Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Single Desktop

Open Sesame runs as a full desktop suite on COSMIC/Wayland systems, providing secret management, window management overlays, clipboard isolation, input capture, and application launching across trust profiles.

Package Model

A desktop installation requires both packages:

PackageContents
open-sesameCLI (sesame), headless daemons: profile, secrets, launcher, snippets
open-sesame-desktopDesktop daemons: wm, clipboard, input; Wayland/COSMIC integration

The open-sesame-desktop package depends on open-sesame. Installing the desktop package pulls in the headless package automatically.

Installation

APT (Ubuntu 24.04 Noble)

curl -fsSL https://scopecreep-zip.github.io/open-sesame/gpg.key \
  | sudo gpg --dearmor -o /usr/share/keyrings/open-sesame.gpg

echo "deb [signed-by=/usr/share/keyrings/open-sesame.gpg] \
  https://scopecreep-zip.github.io/open-sesame noble main" \
  | sudo tee /etc/apt/sources.list.d/open-sesame.list

sudo apt update
sudo apt install open-sesame open-sesame-desktop

Package integrity is verified via GPG-signed repository indices and SLSA build provenance attestations generated by GitHub Actions. See SECURITY.md for verification commands.

Nix Flake

nix profile install github:ScopeCreep-zip/open-sesame

Pre-built binaries are available from the scopecreep-zip.cachix.org binary cache with Ed25519 signing. For home-manager integration, add the flake input and include the Open Sesame module in the home-manager configuration.

From Source

cargo build --release --workspace

The seven daemon binaries (daemon-profile, daemon-secrets, daemon-launcher, daemon-snippets, daemon-wm, daemon-clipboard, daemon-input) and the sesame CLI are placed in target/release/.

Initialization

After installation, initialize the installation identity and default vault:

sesame init

This command performs the following:

  1. Generates a UUID v4 installation identifier, persisted to ~/.config/pds/installation.toml as an InstallationConfig (core-config/src/schema_installation.rs).
  2. Derives a deterministic namespace UUID for profile ID generation (namespace field).
  3. Creates the default trust profile vault (vaults/default.db) as a SQLCipher-encrypted database.
  4. Enrolls the first authentication factor (password via Argon2id KDF or SSH agent key).
  5. Installs and enables systemd user services and targets.

Optionally, an organizational namespace can be provided at init time:

sesame init --org braincraft.io

This populates the org field in installation.toml with the domain and a deterministic namespace derived as uuid5(NAMESPACE_URL, domain), per the OrgConfig type.

Daemon Architecture

All seven daemons run as systemd user services:

DaemonResponsibilityTargetSecurityLevel
daemon-profileIPC bus host, key management, profile activation, auditHeadlessInternal
daemon-secretsSQLCipher vaults, ACL, rate limitingHeadlessSecretsOnly
daemon-launcherApplication launching, frecency scoringHeadlessInternal
daemon-snippetsSnippet managementHeadlessInternal
daemon-wmWindow management, Alt+Tab overlayDesktopInternal
daemon-clipboardClipboard isolation per profileDesktopProfileScoped
daemon-inputKeyboard/mouse capture, hotkey routingDesktopInternal

Inter-daemon communication uses the Noise IK protocol (X25519 + ChaChaPoly + BLAKE2s) over a Unix domain socket IPC bus hosted by daemon-profile. Each daemon registers its X25519 static public key in the clearance registry (core-ipc/src/registry.rs). Messages are routed based on SecurityLevel ordering: Open < Internal < ProfileScoped < SecretsOnly. A daemon can only emit messages at or below its own clearance level, and only receives messages at or below its clearance level.

systemd Targets

Two systemd targets compose the service graph:

TargetWantedByDaemons
open-sesame-headless.targetdefault.targetprofile, secrets, launcher, snippets
open-sesame-desktop.targetgraphical-session.targetwm, clipboard, input

The desktop target declares Requires=open-sesame-headless.target graphical-session.target. Starting the desktop target starts all headless daemons first. Stopping the desktop target leaves headless daemons running, so secret management continues when the graphical session is inactive.

