OSCrypt for POSIX uses libsecret to store a randomised encryption key.

components/os_crypt/key_storage_linux.cc

Index: components/os_crypt/key_storage_linux.cc
diff --git a/components/os_crypt/key_storage_linux.cc b/components/os_crypt/key_storage_linux.cc
new file mode 100644
index 0000000000000000000000000000000000000000..b95085969fce38984c7a6898639ed28db0f2b151
--- /dev/null
+++ b/components/os_crypt/key_storage_linux.cc
@@ -0,0 +1,89 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/os_crypt/key_storage_linux.h"
+
+#include "base/base64.h"
+#include "base/rand_util.h"
+#include "base/strings/string_number_conversions.h"
+#include "components/os_crypt/libsecret_util_posix.h"
+
+#ifdef OFFICIAL_BUILD

[vabr (Chromium), 2016/05/13 15:10:17]

I'm not sure we need to differentiate the name here. It is not particularly
user-facing, and there is no problem arising from potential clashes between
Chrome and Chromium running on the same computer (it can also be multiple
instances of the official build in parallel, anyway). So to keep out unnecessary
#ifdefs, I would just go with the "Chromium" version.

[cfroussios, 2016/05/13 17:09:11]

This name is the name Seahorse uses to display the entry. I did it to be
consistent with the mac implementation, which also does this.

+const char kKeyStorageEntryName[] = "Chrome Safe Storage";
+#else
+const char kKeyStorageEntryName[] = "Chromium Safe Storage";
+#endif
+
+// static
+std::unique_ptr<KeyStorage> KeyStorage::FindService() {

[vabr (Chromium), 2016/05/13 15:10:17]

nit: Here "Find" is a bit confusing. It sounds like there is a pool of already
created objects, which are searched for the one to return. Instead this just
creates a new one or gives up completely.

My suggestion: The appropriate name would be Create().

[cfroussios, 2016/05/13 17:09:11]

Done.

+  std::unique_ptr<KeyStorage> key_storage;
+
+  key_storage.reset(new KeyStorageLibsecret());

[vabr (Chromium), 2016/05/13 15:10:17]

nit: You can merge lines 20 and 22.

[cfroussios, 2016/05/13 17:09:11]

I added this redundant expression to be symmetrical with other KeyStorages, that
are not yet implemented.

+  if (key_storage->Init())
+    return key_storage;
+
+  return nullptr;
+}
+
+const SecretSchema kKeystoreSchema = {
+    "chrome_libsecret_os_crypt_password",
+    SECRET_SCHEMA_NONE,
+    {
+        {nullptr, SECRET_SCHEMA_ATTRIBUTE_STRING},
+    }};
+
+std::string AddRandomPasswordInLibsecret() {

[vabr (Chromium), 2016/05/13 15:10:17]

nit: Please put local (=not exported beyond this .cc file) functions into an
anonymous namespace.

[cfroussios, 2016/05/13 17:09:11]

Done.

+  std::string password;
+  base::Base64Encode(base::RandBytesAsString(128 / 8), &password);
+  GError* error = nullptr;
+  LibsecretLoader::secret_password_store_sync(
+      &kKeystoreSchema, nullptr, kKeyStorageEntryName, password.c_str(),
+      nullptr, &error, nullptr);
+
+  if (error) {
+    VLOG(1) << "Libsecret lookup failed: " << error->message;
+    return std::string();
+  }
+  return password;
+}
+
+std::string KeyStorageLibsecret::GetKey() {
+  GError* error = nullptr;
+  LibsecretAttributesBuilder attrs;
+  SecretValue* password_libsecret = LibsecretLoader::secret_service_lookup_sync(
+      nullptr, &kKeystoreSchema, attrs.Get(), nullptr, &error);
+
+  if (error) {
+    VLOG(1) << "Libsecret lookup failed: " << error->message;
+    g_error_free(error);
+    return "";

[vabr (Chromium), 2016/05/13 15:10:17]

"" -> std::string()

[cfroussios, 2016/05/13 17:09:11]

Done.

+  } else if (password_libsecret == nullptr) {
+    return AddRandomPasswordInLibsecret();
+  } else {
+    std::string password(
+        LibsecretLoader::secret_value_get_text(password_libsecret));
+    LibsecretLoader::secret_value_unref(password_libsecret);
+    return password;
+  }
+}
+
+bool KeyStorageLibsecret::Init() {
+  return LibsecretLoader::EnsureLibsecretLoaded();
+}
+
+KeyStorageMock::KeyStorageMock(std::string in_key) : key(in_key) {}

[vabr (Chromium), 2016/05/13 15:10:17]

Either use std::move(in_key) or change the type of in_key to "const
std::string&" to avoid unnecessary copies.

[cfroussios, 2016/05/13 17:09:11]

Done.

+
+std::string KeyStorageMock::GetKey() {
+  if (key == "")

[vabr (Chromium), 2016/05/13 15:10:17]

if (key_.empty())

(empty() is more efficient than string comparison.)

[cfroussios, 2016/05/13 17:09:11]

Done.

+    base::Base64Encode(base::RandBytesAsString(128 / 8), &key);
+  return key;
+}
+
+bool KeyStorageMock::Init() {
+  return true;
+}
+
+void KeyStorageMock::ResetTo(std::string in_key) {
+  key = std::move(in_key);
+}