James Bond went on a new mission and this time as a Secret Service provider.
The library consists of two modules:
An implementation of the Secret Service specifications using zbus. Which sends the secrets to a DBus implementation of the org.freedesktop.Secrets interface that stores them somewhere safe.
A file backend using the org.freedesktop.portal.Secrets portal to retrieve the service's key to encrypt the file with.
The file format is compatible with libsecret.
Sandboxed applications should prefer using the file backend as it doesn't expose the application secrets to other sandboxed applications if they can talk to the org.freedesktop.Secrets service.
The library provides helper methods to store and retrieve secrets and uses either the DBus interface or the file backend based on whether the application is sandboxed or not.
```rust,ignore use std::collections::HashMap;
let keyring = oo7::Keyring::new().await?;
// Store a secret keyring.createitem( "Item Label", HashMap::from([("attribute", "attributevalue")]), b"secret", true, )?;
// Find a stored secret let items = keyring .searchitems(HashMap::from([("attribute", "attributevalue")])) .await?;
// Delete a stored secret keyring .delete(HashMap::from([("attribute", "attribute_value")])) .await?;
// Unlock the collection if the Secret Service is used keyring.unlock().await?;
// Lock the collection if the Secret Service is used keyring.lock().await?; ```
If your application makes heavy usage of the keyring like a password manager. You could store an instance of the Keyring in a OnceCell
```rust,ignore use once_cell::sync::OnceCell;
static KEYRING: OnceCell
fn main() { // SOMERUNTIME could be a tokio/async-std/glib runtime SOMERUNTIME.block_on(async { let keyring = Keyring::new() .await .expect("Failed to start Secret Service"); KEYRING.set(keyring); });
// Then to use it
SOME_RUNTIME.spawn(async {
let items = KEYRING
.get()
.unwrap()
.search_items(HashMap::from([("attribute", "attribute_value")]))
.await?;
});
} ```
The library also comes with API to migrate your secrets from the host Secret Service to the sandboxed file backend. Note that the items are removed from the host keyring if they are migrated successfully.
rust,ignore
// SOME_RUNTIME could be a tokio/async-std/glib runtime
SOME_RUNTIME.block_on(async {
match oo7::migrate(vec![HashMap::from([("attribute", "attribute_value")])], true).await {
Ok(_) => {
// Store somewhere the migration happened, to avoid re-doing it at every startup
}
Err(err) => log::error!("Failed to migrate secrets {err}"),
}
});
| Feature | Description | Default |
| --- | ----------- | ------ |
| tracing | Record various debug information using the tracing library | No |
| async-std | Use async-std APIs for IO/filesystem operations | Yes |
| tokio | Use tokio APIs for IO/Filesystem operations | No |
| unstable | Unlock internal APIs | No |
libsecret-rs provides Rust bindings of the C library libsecret. The current main pain point with it is that it does assume things for you so it will either use the host or the sandbox file-based keyring which makes migrating your secrets to inside the sandbox a probably impossible task. There are also issues like https://gitlab.gnome.org/GNOME/libsecret/-/issues/58 that makes it not usable inside the Flatpak sandbox.
secret-service-rs uses zbus internally as well but does provide a sync only API, hasn't seen an update in a while, doesn't integrate with Secret portal if sandboxed.
The project is released under the MIT license.