Secret Service

GitHub release GitHub license GitHub stars GitHub issues GitHub issues

Implementation of Secret Service API


What does this project do?

By using secret service, you don’t need to use KeePassXC secretservice for storing and retrieving you applications credentials anymore, or login every time to Skype, vscode sync, Remmina


  • Archlinux: There is an AUR package named secret-service.
  • Debian: TODO deb package
  • RedHat: TODO rpm package

Manual Installation

There is a scripts/ shellscript that do the job of install/uninstall (run it by ./scripts/ but here are the details:

You need to copy the binary (secretserviced, build the project or download it from releases page) some where usually /usr/bin but if you don’t have the permission, ~/.local/bin is OK too. To build the binary from source code:

git clone
cd secret-service
go build -race -o secretserviced cmd/app/secretserviced/main.go

You need a systemd UNIT file named secretserviced.service to put in /etc/systemd/user but if you don’t have the permission ~/.config/systemd/user is OK too. Here is a sample UNIT file, change WorkingDirectory and ExecStart according to where you put the binary:

Description=Service to keep secrets of applications



CAUTION: MASTERPASSWORD is very important, don’t loose it. scripts/ would generate a random 32 character password automatically. If you don’t use the scripts/ shellscript, it is up to you to set the password and it should be EXACTLY 32 characters length.

Now start the service:

systemctl enable --now --user secretserviced.service

and you can stop the service by:

systemctl disable --now --user secretserviced.service

to see the status of service:

systemctl status --user secretserviced.service

All secret-service stuff (database, logs…) are stored under: ~/.secret-service.

By default all secrets are encrypted with AES-CBC-256 symmetric algorithm with MASTERPASSWORD. If you wish to switch between encrypted/unencrypted database you need to follow these steps:

  1. Stop service: systemctl stop --user secretserviced.service
  2. Change config encryption key (located at: ~/.secret-service/secretserviced/config.yaml)
  3. If you are changing to encryption: true make sure MASTERPASSWORD is set.
  4. Delete database (located at: ~/.secret-service/secretserviced/db.json)
  5. Start service: systemctl start --user secretserviced.service

If service refuses to start and you see OS exit code 5 in logs, it means som other application has taken dbus name org.freedesktop.secrets before (such as keyrings), stop that application and try again.


This project is in its infancy and as it is my first golang project there are many design and code problems. I do appreciate suggestions and PRs. If you can get done any item from TODO list, you are welcome. This list will be updated based on new insights and user issues.

In case of sending a PR please make sure:

  1. You are addressing just one issue per PR.
  2. Completely describe the problem and your solution in plain English.
  3. Don’t send your PRs to main branch, create a new branch based on your changes and make sure all tests are passed.
  4. If any new test is needed based on your PR, please write the test as well.


[ ] Improve CI

[ ] What’s the best way to secure /etc/systemd/user/secretserviced.service file

[ ] deb, rpm, AppImage packages

[ ] …