perfectly. Commented Sep 14, 2024 at 19:26
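Both answers on this page run into a secret-tool error that points at a missing setup step: the question's "No such interface 'org.freedesktop.Secret.Collection'" means no keyring exists yet, and this answer's "Cannot create an item in a locked collection" means the keyring exists but was not unlocked in the current session. As an added example (not part of either answer), the script below wraps secret-tool store, captures its stderr and maps those two messages to the step the answers describe. The error strings are copied from this page; the function names classify_keyring_error, keyring_hint and keyring_store_checked are hypothetical.

```shell
#!/bin/sh
# Added example, not from the answers above: classify the two secret-tool
# failure messages quoted on this page and print the remediation each answer
# gives. classify_keyring_error works on captured stderr text alone, so it can
# be exercised without a keyring; keyring_store_checked uses it live.

# Constructed stderr samples, copied from the messages quoted on this page.
ERR_NO_COLLECTION="secret-tool: No such interface 'org.freedesktop.Secret.Collection' on object at path /org/freedesktop/secrets/collection/login"
ERR_LOCKED="secret-tool: Cannot create an item in a locked collection"

# classify_keyring_error: read stderr text on stdin and print one of
# ok | no-collection | locked | unknown.
classify_keyring_error() {
  text=$(cat)
  case "$text" in
    "") echo ok ;;
    *"No such interface 'org.freedesktop.Secret.Collection'"*) echo no-collection ;;
    *"locked collection"*) echo locked ;;
    *) echo unknown ;;
  esac
}

# keyring_hint CLASS: the step the answers on this page give for each class.
keyring_hint() {
  case "$1" in
    ok)            echo "stored" ;;
    no-collection) echo "no keyring exists yet: create one with gnome-keyring-daemon --unlock, then --start, in this shell" ;;
    locked)        echo "keyring is locked: pipe the keyring password to gnome-keyring-daemon --unlock in this shell and eval its output" ;;
    *)             echo "unrecognised secret-tool failure; inspect stderr" ;;
  esac
}

# keyring_store_checked LABEL ATTR VALUE SECRET: run secret-tool store with
# stderr captured (stdout discarded), print the hint, and return its status.
keyring_store_checked() {
  err=$(printf '%s' "$4" | secret-tool store --label="$1" "$2" "$3" 2>&1 >/dev/null) \
    && status=0 || status=$?
  if [ "$status" -eq 0 ]; then
    class=ok
  else
    class=$(printf '%s' "$err" | classify_keyring_error)
  fi
  keyring_hint "$class"
  return "$status"
}

# `sh keyring-check.sh run` attempts one store under the attribute used on
# this page and prints which step is still missing.
if [ "${1:-}" = "run" ]; then
  keyring_store_checked test foo bar aPassword
fi
```

Because keyring_store_checked returns secret-tool's own exit status, it can replace the bare store command in a provisioning script and fail the script with an actionable message instead of the raw D-Bus error.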
