GNOME Bugzilla – Bug 375681
Should lock keyrings when suspending
Last modified: 2007-07-23 22:55:10 UTC
When I suspend my laptop it would be great if g-p-m told gnome-keyring to lock any unlocked keyrings. This would be a good security feature, so that if someone stole my laptop whilst it was suspended, they can't access my passwords. gnome_keyring_lock_all() or gnome_keyring_lock_all_sync() are probably what you want.
Yes, this is a nice feature. I'll see what I can do. Thanks.
Is it okay to have a hard dep on gnome-keyring-1 or do I have to add silly ifdefs?
Added to CVS HEAD; * configure.in: * help/C/gnome-power-manager.xml: * src/gpm-manager.c: Add gnome-keyring functionality to lock keyrings when sleeping. This fixes #375681.
Actually, it would maybe make sense to _clear_ the keyring instead of locking it, so that no credentials are stored in RAM anymore when we suspend/hibernate. Else, I would expect it to be possible for somebody stealing the laptop to retrieve credentials by directly harvesting the raw disk data (in the partitions used to store what was in RAM when hibernating). But gnome keyring may not be the only app needing such a cleanup: ssh-agent, Thunderbird, Firefox, Evolution (when not using gnome keyring), and probably others may want to be able to do this (think VPN application, encrypted filesystem...). Maybe having a generic hook mechanism would be nice (e.g. g-p-m could run all scripts present in /etc/g-pm/keycleanup and ~/.gnome/g-p-m/keycleanup/, or something similar) when doing a suspend or hibernate.
BTW, Thomas, 'locking the keyring' is gnome-keyring parlance for clearing it. But I agree that some generic method is needed for applications to drop sensitive data from RAM before a hibernate occurs.
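A sketch of the generic hook mechanism proposed in the last two comments, as an added example that is not code from gnome-power-manager or from anyone in this thread. The function name `run_cleanup_hooks` and its output format are assumptions; the directory paths in the closing comment are the ones suggested above.

```shell
#!/bin/sh
# Added example (hypothetical): g-p-m on this page has no such hook mechanism.
# run_cleanup_hooks DIR...
#   Runs each executable regular file found directly in each DIR, in glob
#   (lexical) order, before the machine suspends or hibernates.
#   A hook is skipped unless it is owned by the caller or by root and is
#   neither group- nor world-writable, so another local user cannot plant
#   code that runs in the session. Symlinks are ignored.
#   One failing hook does not stop the others.
#   Prints "ok=N skipped=N failed=N"; returns non-zero if any hook failed.
run_cleanup_hooks() {
    ok=0 skipped=0 failed=0
    me=$(id -u)
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for hook in "$dir"/*; do
            { [ -f "$hook" ] && [ ! -L "$hook" ] && [ -x "$hook" ]; } || continue
            # find prints the path only if owner and mode are acceptable
            safe=$(find "$hook" -prune \( -user "$me" -o -user 0 \) \
                        ! -perm -0020 ! -perm -0002 -print)
            if [ -z "$safe" ]; then
                skipped=$((skipped + 1))
                echo "skipping unsafe hook: $hook" >&2
            elif "$hook" </dev/null; then
                ok=$((ok + 1))
            else
                failed=$((failed + 1))
                echo "hook failed: $hook" >&2
            fi
        done
    done
    echo "ok=$ok skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}

# Intended call site, just before suspend/hibernate, using the directories
# proposed in the comment above:
#   run_cleanup_hooks /etc/g-pm/keycleanup "$HOME/.gnome/g-p-m/keycleanup"
```

The hook directories themselves also need to be writable only by their owner, since the function checks each file but not its parent directory. A non-zero return means at least one application may still hold secrets in RAM, so the caller can choose to warn or refuse to hibernate.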