When you write scripts that need to perform remote authentication, you don't want to include plain-text passwords in the script itself. And if the credentials are personal credentials, you cannot deliver them with the script anyway.
libsecret
Since 2008 the Secret Service API has been standardized via freedesktop.org and is implemented by GnomeKeyring and ksecretservice. Effectively, there is a standard interface to access secrets on Linux desktops. Sadly, the CLI tools are rarely installed by default, so you have to add them manually. On Debian:
apt install libsecret-tools
Using secret-tool
There are two important modes:
Fetching passwords
The "lookup" command prints the password to STDOUT
/usr/bin/secret-tool lookup <key> <name>
Storing passwords
Note that with "store" you do not pass the password, as a dialog is raised to add it.
/usr/bin/secret-tool store --label <label> <key> <name>
Scripting with secret-tool
Here is a simple example Bash script to automatically ask for, store and use a secret:
#!/bin/bash

ST=/usr/bin/secret-tool
LOGIN="my-login"            # Unique id for your login
LABEL="My special login"    # Human readable label

# Print the stored password (empty output if none is stored yet)
get_password() {
    "$ST" lookup "$LOGIN" "$USER"
}

password=$( get_password )
if [ "$password" = "" ]; then
    # Nothing stored yet: ask for the password and save it in the keyring
    "$ST" store --label "$LABEL" "$LOGIN" "$USER"
    password=$( get_password )
fi

if [ "$password" = "" ]; then
    echo "ERROR: Failed to fetch password!" >&2
    exit 1
else
    # Placeholder for the real use of the credentials
    echo "Credentials: user=$USER password=$password"
fi
Note that the secret will appear in the "Login" keyring. On GNOME you can check the secret with "seahorse".
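A hardened variant of the script above, as an added example that is not part of the original post: it refuses to prompt when run unattended and hands the secret to the consuming command on stdin instead of printing it. The function names, exit codes and the consumer command in the usage comment are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Function names and exit
# codes are assumptions chosen for illustration.
ST="${ST:-/usr/bin/secret-tool}"   # overridable, e.g. with a test stub

# get_secret KEY NAME LABEL
# Prints the secret. Returns 2 if it is missing and nobody can be asked,
# 1 if storing or re-reading it failed.
get_secret() {
    local key="$1" name="$2" label="$3" secret
    secret=$("$ST" lookup "$key" "$name" 2>/dev/null) || secret=""
    if [ -z "$secret" ]; then
        # "store" needs user input: refuse when stdin is not a terminal
        # (cron, CI) rather than try to prompt.
        [ -t 0 ] || return 2
        "$ST" store --label "$label" "$key" "$name" || return 1
        secret=$("$ST" lookup "$key" "$name" 2>/dev/null) || return 1
        [ -n "$secret" ] || return 1
    fi
    printf '%s' "$secret"
}

# with_secret KEY NAME LABEL COMMAND [ARGS...]
# Runs COMMAND with the secret on its stdin, so the value is never part
# of an argument list (readable through ps) or of the script's output.
with_secret() {
    local key="$1" name="$2" label="$3" secret rc=0 trace=0
    shift 3
    # Suspend "set -x" tracing while the secret is held in a variable.
    case $- in *x*) trace=1; set +x ;; esac
    if secret=$(get_secret "$key" "$name" "$label"); then
        # printf is a shell builtin: no process is spawned with the
        # secret in its arguments.
        printf '%s' "$secret" | "$@" || rc=$?
    else
        rc=$?
        echo "ERROR: no secret for $key/$name (status $rc)" >&2
    fi
    unset secret
    if [ "$trace" -eq 1 ]; then set -x; fi
    return "$rc"
}

# Usage (the consumer command and its flag are hypothetical):
#   with_secret my-login "$USER" "My special login" some-client --password-stdin
```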