Is it possible to use secret-tool to look up existing seahorse passwords?

I found this post about getting passwords from the gnome keyring from the command line (How do I get passwords from the keyring in the terminal for usage in scripts?), and I found that secret-tool is the way to go. It's great that I can store passwords with secret-tool, but I can't seem to figure out how to look up existing passwords that were stored using seahorse, which is what I'm really hoping to do. I don't know what attribute(s) and value(s) I would need to use to query them, and the man page is fairly vague on what these could possibly be.


I made a utility, lssecret, that lists all items using libsecret, including all GNOME Keyring items. It looks like libsecret automatically adds a key-value pair for every item, but Seahorse doesn't show them in the GUI. Here's some example output from lssecret:

Collection: Login

Item:   Test Password
Secret: Tr0ub4dor&3
Key:    xdg:schema
Value:  org.gnome.keyring.Note

Item:   secret-tool item
Secret: s3cret-t00l
Key:    my key
Value:  my value
Key:    xdg:schema
Value:  org.freedesktop.Secret.Generic

Item:   Unlock password for: [email protected]
Secret: correct horse battery staple
Key:    unique
Value:  ssh-store:/home/cueball/.ssh/id_rsa
Key:    xdg:schema
Value:  org.freedesktop.Secret.Generic

Item:   Network secret for GenericSSID/802-1x/password
Secret: S3cureW1f1Passw0rd
Key:    setting-name
Value:  802-1x
Key:    connection-uuid
Value:  6a762552-04b3-cd05-45ba-586688e0a029 
Key:    xdg:schema
Value:  org.freedesktop.NetworkManager.Connection
Key:    setting-key
Value:  password

GNOME Keyring stores each keyring as a collection in the secret service. You can see the default keyring, Login, in the output. The items represent:

  1. A password added to the keyring using seahorse. The description is "Test Password" and the actual password is "Tr0ub4dor&3".
  2. An item added using the command secret-tool store --label="secret-tool item" "my key" "my value", then typing "s3cret-t00l" into the prompt.
  3. A password for an ssh key so it can be automatically unlocked by gnome keyring. It was added using ssh-add from the command line, then checking the "Automatically unlock this key at login" box when it was first used.
  4. A wifi network password added by selecting "Store the password only for this user" in the NetworkManager connection editor.

As you can see, passwords added to a keyring using Seahorse have a key-value pair of "xdg:schema" and "org.gnome.keyring.Note". You can list them all using secret-tool search --all xdg:schema org.gnome.keyring.Note.


Okay, after investigating a little further, it looks like seahorse doesn't assign any attributes to Stored Passwords (I'm pretty sure secret-tool can't find a password without any attributes to look up). The reason I believe this is the case is that, after creating one in seahorse, I look at the properties->details and there are no details (i.e. attributes). I've found others in seahorse, though, that have details, and I'm able to look them up in secret-tool using those attributes.

The solution, it seems, is to create the password using secret-tool, assigning the appropriate attributes for a unique lookup later. Since they both use gnome-keyring in the background, the new password appears in seahorse the moment you create it in secret-tool.

Gnome-keyring seems more than happy to create more than one password with the exact same label (just not the exact same attributes; it will replace it if they are exactly the same), so once you've recreated it, you can just delete the old useless one from seahorse.

$ secret-tool store --label=DomainPassword user sjohnson domain some.domain
Password: thisismypa$$w0rd
$ secret-tool lookup user sjohnson domain some.domain
thisismypa$$w0rd

The reason I initially didn't want to store a password using secret-tool was that I didn't know how to get it to be a Login password (available upon login) through secret-tool. It looks like, as long as "Login" is your default keystore, secret-tool will store it there.
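
Added example (not part of either answer, and not lssecret's own code): a parser for the lssecret output format shown above that discards the Secret: lines, builds a secret-tool lookup command from each item's attributes, and flags items whose attributes cannot single them out, which is the case for Seahorse notes that carry only xdg:schema. The sample text, the "Second Note" item and the function names are constructed for illustration, and passing xdg:schema to lookup the same way the answer passes it to search is an assumption.

```python
import shlex

# Constructed sample in the lssecret output format shown on this page (dummy secrets).
SAMPLE = """\
Item:   Test Password
Secret: Tr0ub4dor&3
Key:    xdg:schema
Value:  org.gnome.keyring.Note

Item:   Second Note
Secret: dummy-value
Key:    xdg:schema
Value:  org.gnome.keyring.Note

Item:   secret-tool item
Secret: s3cret-t00l
Key:    my key
Value:  my value
Key:    xdg:schema
Value:  org.freedesktop.Secret.Generic
"""

def parse_items(text):
    """Return [(label, {attribute: value})]; Secret: lines are deliberately dropped."""
    items, key = [], None
    for line in text.splitlines():
        field, _, rest = line.partition(":")  # split on the first colon only
        rest = rest.strip()
        if field == "Item":
            items.append((rest, {}))
        elif field == "Key":
            key = rest
        elif field == "Value" and items and key is not None:
            items[-1][1][key] = rest
            key = None
    return items

def lookup_plan(items):
    """Return [(label, command, unique)] for each parsed item."""
    # unique: no other listed item carries all of this item's attributes.
    plan = []
    for label, attrs in items:
        args = " ".join(shlex.quote(p) for kv in sorted(attrs.items()) for p in kv)
        matches = sum(attrs.items() <= other.items() for _, other in items)
        plan.append((label, "secret-tool lookup " + args, matches == 1))
    return plan

if __name__ == "__main__":
    for label, command, unique in lookup_plan(parse_items(SAMPLE)):
        print(f"{label}: {command}  [{'unique' if unique else 'AMBIGUOUS'}]")
```

Items reported as ambiguous are the ones worth re-storing with secret-tool store and distinguishing attributes, as the second answer describes.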