#1 2025-12-02 15:07:39

Aipathon
Member
Registered: 2025-06-04
Posts: 7

How to stop NetworkManager from storing passwords in plain text

So, my problem is the following. I am currently setting up a system for lending laptops to other students at my university. If those students want to use the University WIFI (eduroam) they have to log in using their university account and password. With these two credentials you can do basically everything for them and leaking these is quite dangerous. This is the reason why I want to make 100% sure that there's no possibility for any person to accidentally or intentionally ever gain access to the password, even if they have root access (the amount of people who will have root access, but I don't want to risk my head in case someone abuses it to steal login credentials).

So now my question is, is there any way I can stop NetworkManager from storing the passwords for connections in plaintext in the /etc/NetworkManager/system-connections/<Network>.nmconnection files? I found this blog post: https://bkhome.org/news/201909/encrypte … nager.html however, I could not get it to work. I suspect that it has something to do with the gnome-keyring-daemon, which I could not get to run. When trying to start it with systemctl start gnome-keyring-daemon I get the following error: Failed to start gnome-keyring-daemon.service: Unit gnome-keyring-daemon.service not found.

So I looked up the documentation on the daemon and tried to start it with gnome-keyring-daemon --start as described here: https://wiki.gnome.org/Projects(2f)Gnom … aemon.html this produced the same error as here: https://discuss.cachyos.org/t/gnome-key … emon/11060 but the solution they used also worked for me, however: I still could not get the gnome-keyring-daemon to run. When trying to start it again I get the following output: discover_other_daemon:

1GNOME_KEYRING_CONTROL=/run/user/1000/keyring

I also tried to start it using systemctl start gnome-keyring-daemon but this didn't work, since it couldn't find the gnome-keyring-daemon.service file.

At this point I have no idea what else I can do to eventually get the daemon running to encrypt the passwords. If someone has any other idea on how I could encrypt the passwords I would be very thankful. I don't care how it will be done, but under no circumstance do I want to risk my head for leaking other people's login credentials because I was too lazy to fix this.

Offline

#2 2025-12-02 15:14:01

mithrial
Member
Registered: 2017-03-05
Posts: 119

Re: How to stop NetworkManager from storing passwords in plain text

While this doesn't help directly, I would recommend talking to your IT support for guest accounts. Or use a public Wifi. It cannot work to hide the passphrase, at some point NM has to authenticate and must have access to the password. Root will always find a way to decrypt this password.

Don't give your guests root access to the laptops.

Offline

#3 2025-12-02 17:07:30

system72
Member
Registered: 2025-11-22
Posts: 338
Website

Re: How to stop NetworkManager from storing passwords in plain text

read this https://wiki.archlinux.org/title/GNOME/Keyring and this https://wiki.archlinux.org/title/Networ … _passwords

Last edited by system72 (2025-12-02 17:11:43)

Offline

#4 2025-12-07 13:44:44

Aipathon
Member
Registered: 2025-06-04
Posts: 7

Re: How to stop NetworkManager from storing passwords in plain text

This may work, but the main problem I have is that I would like to have a way of doing this in the CLI. The wiki page you linked uses nm-connection-editor or you can use nmtui but I would like to set up the security via a shell script, this way I can automate it much better and be sure that everything works the way I am expecting it to.

Offline

#5 2025-12-07 13:48:24

system72
Member
Registered: 2025-11-22
Posts: 338
Website

Re: How to stop NetworkManager from storing passwords in plain text

oh sorry, I don't know any other way then

Last edited by system72 (2025-12-07 13:51:46)

Offline

#6 2025-12-07 15:01:50

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 24,959

Re: How to stop NetworkManager from storing passwords in plain text

Since gnome-keyring-daemon will be a user service you need to use "systemctl --user start/enable/... " https://wiki.archlinux.org/title/Systemd/User

And the link linked above talks about allowing this with the nmcli --ask option, which you can substitute after getting the daemon to run.

Offline

#7 2025-12-07 15:02:38

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,519

Re: How to stop NetworkManager from storing passwords in plain text

"no possibility for any person to accidentally or intentionally ever gain access to the password, even if they have root access (the amount of people who will have root access, but I don't want to risk my head in case someone abuses it to steal login credentials)."

*Everybody!* w/ hw access to the system has root access (that implies everyone who can decrypt an encrypted partition)
Other than that, GKR will ideally require the user's login password to open the vault but once open, everyone can just read it.

You don't want to store those credentials at all => https://man.archlinux.org/man/nm-settin … flag_types: / 0x2
Unfortunately there's still no guarantee that "random NM frontend" will obey that.

"The wiki page you linked uses nm-connection-editor or you can use nmtui but I would like to set up the security via a shell script"

You can write the connection profile w/ any texteditor or cat heredocs.

Other than that

"gnome-keyring-daemon, which I could not get to run"

run where and how? In a gnome session?
system72's link shows how to set up GKR, that has nothing to do w/ NM configuration and it's not at all required to run any GUI to configure the pam modules - they're ASCII text.

Offline
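
The approach from post #7 (a profile written with a heredoc, secret flag 0x2 so nothing is stored), together with a check for keyfiles that do hold a secret. This is an added example, not code from the thread; the SSID, EAP method, identity and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example; SSID, EAP method and identity are placeholders (assumptions).

# write_profile DIR IDENTITY
# Writes DIR/eduroam.nmconnection with no password in it. password-flags=2
# (0x2, "not saved") makes NetworkManager ask on every activation.
write_profile() {
    local dir=$1 identity=$2 file uuid
    file="$dir/eduroam.nmconnection"
    uuid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen)
    (
        umask 077   # keyfiles must not be readable by group/others
        cat > "$file" <<EOF
[connection]
id=eduroam
uuid=$uuid
type=wifi

[wifi]
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
phase2-auth=mschapv2
identity=$identity
password-flags=2
EOF
    )
    echo "$file"
}

# audit_secrets DIR
# Prints "file:key" for every secret stored in a keyfile under DIR.
# Only the key name is reported, never the value.
audit_secrets() {
    local dir=$1 f
    for f in "$dir"/*.nmconnection; do
        [ -f "$f" ] || continue
        awk -F= -v f="$f" '/^(password|psk|pin|leap-password|private-key-password|phase2-private-key-password|wep-key[0-3])=./ { print f ":" $1 }' "$f"
    done
}

case "${1:-}" in
    write) write_profile "$2" "$3" ;;
    audit) audit_secrets "$2" ;;
esac
```

Run as root against /etc/NetworkManager/system-connections, the file must be owned by root with mode 0600; after `nmcli connection reload`, `nmcli --ask connection up eduroam` prompts for the password. The CA certificate and server-name settings your university publishes for eduroam still have to be added to the [802-1x] section.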
