Automatically unlock KeePass database with GNOME Keyring

_.md

(Tested with KeePassXC on Fedora 25)

By default when using GNOME Keyring you have a keyring that is unlocked when you log in (usually called "Login"). You can make use of that by storing a KeePass database password in this keyring and using it to automatically unlock your KeePass database.

Store the KeePass database password in GNOME Keyring. You'll have to set a label and at least one attribute/value pair. The label is displayed in a GNOME keyring manager (e.g. Seahorse), the attribute/value pair should be a unique identifier because it's needed for the lookup. I suggest to use keepass as attribute and the database name as value (make sure it doesn't contain any spaces).

secret-tool store --label="KeePass <database_name>" keepass <database_name>

Then create a script to launch and immediately unlock your KeePass database.

#!/bin/bash

secret-tool lookup keepass <database_name> | keepassxc --pw-stdin /path/to/<database_name>

You can now use this script to launch KeePass with your database already unlocked. I recommend to create a desktop launcher for more convenience.

Thanks. This also works together with keepass2. It accepts the same parameter --pw-stdin. database_name is the filename including the file extension. This wasn't clear to me at first

Be aware, that there was a bug in Keepassxc 2.2.1 that made problems using --pw-stdin, you need to update to current versions. See: keepassxreboot/keepassxc#590

And for Ubuntu you might need to use explicit bash shell in startup:
bash -c "secret-tool lookup keepassxc <database-name> | keepassxc --pw-stdin /path/to/database.kdbx"

Hey guys, thank you very much for these tips, this looks very useful, I tried it and it works like a charm!
I would like to confirm I understand well what this means in terms of security though. From my understanding, assuming you have only a passphrase set for your password database...

1/ Before this trick
A malicious program with user privilege could not access your passwords unless it has the master key of your database, and it had no other way to find it without brute force or key logging

2/ After this trick
A malicious program with user privilege can find the value of the database password by reading your startup script and by running the command secret-tool lookup keepass <database_name> and then read all your passwords.

I'm not very familiar with the Gnome keyring system so maybe I'm missing something. I know it's pretty unlikely but I'd like to see the worst case scenario...

I'd like to know the answer to androidseb's question too. I think they are correct. I at first thought that I'd be able to just use keepassxc-cli to do exactly the same thing as secret-tool but I can't find a way to list passwords from the command line using keepassxc-cli without entering the database password at the same time; so perhaps keepassxc IS more secure than seahorse (gnome keyring).
That said any implementation to automatically unlock keepassxc will have the same issue I believe. I'll mention that I really like Keepass2Android's quick unlock function where it "half-locks" the database and then only asks you for just the last 4 characters of the master password to unlock it. Very handy on a touch screen device but perhaps less so on a device with a keyboard.

@androidseb Before login, the keyring is locked. Thus you need brute force or smart method to crack it.
However, after login, the keyring is unlocked if you use the same password as login password.
So you DO need to worry about malicious programs after keyring is unlocked.

This works for me on Ubuntu Linux in that it starts KeePassXC and unlocks the database. But there's still a prompt to enter a password in the terminal window, and the script doesn't proceed. Any thoughts?

@Organic-Marble Sorry for the late message, I found that switching the order of the argument works:
keepassxc /path/to/<database_name> --pw-stdin
So the command should read:
secret-tool lookup keepass <database_name> | keepassxc /path/to/<database_name> --pw-stdin

I've done a little extra thing and gone ahead and done this: https://github.com/erenfro/keepassxc-unlocker

1/ Before this trick A malicious program with user privilege could not access your passwords unless it has the master key of your database, and it had no other way to find it without brute force or key logging

2/ After this trick A malicious program with user privilege can find the value of the database password by reading your startup script and by running the command secret-tool lookup keepass <database_name> and then read all your passwords.

(I am using KWALLET instead of Gnome, but i would hope the security is comparable)
To my understanding as long as the keyring is locked, no change to the security (Ok, maybe technically the keyring can be attacked with the file instead of trying to brute force the database directly but ignoring any vulnerabilities in the keyring file storage (which can also happen to keepass, if we even think about this) it's fine).
If the keyring is unlocked, then yes, any program with terminal access can read those entries. But also any program with terminal access could use a keylogger, screen capture, clipboard interceptor etc. So i would hesitate to say that having your password in your keyring is inherently less secure. If you have any unsandboxed apps on your pc, at least for the time being (with X and other apps with no "security by design") you shouldn't input anything you don't want to get captured (so i wouln't worry about this in particular; use Qubes or some other highly private OS to get security which can't be as easily foiled as normal OSs).

If anyone knows better, i'd be happy to hear your opinions on this matter.