Skip to main content

Ralsina.Me — Roberto Alsina's website

python-keyring is seriously nice

Many pro­grams re­quire pass­words from the us­er.

It's nice when a pro­gram can re­mem­ber the pass­word you give it.

It's nicer when it stores said pass­word safe­ly. How­ev­er, it's not triv­ial to do that if you care for cross-­plat­form sup­port.

Or at least it was­n't un­til Kang Zhang wrote python keyring, a mod­ule that ab­stracts the pass­word stor­age mech­a­nisms for KDE, GNOME, OSX and win­dows (and adds a cou­ple of file-based back­ends just in case).

So, how does it work?

In­stall it in the usu­al way. If it's not pack­aged for your dis­tro/­op­er­at­ing sys­tem, just use easy_in­stal­l:

easy_install keyring

You could al­so get it from mer­cu­ri­al:

hg clone

The API is sim­plic­i­ty it­self. This is how you save a se­cret:

import keyring

You may get this di­a­log (or some ana­log on oth­er plat­form­s):


And here's the proof that it was saved cor­rect­ly (this is KDE's pass­word man­ager):


And how do you get the se­cret back?

import keyring
print keyring.get_password('keyring_demo','username')

This is how it run­s:

$ python

As you can see, the API is as easy as it could pos­si­ble get. It even chose the KWal­let back­end au­to­mat­i­cal­ly be­cause I am in KDE!

Python-keyring is a mod­ule that fix­es a big prob­lem, so a big thank you to Kang Zhang and Tarek Zi­adé (who had the idea)

chaica / 2009-12-21 19:48:

Python-keyring is available on Debian, should be available in Ubuntu in ... some months I guess.

Roberto Alsina / 2009-12-21 22:32:

It's also available in Arch.

elpargo / 2009-12-22 05:16:

Thanks for the link

Thomas / 2009-12-24 08:16:

Using python is a bit of a silly idea; I can see a virus searching for your python app in your homedir and modify it to email all passwords it can harvest from the kwallet (since the user gave it an 'ok its safe!').

This may even be the case if the python stuff is installed as root, simply because its easy to place new python code in your homedir and make it be executed instead of the packages-installed app.
And the same problem happens; the user gives an ok because the user is unable to detect the difference.

I seriously think using any scripting language is just wrong for this kind of work.

Roberto Alsina / 2009-12-24 11:48:

The "app X is asking for permission to open wallet" is trivial to overcome, since the app name is simply a parameter in QApplication construction.

If you are depending on that for your security, you are screwed.

It *may* be non-trivial if kwallet (or gnome-keyring) checked whih process is asking, looked for the binary location via /proc and refused to work if it's not a system binary, but even that kinda sucks in other ways.

Cam / 2010-01-03 21:59:

Perhaps if the wallet stored an MD5 for the approved application this scenario could be handled. I think the majority of python apps would be installed through package management which means the virus would need root privileges to modify them anyway.

Oben Sonne / 2010-02-13 00:13:

Yes, MD5 sums would increase security from a technical point of view. The application name alone is quite insufficient. For instance in Gnome you could write a malicious app which calls gobject.set_application_name("trusted_app") and then inherits the rights of "trusted_app" (correct me if I'm wrong).

Anyway, in daily use MD5 sums would fail too. Consider some packaged application which gets updated regularly. Each time the question "Application X is requesting access to ..." would reappear and users would tend to blindly acknowledge, also because they mostly cannot decide if the MD5 change has been caused by a regular package update or by hijacking the application name.