cli on Android: no external key store available

[a-xin]

Hi, I'm not able to login to keybase via the cli on Android 9 using termux. Looks like others are having the same issue.

Is there a configuration I am missing?

Steps

• Open the termux app on Android 9
• Install keybase via pkg install keybase
• Run keybase service
• Open a second session and run keybase login
• Enter your user name and press enter

⇨ cli exits with ERROR Secret store not functional: error while storing secret: no external key store available

Versions

• Android 9
• keybase 3.2.2

[zapu]

Hey, thank you for reaching out to us.

Android secret store is not available in termux. One workaround would be to try to run Keybase service with KEYBASE_SECRET_STORE_FILE=1 environment variable set. This will force it to use file-based secret store. Be advised that it's only as secure as your Termux home dir is, where Keybase device secrets will be stored when this flag is used.

[a-xin]

Hi @zapu, thanks for your explanations! I gave that a try but didn't get any further.

• Added export KEYBASE_SECRET_STORE_FILE=1 to .bashrc
• Verified it gets loaded by running echo $KEYBASE_SECRET_STORE_FILE
• Ran keybase service
• and keybase login in a parallel tab ⇨ it exits with the same error as above

Actually, no matter if I do or don't set the env variable, keybase -debug -debug login errors with the message: secret_store_external:getGlobalExternalKeyStore called, but externalKeyStore is nil. Do I somehow also need to set (or create) a secret store file first?

Not sure if this helps, but checking logcat in a parallel tab showed this error: W keybase : type=1400 audit(0.0:42337): avc: denied { read } for name="/" dev="tmpfs" ino=15397 scontext=u:r:untrusted_app:s0:c249,c256,c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0

[zapu]

OK maybe this doesn't work the - I was told otherwise. I'm not a termux user but I will install it and try to figure it out. Thanks!

[zapu]

@a-xin I've been made aware that the change to enable KEYBASE_SECRET_STORE_FILE on all platforms might not have been released yet. Can one build Keybase client from go source in termux and launch that?

[a-xin]

@zapu Awesome - that solved it - thank you so much!

With keybase 3.3.0 (current master) I was able to login on Android 9.

My steps (for anyone else struggling with this):

• Follow this tutorial https://md.hecke.rs/s/SyWx8-hBX to build the current master in termux (just the first part, the second part seems to be outdated)
• Set KEYBASE_SECRET_STORE_FILE=1 before you run keybase service (e.g. by adding export KEYBASE_SECRET_STORE_FILE=1 to your .bashrc and opening a new session or sourcing it)
• Run keybase service in one session
• Run keybase login in a parallel sessions

[zapu]

Amazing, thank you for trying this out. The new release should be out soon so running on Termux should become easier.

[maxtaco]

It probably makes sense to update that tutorial, the kbfs package has moved inside of keybase/client

[philips]

I have packaged up the keybase 4.0.0 client for termux. However, anyone have a suggestion on how to make it so users don't need to set this environment variable? Can I fix this at build time w/o a patch? https://github.com/termux/termux-packages/pull/3791

[fornwall]

The updated keybase package at version 4.0.0-2 is now available for installation - update to it with pkg up!

Note that this version has been patched so that KEYBASE_SECRET_STORE_FILE defaults to true.

[heini]

I get this message from a fresh Keybase app install (from Playstore) on Android 9 after typing in my username. Any hints what I could do to get past this?

[alensiljak]

With keybase 4.7.2-1, I managed to log in and register the device without running keybase service. But thanks for the tip, because with the keybase service running, using Git repositories works!