Re: Do you use multiple gnome-keyring keyrings?

On Sat, 2007-04-14 at 16:56 +0000, Nate Nielsen wrote:
> Kirioss wrote:
> > I'm not sure I understand what will be possible with this new
> > function. Will it be possible to unlock automatically the keyring when the
> > user logs on (to avoid multiple passwords) and let NetworkManager (wireless
> > and VPN) take the certificate in the keyring without the need, for the
> > user, to know any PIN code to unlock the private key?
> 
> Yes, among other things, that's the eventual goal.
> 

I have been digesting this thread for a while and thinking about the
half written code I have from last fall.  I still think that the proper
way for us to unlock passwords on login is by using the following
workflow.

1)  Keyrings have a property called on_login
2)  There is a system generated keyring for each user called Login
3)  If you set the property on_login on the keyring, its name and
password are stored in the Login keyring.
4)  Then I can write pam_keyring to always use the Login keyring, unlock
that with the system password and systematically go through and unlock
every keyring it has a secret for.

This makes it easy to have multiple keyrings.  I have keyrings for
personal, work, and system secrets.  This allows me to replicate
different keyrings to different machines, without putting all my secrets
on that machine.  I have thought about per application keyrings, but
that seems a little over-kill.

The above approach also gives you the ability to have different
passphrases for different certs, or services.  They are retrievable if
you forget them but remember your system passphrase.  It also gives you
only one passphrase (the one to unlock the Login keyring) to keep in
sync with your system passphrase.  So if something happens and they get
out of sync you don't have to update 20 different passwords to get
things back in sync and unlocking on login properly.

Comments?

Jon
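The four-step workflow above, modelled in Python as an added example (this is not gnome-keyring or pam_keyring code, and the class and function names, the "keyring:<name>" item convention and the toy lock/unlock construction of PBKDF2-derived keys with an HMAC-counter keystream and an HMAC tag are all assumptions made for the model). It shows a Login keyring that records the name and password of every keyring flagged on_login, a login step that unlocks Login with the system password and then walks its entries, a wrong system password leaving everything locked, a keyring that was never flagged staying locked, and a system-password change that only requires re-keying Login.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this model


def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher, for this model only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _subkeys(key: bytes):
    # separate encryption and MAC keys derived from the keyring key
    return hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest()


class Keyring:
    """A name, an on_login flag and items readable only while unlocked.
    Locking encrypts the items (encrypt-then-MAC) and forgets the plaintext."""

    def __init__(self, name: str, password: str, on_login: bool = False):
        self.name, self.on_login = name, on_login
        self.salt = os.urandom(16)
        self._key = _derive_key(password, self.salt)  # held only while unlocked
        self._items, self._blob, self.locked = {}, None, False

    def lock(self):
        if self.locked:
            return
        enc_key, mac_key = _subkeys(self._key)
        nonce = os.urandom(16)
        data = json.dumps(self._items).encode("utf-8")
        ct = _xor(data, _keystream(enc_key, nonce, len(data)))
        tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
        self._blob, self._items, self._key, self.locked = (nonce, ct, tag), {}, None, True

    def unlock(self, password: str) -> bool:
        """Returns False (and stays locked) when the password is wrong."""
        if not self.locked:
            return True
        key = _derive_key(password, self.salt)
        enc_key, mac_key = _subkeys(key)
        nonce, ct, tag = self._blob
        if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
            return False
        self._items = json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))).decode("utf-8"))
        self._key, self._blob, self.locked = key, None, False
        return True

    def _require_unlocked(self):
        if self.locked:
            raise PermissionError(f"keyring {self.name!r} is locked")

    def set_item(self, item: str, secret: str):
        self._require_unlocked()
        self._items[item] = secret

    def items(self) -> dict:
        self._require_unlocked()
        return dict(self._items)

    def change_password(self, new_password: str):
        """Re-key an unlocked keyring; its items are untouched."""
        self._require_unlocked()
        self.salt = os.urandom(16)
        self._key = _derive_key(new_password, self.salt)


def set_on_login(ring: Keyring, ring_password: str, login: Keyring):
    """Step 3: flagging on_login records the keyring's name and password in Login."""
    ring.on_login = True
    login.set_item("keyring:" + ring.name, ring_password)


def unlock_on_login(system_password: str, login: Keyring, keyrings: list) -> list:
    """Step 4, what pam_keyring would do at session start; returns the names unlocked."""
    if not login.unlock(system_password):
        return []  # Login stays locked, so nothing else can be unlocked either
    by_name = {k.name: k for k in keyrings}
    unlocked = []
    for item, secret in login.items().items():
        if item.startswith("keyring:"):
            ring = by_name.get(item[len("keyring:"):])
            if ring is not None and ring.unlock(secret):
                unlocked.append(ring.name)
    return unlocked
```

With a Login keyring holding entries for "personal" and "system" and a "work" keyring that was never flagged, `unlock_on_login("hunter2", login, [personal, work, system])` returns `["personal", "system"]` and leaves work locked; after `login.change_password(...)` the old system password unlocks nothing and the new one unlocks the same two keyrings without their own passwords ever changing, which is the resync point the post makes.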
