ylxdzsw / dssd

Dead Simple Secret Daemon
MIT License

Use gpg to encrypt secrets #3

Open sunng87 opened 1 year ago

sunng87 commented 1 year ago

Instead of storing plain-text secrets in the filesystem, a handy solution is to encrypt them with gpg.

ylxdzsw commented 1 year ago

Do you have a more concrete plan? Linking to GPG seems to be hard and calling the command-line interface feels fragile. Further, if we use asymmetric encryption, the user needs to choose a keyfile to use and it may be protected by a passphrase. If we use symmetric encryption, we need to find a way to ask for the key. The only sane method I can think of (and used by gnome-keyring) is to use a pam module to get the user's login password and derive the AES key from it, which I feel is too complex.

sunng87 commented 1 year ago

gpg seems to be the only reliable and viable asymmetric encryption solution on desktop. However, because gpg pinentry uses libsecret to remember its password, it might have a cyclic dependency between gpg and dssd.

I checked some other implementations of libsecret; one solution is to use a pre-configured master password for symmetric encryption.

Let's keep this open until we come up with a good solution.

ivoshm commented 9 months ago

I think it would be a great idea to integrate PASS (https://www.passwordstore.org/) - it solves all the GPG "magic" and integration would be quite simple.

TheAifam5 commented 5 months ago

Hey, I think @sunng87 and @ivoshm might find that interesting:

https://github.com/mdellweg/pass_secret_service

I chose dssd because it is simple and I wanted to have a Secret Service daemon just for apps that require it (Discord or 1Password, for example).