All daemon services use Type=notify with WatchdogSec=30. Services that fail restart after RestartSec=5.

Service Dependency Graph

default.target
  +-- open-sesame-headless.target
        +-- open-sesame-profile.service
        +-- open-sesame-secrets.service   (Requires/After: profile)
        +-- open-sesame-launcher.service  (After: profile)
        +-- open-sesame-snippets.service  (After: profile)

graphical-session.target
  +-- open-sesame-desktop.target          (Requires: headless)
        +-- open-sesame-wm.service
        +-- open-sesame-clipboard.service
        +-- open-sesame-input.service

File Locations

Configuration

PathPurpose
~/.config/pds/config.tomlUser configuration: profiles, crypto, agents, extensions
~/.config/pds/installation.tomlInstallation identity: UUID, namespace, org, machine binding
~/.config/pds/ssh-agent.envSSH agent socket path for factor enrollment
/etc/pds/policy.tomlSystem policy overrides (enterprise-managed, read-only at runtime)

Configuration follows layered inheritance: system policy > user config > built-in defaults. Each PolicyOverride (core-config/src/schema.rs) records a dotted key path, enforced value, and source string (e.g., /etc/pds/policy.toml).

Runtime

PathPurpose
$XDG_RUNTIME_DIR/pds/Runtime directory
$XDG_RUNTIME_DIR/pds/bus.sockNoise IK IPC bus socket

The IPC socket path can be overridden via the global.ipc.socket_path key in config.toml. Default channel capacity per subscriber is 1024 messages with a 5-second slow-subscriber timeout (IpcConfig in core-config/src/schema.rs).

Data

PathPurpose
~/.config/pds/vaults/{profile}.dbSQLCipher encrypted vault per trust profile
~/.config/pds/launcher/{profile}.frecency.dbApplication launch frecency database
~/.config/pds/audit/BLAKE3 hash-chained audit log

Each trust profile name maps 1:1 to a vault file. The TrustProfileName type (core-types/src/profile.rs) enforces path safety: ASCII alphanumeric plus hyphens and underscores, max 64 bytes, no path traversal components.

Security Hardening

Each daemon service applies the following systemd directives (see contrib/systemd/*.service):

  • NoNewPrivileges=yes – prevents privilege escalation.
  • ProtectSystem=strict – mounts the filesystem read-only except explicit ReadWritePaths.
  • ProtectHome=read-only – prevents writes outside ~/.config/pds/ and $XDG_RUNTIME_DIR/pds/.
  • LimitCORE=0 – disables core dumps.
  • LimitMEMLOCK=64M – permits memfd_secret(2) and mlock(2) allocations for secure memory.
  • MemoryMax – per-daemon ceiling (128M for profile, 256M for secrets).

The secrets daemon additionally declares PrivateNetwork=yes, preventing all network access from the process that holds decrypted vault keys.

Landlock filesystem sandboxing and seccomp-bpf syscall filtering are applied in-process by each daemon at startup. Partially-enforced Landlock is treated as a fatal error; the daemon does not start with degraded isolation.

Desktop Overlay

On COSMIC desktops, daemon-wm provides an Alt+Tab window switching overlay rendered via the COSMIC compositor backend (platform-linux). The overlay displays windows scoped to the active trust profile. Profile switching is routed through the IPC bus at Internal security level.

Verification

After initialization:

# Verify all daemons are healthy
sesame status

# Verify systemd targets
systemctl --user status open-sesame-headless.target
systemctl --user status open-sesame-desktop.target

# Verify IPC bus socket exists
ls -la $XDG_RUNTIME_DIR/pds/bus.sock

# Verify vault was created
ls -la ~/.config/pds/vaults/default.db