tessl/pypi-secretstorage
Python bindings to FreeDesktop.org Secret Service API for secure password and credential storage
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-secretstorage@3.3.0index.mddocs/
SecretStorage
Python bindings to the FreeDesktop.org Secret Service API for secure storage and retrieval of passwords and other secrets on Linux systems. SecretStorage integrates with GNOME Keyring, KWallet (version 5.97+), and KeePassXC through D-Bus communication, providing a standardized interface for credential management across Linux desktop environments.
Package Information
- Package Name: secretstorage
- Language: Python
- Installation:
pip install secretstorage - Requires Python: 3.6+
- Dependencies:
cryptography>=2.0,jeepney>=0.6 - Version: 3.3.3
Version Constants
__version__ = '3.3.3' # Version string
__version_tuple__ = (3, 3, 3) # Version tuple (major, minor, patch)Core Imports
import secretstorageCommon imports for specific functionality:
from secretstorage import Collection, Item, dbus_init
from secretstorage import get_default_collection, create_collection
from secretstorage import LockedException, ItemNotFoundExceptionBasic Usage
import secretstorage
# Initialize D-Bus connection
connection = secretstorage.dbus_init()
# Get the default collection (keyring)
collection = secretstorage.get_default_collection(connection)
# Store a password
item = collection.create_item(
'My Application Password', # label
{'application': 'myapp', 'username': 'john'}, # attributes
b'my_secret_password' # secret data
)
# Retrieve the password later
items = list(collection.search_items({'application': 'myapp', 'username': 'john'}))
if items:
secret = items[0].get_secret()
print(f"Retrieved password: {secret.decode()}")
# Clean up
connection.close()Architecture
SecretStorage follows the FreeDesktop.org Secret Service specification with these key components:
- D-Bus Connection: Communication channel to the Secret Service daemon
- Collections: Secure containers (keyrings) that store multiple secret items
- Items: Individual secrets with labels, attributes, and encrypted data
- Sessions: Cryptographic sessions for secure data transfer using Diffie-Hellman key exchange
- Prompts: User authentication dialogs for accessing locked collections
The library automatically handles encryption/decryption, session management, and D-Bus protocol details, providing a high-level Python interface for secure credential storage.
Capabilities
Connection Management
Establishes and manages D-Bus connections to the Secret Service, with service availability checking and proper connection lifecycle management.
def dbus_init() -> DBusConnection:
"""Returns a new connection to the session bus."""
def check_service_availability(connection: DBusConnection) -> bool:
"""Returns True if Secret Service daemon is available."""Collection Operations
Manages collections (keyrings) including creation, retrieval, locking/unlocking, and deletion. Collections serve as secure containers for organizing related secret items.
def get_default_collection(connection: DBusConnection, session: Optional[Session] = None) -> Collection:
"""Returns the default collection, creating if necessary."""
def create_collection(connection: DBusConnection, label: str, alias: str = '', session: Optional[Session] = None) -> Collection:
"""Creates a new collection with given label and alias."""
def get_all_collections(connection: DBusConnection) -> Iterator[Collection]:
"""Returns generator of all available collections."""
class Collection:
def create_item(self, label: str, attributes: Dict[str, str], secret: bytes, replace: bool = False, content_type: str = 'text/plain') -> Item: ...
def search_items(self, attributes: Dict[str, str]) -> Iterator[Item]: ...
def is_locked(self) -> bool: ...
def unlock(self) -> bool: ...Item Management
Handles individual secret items with comprehensive operations for storing, retrieving, and managing secret data, attributes, and metadata.
class Item:
def get_secret(self) -> bytes:
"""Returns item secret data."""
def set_secret(self, secret: bytes, content_type: str = 'text/plain') -> None:
"""Sets item secret data."""
def get_attributes(self) -> Dict[str, str]:
"""Returns item attributes dictionary."""
def set_attributes(self, attributes: Dict[str, str]) -> None:
"""Sets item attributes."""
def get_label(self) -> str:
"""Returns item label."""
def delete(self) -> None:
"""Deletes the item."""Search Operations
Provides powerful search capabilities for finding secret items across collections using attribute-based queries with support for global and collection-specific searches.
def search_items(connection: DBusConnection, attributes: Dict[str, str]) -> Iterator[Item]:
"""Searches items across all collections."""Exception Handling
Comprehensive exception hierarchy for handling various error conditions including service unavailability, locked collections, missing items, and dismissed authentication prompts.
class SecretStorageException(Exception):
"""Base exception class for all SecretStorage errors."""
class SecretServiceNotAvailableException(SecretStorageException):
"""Secret Service API is not available."""
class LockedException(SecretStorageException):
"""Collection or item is locked."""
class ItemNotFoundException(SecretStorageException):
"""Item does not exist or has been deleted."""
class PromptDismissedException(ItemNotFoundException):
"""Authentication prompt was dismissed by user."""Session Management
Handles cryptographic sessions for secure data transfer between client and Secret Service daemon, including Diffie-Hellman key exchange and AES encryption.
class Session:
"""Cryptographic session for secure data transfer."""
object_path: Optional[str] # D-Bus object path
encrypted: bool # Whether session uses encryption
aes_key: Optional[bytes] # AES encryption key (when encrypted)Types
from typing import Dict, Iterator, Optional
# From jeepney.io.blocking (external dependency)
class DBusConnection:
"""D-Bus connection for communicating with system services."""
def close(self) -> None:
"""Close the D-Bus connection."""
# From secretstorage.dhcrypto
class Session:
"""Cryptographic session for secure data transfer."""
object_path: Optional[str]
encrypted: bool
aes_key: Optional[bytes]
my_private_key: int
my_public_key: int
def set_server_public_key(self, server_public_key: int) -> None:
"""Sets server's public key and derives shared AES key."""
# Secret Service Constants (from defines.py)
SS_PREFIX: str = 'org.freedesktop.Secret.'
SS_PATH: str = '/org/freedesktop/secrets'
ALGORITHM_PLAIN: str = 'plain'
ALGORITHM_DH: str = 'dh-ietf1024-sha256-aes128-cbc-pkcs7'