Chromium and Seahorse/KWallet permanent integration under linux
Chromium (the Open Source base system for Chrome) features an out-of-the-box integration with either:
- Seahorse, aka Gnome's default keyring manager
- KWallet, aka KDE's builtin keyring manager
Both the listed software are password managers which can add more security to Chromium's default password manager. Chromium's way of things would be to save all the passwords in a file, somewhat obscured - but still readable by anybody with the right tools or experience.
Storing passwords in Seahorse or KWallet, instead, means having them crypted with a safe algorithm, and definitely secure once the user has logged off the computer or the computer is turned off.
Temporarily activate integration
Chromium's integration is disabled by default. To enable it temporally you have to feed the software the option "password-store". This option can assume three values:
- "detect", automatically detect the Display Manager's own keyring - suggested.
- "gnome", to use Gnome's keyring manager Seahorse.
- "kwallet", to use Kwallet, KDE's password manager.
To temporarily start Chromium with this integration fire up a terminal or the appliction launcher (Alt+F2) and type:
chromium-browser --password-store=detect
Chromium will then start with the passwords already stored in the system keyring and new ones saved there. But this effect is not permanent, and you should also check the last section, older passwords issues.
Permanent integration with the manager
There does exists, however, a more consistent and correct way to enable the permanent integration with the system keyring. Two ways, indeed, the first to enable the integration for a user only, the second requiring superuser privileges to enable it system-wide for all users.
For a single user
You can enable the integration with the current user passing an environment variable to Chromium, namely CHROMIUM_USER_FLAGS.
- Delete all your passwords from Chrome. (see why)
- Add the line
export CHROMIUM_USER_FLAGS="--password-store=detect"to your.profilefile: execute
in a terminal.echo 'export CHROMIUM_USER_FLAGS="--password-store=detect"' >> ~/.profile
- Log off and log in again for the profile file to take effect.
- Start Chromium and add a new password: it should appear in the keyring.
For all system users
This operation requires the editing of Chromium's default configuration with superuser privileges.
Edit with a text editor /etc/chromium-browser/default replacing the line
CHROMIUM_FLAGS=""
with the line
CHROMIUM_FLAGS="--password-store=detect"
Remember to delete all the passwords before switching; read below for the reason.
Older passwords issue
Please note that Chromium does not export your password to the new password database when you're changing it, nor deletes them (as of November 2010). This means that if you're not deleting all the passwords from the unsafe Chromium database before switching, you're not getting any safer at all.
You have to delete the passwords from Chromium first, then switch to another keyring manager and re-insert them. The new ones will be safe, unlike the older ones.
I have done a brief search for a Chrome/Chromium plugin to handle exporting and importing the passwords, with no results.