When I opened some applications, I get asked to enter a password to create a default keyring. At some point I just clicked continue without entering a password, so it was created in plain text. My question:
Why does this happen and what is the recommended action, one gets the message “enter password to create default keyring”?
Technical Information
Thanks!
You don’t say which applications display that behaviour, I’ll assume they’re all based on Chrome/Chromium (e.g. Google Chrome, Chromium, applications built on Electron, etc.).
This is not specific to Qubes OS, though you’re more likely to notice it on Qubes OS because you get started with a freshly installed browser more often.
When you start using Chrom(ium) in any shape or form (e.g. in an app built on Electron like Slack), you get asked to initialize the password that will be used to store any passwords or credentials you choose to save in the app. They are stored in a so-called keyring. If you choose no password, the keyring isn’t encrypted.
If you don’t choose to store your passwords in that app, whether the keyring encrypted or not doesn’t make much of a difference. In all cases, it really only matters once that keyring is accessed by an unauthorized party… which obviously depends on your use case, but may well be a non-concern if you’re using the application for a single task in a disposable VM.
I hope that clarifies where the request may be coming from and to what extent it might matter. If you review which specific applications request such a password, it should be easy enough to test my initial hypothesis (that what you’re seeing is Chromium behaviour).
This isnt true.
What @boreas is seeing is the gnome keyring: a way of storing passwords
and keys in a single database, optionally secured with a password.
Chrome etc do use the feature, but it isnt exclusive - you will see it
with many VPN applications, Network Manager, or applications that use
ssh or gpg keys.
It’s basically an extended password manager in the qube.
You can manage the contents of the keyring with seahorse, including
changing the password, and altering contents.
You can remove it from the template using normal packaging tools (apt or
aptitude) - like much of Gnome, it isnt made easy, but it can be done.
Some applications wont work without it.
You can try to disable it - plenty of suggestions online which you could
apply in the template. But,(again common with Gnome), it will rise like
the living dead.
Thanks for the great replies! Now I am able to better estimate the importance the strength of the chosen password 