Enable database quick unlock (Touch ID / Windows Hello) --- feature failure

patch-work commented 2 weeks ago

Overview

Although the feature "Enable database quick unlock (Touch ID / Windows Hello)" is force enabled on Fedora Linux, the database must be unlocked by hand each time you log in.

Steps to Reproduce

Log in;
observe that keepassxc is not unlocked.

Expected Behavior

I expect the feature "Enable database quick unlock (Touch ID / Windows Hello)" to work.

Actual Behavior

Keepassxc does not quick unlock.

Context

KeePassXC - Version 2.7.9
Revision: 8f6dd13

Qt 5.15.15
Debugging mode is disabled.

Operating system: Fedora Linux 41 (Workstation Edition)
CPU architecture: x86_64
Kernel: linux 6.11.5-300.fc41.x86_64

Enabled extensions:
- Auto-Type
- Browser Integration
- Passkeys
- SSH Agent
- KeeShare
- YubiKey
- Secret Service Integration

Cryptographic libraries:
- Botan 2.19.5

> dnf info keepassxc
[...]
Name            : keepassxc
Epoch           : 0
Version         : 2.7.9
Release         : 5.fc41
Architecture    : x86_64
Installed size  : 28.8 MiB
Source          : keepassxc-2.7.9-5.fc41.src.rpm
From repository : <unknown>
Summary         : Cross-platform password manager
URL             : https://keepassxc.org/
License         : BSL-1.0 AND LicenseRef-Callaway-BSD AND CC0-1.0 AND GPL-3.0-only AND LicenseRef-Callaway-LGPLv2 AND LicenseRef-Callaway-LGPLv2+ AND LGPL-3.0-or-later AND LicenseRef-Callaway-Public-Domain
Description     : KeePassXC is a community fork of KeePassX
: KeePassXC is an application for people with extremely high demands on secure
: personal data management.
: KeePassXC saves many different information e.g. user names, passwords, urls,
: attachemts and comments in one single database. For a better management
: user-defined titles and icons can be specified for each single entry.
: Furthermore the entries are sorted in groups, which are customizable as well.
: The integrated search function allows to search in a single group or the
: complete database.
: KeePassXC offers a little utility for secure password generation. The password
: generator is very customizable, fast and easy to use. Especially someone who
: generates passwords frequently will appreciate this feature.
: The complete database is always encrypted either with AES (alias Rijndael) or
: Twofish encryption algorithm using a 256 bit key. Therefore the saved
: information can be considered as quite safe.
Vendor          : Fedora Project

patch-work commented 2 weeks ago

The following may be relevant.

KeepassXC's "Secret Service" says

"warning: Another secret service is running (PID: 3129, Executable: /usr/bin/kwalletd6). Please stop/remove it before re-enabling the Secret Service Integration."

The current source code of keepassxc uses kwalletd5, so this needs to be updated:

https://github.com/search?q=repo%3Akeepassxreboot%2Fkeepassxc%20kwalletd&type=code

According to KDE's "system settings" the "automatic wallet selection" is set to kdewallet. In the same section, it is possible to disable "secret service":

The Secret Service interface lets applications store passwords and other confidential data. Disable this to allow third-party wallet services such as KeepassXC or GNOME Keyring to manage it instead.

The actual configuration uses gnome-keyring-daemon:

> cat /usr/share/dbus-1/services/org.freedesktop.secrets.service
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets

It is a mess.

When keepassxc is installed, the installer ought to prompt for permission to take over and align the above settings.

I disabled "secret service" in KDE's "system settings", rebooted the system, and enabled KeepassXC's own secret service. The quick unlock feature still fails.

droidmonkey commented 2 weeks ago

Linux quick unlock is not coming until version 2.8.0

See here for implementation: https://github.com/keepassxreboot/keepassxc/pull/8983

michaelk83 commented 2 weeks ago

The following may be relevant.

KeepassXC's "Secret Service" says

"warning: Another secret service is running (PID: 3129, Executable: /usr/bin/kwalletd6). Please stop/remove it before re-enabling the Secret Service Integration."

Secret Service is entirely unrelated to QuickUnlock. Just need to disable Secret Service in KWallet if you want to use KeePassXC as your Secret Service provider.

The current source code of keepassxc uses kwalletd5, so this needs to be updated:

https://github.com/search?q=repo%3Akeepassxreboot%2Fkeepassxc%20kwalletd&type=code

AFAICT, utils/keepassxc-kdewallet is an external utility, which is not part of the main app. It just reads the KeePassXC database password from KWallet (if stored there), in order to automatically unlock KeePassXC.

The actual configuration uses gnome-keyring-daemon:

> cat /usr/share/dbus-1/services/org.freedesktop.secrets.service
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets

This is forced by Gnome Keyring, if you have it installed. You will need to remove it if you want KeePassXC (and not Gnome Keyring) to auto-start when the Secret Service is called by a client app. See #6274. Or you can manually make sure that Gnome Keyring daemon is not running, launch KeePassXC, and leave it open for apps to access. (You can still lock the database, just leave the app running. You will be prompted to unlock when needed.)

patch-work commented 1 week ago

The current source code of keepassxc uses kwalletd5, so this needs to be updated: https://github.com/search?q=repo%3Akeepassxreboot%2Fkeepassxc%20kwalletd&type=code

AFAICT, utils/keepassxc-kdewallet is an external utility, which is not part of the main app. It just reads the KeePassXC database password from KWallet (if stored there), in order to automatically unlock KeePassXC.

The code uses (expects) kwalletd5, which no loger exists. It needs to be updated to kwalletd6.

The actual configuration uses gnome-keyring-daemon:
> cat /usr/share/dbus-1/services/org.freedesktop.secrets.service
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
This is forced by Gnome Keyring, if you have it installed. You will need to remove it if you want KeePassXC (and not Gnome Keyring) to auto-start when the Secret Service is called by a client app. See #6274. Or you can manually make sure that Gnome Keyring daemon is not running, launch KeePassXC, and leave it open for apps to access. (You can still lock the database, just leave the app running. You will be prompted to unlock when needed.)

I am using KDE, so this gnome subsystem is not expected to run. Again, the package manager ought to align these nested configurations, as users are not expected and generally ought not to change anything inside /usr. Different distributions, different packages, but the issue ought to be given to the package managers.

I did manage to run the Secret Service, but the link with the browser is still problematic. When you login, for some reason the browser is started automatically before the keypass. For the browser to see the keepass, you must shut down the browser, open and unlock keepass, then open the browser again. It you open the browser before the keepass, the link fails.

If the screen locks, when you log back in, you will find that the link is broken and connecting to the db from the browser fails. You then have to kill and restart the browser.

patch-work commented 1 week ago

I have seen viruses harvesting passwords from browsers as well as through keyloggers, so keepassxc is a killer application to manage passwords as demanded by GDPR law. The quick unlock and the connection with the browser are the two UX KPIs that make or brake the adoption of keepassxc. If money is needed for a dedicated effort, the project may raise funds through donations, or apply for funds at one of the EU projects.

keepassxreboot / keepassxc