Gnome Keyring's 'Secure' Memory

Gnome Keyring stores secrets and passwords in memory that is locked in physical RAM to prevent it from paging out to the swap file on the disk.

Both gnome-keyring-daemon and libgnome-keyring make use of this memory. All network buffers and in memory blocks that contain secrets, passwords or encryption keys are non-pageable (see below for caveats).

You can also use this non-pageable memory through the: Secure Memory API

Requirements

• The OS has the mmap(), mlock() and related functions.

  • For now, the mlockall() function is also required for use by the password prompting tool (ie: gnome-keyring-ask)

• mlock() is callable by a normal user.

  • A modest amount (say, 256k at least) of lockable memory is required. See ulimit -l or the RLIMIT_MEMLOCK resource limit.

Behavior

• By default if 'secure' locked memory cannot be allocated, then normal memory will be used.

  • If the GNOME_KEYRING_PARANOID environment variable is set, then the process will abort instead, when secure memory cannot be allocated for one reason or another.

• Memory pages are memory mapped (with MAP_PRIVATE | MAP_ANONYMOUS) from the OS, and then suballocated to satisfy needs.

• Memory pages are given back to the OS as soon as they have no more allocations on them.
• All memory is returned in a zeroed state.

API

The API in gnome-keyring-memory.h is exposed so that applications which use gnome-keyring can take advantage of it to hold passwords or secrets securely in memory.