I've just released a python keyring companion package to encrypt the passwords in a file, available here.
Description
The project is mainly targeted to provide a sufficiently secure storage for plain text passwords (keyring) in a simple portable file, where the default keyring storage implementation of a desktop environment doesn't fit.
Cryptography
The keyring is secured with a keyring password. A raw Argon2(\$argon2id\$v=19\$m=65536,t=15,p=2) hash is generated from the keyring password, which is used as a key for AES encryption of plaintext passwords in OCB mode. The resulting encrypted data is persisted, together with the Argon2 salt, the OCB nonce and the OCB MAC. This value is stored with service/userid reference in a text file (.ini format).
Initially, a static reference value, treated as a plaintext password is stored as well, and this values is used for verification of the keyring password in subsequent accesses.
Attack surface
The static reference value might allow some form of attack, as it encrypts a well known value. Hopefully, the Argon2 hash, combined with the AES encryption raises the effort to break the key sufficiently high.
Conclusion
Is this approach sufficient for establishing privacy of the secured data?
