Question, is it possible to save the keyring data somewhere else? e.g. in a shared drive? #592

Open
bravegag opened this issue Aug 31, 2022 · 3 comments

Comments

@bravegag

I have this question and couldn't find the answer in the main page or elsewhere. I can see we can query the default location for storing the credentials but didn't find a way to set that location:

python -c "import keyring.util.platform_; print(keyring.util.platform_.config_root())"

I'm after a way to store this elsewhere and change the default location.

@jaraco
Owner

jaraco commented Sep 1, 2022

Generally speaking, keyring avoids storing data on disk. The config_root is for storing configuration, such as which keyring backend to prefer. The credentials are stored by the backends, which is backend dependent, using platform security measures to securely store credentials (usually based on your login password or a master password). On Linux, it's a little more complicated, but still uses the best available mechanism to store (Kwallet, SecretService, etc).

What is it you're trying to achieve?

@jaraco jaraco added the question label Sep 1, 2022
@bravegag
Author

bravegag commented Sep 1, 2022

@jaraco thanks a lot for the quick feedback. I am in a corporate setup and we run Python CLI applications across different Workstations and we wanted to have a shared vault in e.g. a shared drive. I know, it is not super sophisticated but this is what we have to work with :)

Ah we're on Windows 10 64b Pro.

@jaraco jaraco added the Windows label Dec 7, 2022
@jaraco
Owner

jaraco commented Dec 7, 2022

Sorry for the delay. You got lucky in my first response, but not so much in my second ;)

To my knowledge, the Windows Credential Vault, which backs keyring in the Windows environment, doesn't have support for a vault outside of the user's administration.

One option might be to store the credential on some trusted Windows account, and then back up that vault from the Credential Manager to the shared drive, and then require each user to restore credentials from that backup.

Another option, which is harder to implement, would be to find an alternate backend, something like the EncryptedKeyring from keyrings.alt, which requires manual management of the encryption key, or possibly use the plain text keyring, but using Windows file system encryption to secure the contents.

The real question you have to ask yourself is how do you intend to protect the credentials - what is it that allows the user to access the shared vault but retain confidentiality from anyone else? The Credential Vault achieves this by only unlocking the vault for that user when that user's password is entered.

You may want to reflect on your security methodology. In general, it's not good to be sharing credentials at all. Is there a different approach that might allow each user to have their own credential (perhaps to request a shared credential)?
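
Added example (not part of the issue thread and not keyring's own code): a standard-library check of which backend a workstation's keyring configuration prefers, flagging the file-backed keyrings.alt backends mentioned above. The function names are hypothetical; the `keyringrc.cfg` file name, its `[backend]` / `default-keyring` option and the `PYTHON_KEYRING_BACKEND` variable are taken from keyring's documentation rather than from this thread.

```python
import configparser

# Backends named in this thread that keep secrets in a file instead of an OS vault.
FILE_BACKED = {
    "keyrings.alt.file.PlaintextKeyring":
        "plaintext file; confidentiality rests entirely on file-system protection",
    "keyrings.alt.file.EncryptedKeyring":
        "encrypted file; the encryption key must be managed manually",
}


def configured_backend(cfg_text, environ):
    """Return the backend class path keyring is told to prefer, or None.

    The PYTHON_KEYRING_BACKEND environment variable is checked before the
    [backend] default-keyring option of keyringrc.cfg.
    """
    from_env = environ.get("PYTHON_KEYRING_BACKEND", "").strip()
    if from_env:
        return from_env
    parser = configparser.RawConfigParser()
    parser.read_string(cfg_text)
    if parser.has_option("backend", "default-keyring"):
        return parser.get("backend", "default-keyring").strip() or None
    return None


def assess(cfg_text, environ=None):
    """Classify a workstation's keyring configuration as (kind, detail)."""
    name = configured_backend(cfg_text, environ or {})
    if name is None:
        return ("auto", "no preference set; keyring picks the platform backend")
    if name in FILE_BACKED:
        return ("file", FILE_BACKED[name])
    return ("other", name)


# Constructed sample of a keyringrc.cfg, not taken from the issue.
SAMPLE_CFG = """\
[backend]
default-keyring=keyrings.alt.file.PlaintextKeyring
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CFG))
    print(assess("", {"PYTHON_KEYRING_BACKEND": "keyrings.alt.file.EncryptedKeyring"}))
```

A result of kind "file" means the credentials live in a file whose protection is whatever the file system and key handling provide, which is the confidentiality question raised in the comment above.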
