(Tested with KeePassXC on Fedora 25)
By default when using GNOME Keyring you have a keyring that is unlocked when you log in (usually called "Login"). You can make use of that by storing a KeePass database password in this keyring and using it to automatically unlock your KeePass database.
Store the KeePass database password in GNOME Keyring. You'll have to set a label and at least one attribute/value pair. The label is displayed in a GNOME keyring manager (e.g. Seahorse); the attribute/value pair should be a unique identifier because it's needed for the lookup. I suggest using keepass as the attribute and the database name as the value (make sure it doesn't contain any spaces).
secret-tool store --label="KeePass <database_name>" keepass <database_name>
Then create a script to launch and immediately unlock your KeePass database.
#!/bin/bash
secret-tool lookup keepass <database_name> | keepassxc --pw-stdin /path/to/<database_name>
You can now use this script to launch KeePass with your database already unlocked. I recommend creating a desktop launcher for more convenience.
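A fail-closed variant of the launcher script from the answer above, as an added example that is not part of the original posts: it stops instead of piping empty input into KeePassXC when the keyring is locked or the item is missing. The function name `unlock_db`, the argument order and the exit codes are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original post).
# Usage: keepass-unlock.sh <database_name> /path/to/<database_name>
# KEYRING_ATTR is the attribute name suggested in the post.
KEYRING_ATTR="keepass"

# sysexits-style exit codes, chosen for this example only.
E_USAGE=64
E_NODB=66
E_NOSECRET=69

unlock_db() {
    local name="$1" db="$2" pw

    if [ -z "$name" ] || [ -z "$db" ]; then
        echo "usage: unlock_db <database_name> <database_file>" >&2
        return "$E_USAGE"
    fi

    # The post requires a lookup value without spaces; enforce it here.
    case "$name" in
        *[[:space:]]*)
            echo "database name must not contain spaces" >&2
            return "$E_USAGE" ;;
    esac

    [ -r "$db" ] || { echo "cannot read database: $db" >&2; return "$E_NODB"; }

    # Fail closed: a locked keyring or a missing item yields a non-zero
    # exit status or empty output. Do not start KeePassXC in that case.
    if ! pw="$(secret-tool lookup "$KEYRING_ATTR" "$name")" || [ -z "$pw" ]; then
        echo "no keyring entry for $KEYRING_ATTR=$name" >&2
        return "$E_NOSECRET"
    fi

    # printf is a shell builtin, so the password is written to the pipe
    # without appearing in any process's argument list or the environment.
    printf '%s\n' "$pw" | keepassxc --pw-stdin "$db"
}

# Launch only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    unlock_db "$@"
fi
```

This changes failure handling only: any process running as the same user can still perform the same lookup while the keyring is unlocked.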
Hey guys, thank you very much for these tips, this looks very useful, I tried it and it works like a charm!
I would like to confirm I understand well what this means in terms of security though. From my understanding, assuming you have only a passphrase set for your password database...
1/ Before this trick
A malicious program with user privilege could not access your passwords unless it had the master key of your database, and it had no other way to find it without brute force or key logging.
2/ After this trick
A malicious program with user privilege can find the value of the database password by reading your startup script and by running the command
secret-tool lookup keepass <database_name>
and then read all your passwords.
I'm not very familiar with the GNOME keyring system, so maybe I'm missing something. I know it's pretty unlikely, but I'd like to see the worst-case scenario...