Linux (Ubuntu) equivalent to Windows DPAPI


I am trying to find a solution to store secrets (to be used by my application) on Ubuntu Server 20.04. I have used Windows' DPAPI in the past to store secrets using the protection of the user account accessing the API. Is there an official package on apt or snap providing this? Is there something like that inside the Linux kernel?

I would use the file system ACL, but this is not enough for me as I want the files to be unusable if the hard drive is compromised.


This project stores secrets on Windows/Mac/Linux.

https://pypi.org/project/keyring/

Specifically:

It's a good reference no matter what language you're using.

To achieve a similar workflow to DPAPI, generate a 16-byte secure random password, save it in the keychain, and use it to encrypt your data.

If you have more than 1 file, you will want to place a 16-byte secure random salt in each file, and sha3 hash (or, better, hkdf) it with your random password. This will give you 1 key per file without filling up the chain.
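The workflow the answer describes, as an added example that is not the answerer's code nor part of the keyring project: a master secret kept in the keychain, a random salt stored with each file, and HKDF (RFC 5869, HMAC-SHA256, implemented here with the standard library) to derive one key per file. `InMemoryKeychain`, the service/account names and the info string are assumptions for the example; in a real deployment the two keychain calls map directly onto `keyring.set_password` / `keyring.get_password`.

```python
import hashlib
import hmac
import os

# Assumed names for this example; keyring stores string passwords under
# a (service, account) pair, so the master secret is kept hex-encoded.
SERVICE, ACCOUNT = "example-app", "file-master-secret"
SALT_LEN, KEY_LEN = 16, 32


class InMemoryKeychain:
    """Stand-in for the OS keychain (constructed for this example)."""
    def __init__(self):
        self._store = {}

    def set_password(self, service, account, password):
        self._store[(service, account)] = password

    def get_password(self, service, account):
        return self._store.get((service, account))


def get_or_create_master(keychain) -> bytes:
    """Fetch the 16-byte master secret, generating it on first use."""
    hex_secret = keychain.get_password(SERVICE, ACCOUNT)
    if hex_secret is None:
        hex_secret = os.urandom(16).hex()
        keychain.set_password(SERVICE, ACCOUNT, hex_secret)
    return bytes.fromhex(hex_secret)


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869), HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        data = block + info + bytes([counter])
        block = hmac.new(prk, data, hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def per_file_key(master: bytes, salt: bytes) -> bytes:
    """One 32-byte key per file, bound to that file's random salt."""
    return hkdf(master, salt, b"example-app file key v1", KEY_LEN)


def new_file_salt() -> bytes:
    """Written in the clear at the head of each encrypted file."""
    return os.urandom(SALT_LEN)
```

The derived 32-byte key is what you would hand to an AEAD such as AES-GCM (e.g. from the `cryptography` package, not shown here); only the salt needs to live in the file, and only the master secret needs to live in the keychain.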