KeepassXC as Key Ring Manager

 _  __                                     __  __   ___
| |/ /  ___   ___   _ __   __ _   ___  ___ \ \/ /  / __|
| ' <  / -_) / -_) | '_ \ / _` | (_-< (_-<  >  <  | (__
|_|\_\ \___| \___| | .__/ \__,_| /__/ /__/ /_/\_\  \___|
                   |_|


 __ _   ___
/ _` | (_-<
\__,_| /__/


 _  __
| |/ /  ___   _  _
| ' <  / -_) | || |
|_|\_\ \___|  \_, |
              |__/

 ___   _
| _ \ (_)  _ _    __ _
|   / | | | ' \  / _` |
|_|_\ |_| |_||_| \__, |
                 |___/

 __  __
|  \/  |  __ _   _ _    __ _   __ _   ___   _ _
| |\/| | / _` | | ' \  / _` | / _` | / -_) | '_|
|_|  |_| \__,_| |_||_| \__,_| \__, | \___| |_|
                              |___/

╔─*──*──*──*──*──*──*──*──*──*──*──*──*──*──*──*──*──*──*──╗
║1   ..................................................   1║
║2*  ..................................................  *2║
║3   ..................................................   3║
║1   ................Posted: 2025-10-15................   1║
║2*  Tags: sysadmin linux security debian window_maker   *2║
║3   ..................................................   3║
║1   ..................................................   1║
╚──────────────────────────────────────────────────────────╝

You can use KeepassXC[1] as your "key ring manager," specifically your *SSH
Agent* and *Secret Service Integration*.

I am writing from the perspective of a Window Maker[2] user. This was tricky for
me because nothing else I tried seemed to integrate well into Window Maker, yet
I was already using KeepassXC.

# Disable Gnome Keyring Daemon (if you have it)

I honestly recommend just removing the Gnome and KDE keyring managers because
you may keep running into issues.

Kill the Gnome Keyring Daemon:

```
pkill -f gnome-keyring-daemon || killall gnome-keyring-daemon 2>/dev/null || true
pgrep -a gnome-keyring-daemon || echo "no gnome-keyring running"
```

This might work to permanently disable:

```
systemctl --user stop gnome-keyring.service gnome-keyring-secrets.service
gnome-keyring-ssh.service gnome-keyring-gpg.service 2>/dev/null || true

systemctl --user mask gnome-keyring.service gnome-keyring-secrets.service
gnome-keyring-ssh.service gnome-keyring-gpg.service
```

UPDATE: honestly, I just went ahead and uninstalled the Gnome Keyring manager
and uh Seahorse or whatever it's called, entirely. It kept finding its way back
into hijacking my secrets/key manager.

# Set up KeepassXC SSH Agent

Prepare the `SSH_AUTH_SOCK` environment variable (in y our `~/.bashrc` or
`~/.zshrc` or whatever):

```
export SSH_AUTH_SOCK=$(ls /tmp/ssh-*/agent.* 2>/dev/null | head -n1)
```

Reload with `source ~/.zshrc` for example. You can check the change:

```
echo $SSH_AUTH_SOCK
ssh-add -l
```

In KeepassXC go to settings -> SSH Agent:

* Enable SSH Agent integration (checked)
* `SSH_AUTH_SOCK` override might be set to something like
 `/run/user/1000/ssh-agent.socket`, but the env var trick I did just detects
 the value (path changes each login?)

Now you can actually keep your keys in KeepassXC, including their passwords, and
KeepassXC will handle it for you. For example, add a new entry to the database:

* Enter the password for the key in the "password" field.
* Attach the key under *advanced*
* Under *SSH Agent* section, tick "add key to agent when database is
 opened/unlocked" and for private key actually select the key you attached in
 the *attachment* drop down.

# KeepassXC Secret Service Integration

In KeepassXC *settings* -> *Secret Service Integration*:

* Enable KeepassXC Freedesktop.org Secret Service Integration
* Add a password group to be exposed to "exposed database groups."
* Unchecked: *confirm when passwords are retrieved by clients*

If you're not able to enable it, it very well may be that another integration is
running.

Now that it's enabled, I believe whenever you enter passwords, it'll actually
get saved to this group you created/use for the exposed database group. For
example, my Gajim/XMPP passwords got saved there. I think you'll see KeepassXC
pop up with some kinda confirm sometimes regarding this.

# Other notes

Make sure KeepassXC is unlocked if you want this system to work!

If you ever notice this system isn't working, check to make sure
`gnome-keyring-daemon` isn't running.

## Footnotes

[1]: KeepassXC: https://keepassxc.org/
[2]: Window Maker: https://windowmaker.org

You are viewing proxied material from gopher.someodd.zip. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.