The Linux Credential Crisis: Why Your Desktop Still Can’t Match Windows and macOS for Secure Authentication

A forthcoming FOSDEM 2026 talk highlights Linux's critical credential management gap compared to Windows and macOS, examining fragmented keychain solutions, missing hardware-backed authentication, and the urgent need for a unified platform approach as passkeys reshape digital security.
Written by Dave Ritchie

For decades, Linux has been the backbone of servers, cloud infrastructure, and embedded systems worldwide. Yet when it comes to one of the most fundamental aspects of modern computing — securely managing user credentials on the desktop — the open-source operating system remains stubbornly behind its proprietary rivals. A forthcoming talk at FOSDEM 2026, the premier European open-source developer conference, is poised to shine an uncomfortable spotlight on this gap, and the developer behind it is calling for nothing less than a complete rethinking of how Linux handles credentials.

Alfie Emanuele, a software engineer and security researcher, has announced a presentation titled “Credentials for Linux” scheduled for FOSDEM 2026, which will take place in Brussels in early February 2026. According to Emanuele’s personal site, the talk aims to dissect the current state of credential management on Linux desktops, compare it unfavorably with the integrated solutions available on Windows and macOS, and propose a path forward that could finally bring Linux up to parity — or beyond — in this critical area of user security.

A Fragmented Ecosystem Where Secrets Go to Die

The problem Emanuele is tackling is not new, but it has grown more urgent as Linux desktop adoption has accelerated in certain enterprise and developer segments. On Windows, the Credential Manager and Windows Hello provide a unified, hardware-backed system for storing passwords, tokens, and cryptographic keys. On macOS, the Keychain has served a similar role for over two decades, tightly integrated with the operating system, biometric authentication via Touch ID and Face ID, and Apple’s Secure Enclave hardware. Both platforms offer developers a single, well-documented API for credential storage that users interact with seamlessly, often without even knowing it.

Linux, by contrast, offers a patchwork of competing and often incompatible solutions. GNOME Keyring, KDE Wallet, and the freedesktop.org Secret Service API each provide some credential storage capabilities, but none has achieved the universal adoption or deep system integration that their proprietary counterparts enjoy. Applications frequently implement their own credential storage mechanisms, storing secrets in plaintext configuration files, SQLite databases, or custom encrypted formats scattered across the user’s home directory. The result is a security posture that varies wildly from one application to the next and from one desktop environment to another.
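One consequence of this fragmentation is that there is no single place to audit: secrets end up as literal values in per-application files under the home directory. As an added illustration (example code, not from the article or the talk), the following scans a directory for credential-like keys that still carry a plaintext value in INI, JSON and dotenv-style files; the file names and contents are constructed samples, and the regex is a heuristic.

```python
import configparser
import json
import re
import tempfile
from pathlib import Path

# Constructed sample files standing in for per-application secret storage
# scattered across $HOME. Hypothetical app names; not from any real project.
SAMPLE_FILES = {
    ".config/mailapp/accounts.ini": "[imap]\nuser = alice\npassword = hunter2\n",
    ".cache/cloudcli/tokens.json": json.dumps({"access_token": "eyJ0ZXN0.ABC.DEF", "expires": 3600}),
    ".config/devtool/.env": "API_KEY=sk_live_0123456789abcdef\nREGION=eu-west\n",
    # Empty value: the app keeps the real secret in the Secret Service instead.
    ".config/chat/settings.ini": "[auth]\npassword = \n# kept in Secret Service\n",
}

# Heuristic: key names that usually hold a credential.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)", re.I)

def key_value_pairs(path: Path):
    """Yield (key, value) pairs from a JSON, INI or KEY=VALUE file."""
    text = path.read_text()
    if path.suffix == ".json":
        obj = json.loads(text)
        if isinstance(obj, dict):
            for k, v in obj.items():
                yield k, v if isinstance(v, str) else ""
        return
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)  # INI: keys are lower-cased by configparser
        for section in parser.sections():
            yield from parser[section].items()
        return
    except configparser.Error:
        pass  # no section header: treat as dotenv-style KEY=VALUE lines
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, _, v = line.partition("=")
            yield k.strip(), v.strip()

def find_plaintext_secrets(home: Path):
    """Return [(relative path, key)] for credential-like keys with a literal value."""
    findings = []
    for path in sorted(p for p in home.rglob("*") if p.is_file()):
        for key, value in key_value_pairs(path):
            if SECRET_KEY_RE.search(key) and value.strip():
                findings.append((str(path.relative_to(home)), key))
    return findings

def build_sample_home() -> Path:
    """Write the constructed sample files into a temp dir standing in for $HOME."""
    home = Path(tempfile.mkdtemp())
    for rel, content in SAMPLE_FILES.items():
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text(content)
    return home
```

Running `find_plaintext_secrets(build_sample_home())` reports the IMAP password, the cached access token and the API key, while the account whose secret lives in the Secret Service is not flagged.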

The Hardware Gap: TPMs, Secure Enclaves, and the Missing Link

One of the most significant dimensions of this problem is hardware-backed credential storage. Modern Windows and macOS systems leverage Trusted Platform Modules (TPMs) and secure enclaves to ensure that cryptographic keys and sensitive credentials never leave dedicated security hardware. This means that even if an attacker gains full access to the operating system, extracting the actual credential material remains extraordinarily difficult. Windows Hello for Business, for example, can bind user authentication credentials to a device’s TPM, making phishing and credential theft dramatically harder.

Linux has had TPM support for years through the kernel’s TPM subsystem and tools like tpm2-tools, but the integration between TPM hardware and desktop credential management remains rudimentary at best. There is no standard, user-friendly mechanism for a Linux desktop application to say, “Store this credential in the TPM” in the way that a Windows application can leverage the platform’s credential APIs to achieve hardware binding transparently. Emanuele’s talk, as described on his website, is expected to address this hardware integration gap directly, arguing that any serious credential management solution for Linux must treat TPM and similar hardware security modules as first-class citizens rather than afterthoughts.

FIDO2, Passkeys, and the Urgency of the Moment

The timing of this conversation is particularly significant given the industry-wide push toward passkeys and FIDO2-based authentication. Major technology companies including Google, Apple, and Microsoft have been aggressively promoting passkeys as a replacement for traditional passwords. Passkeys rely on public-key cryptography and are designed to be stored in platform authenticators — essentially, the operating system’s built-in credential management system. On Windows and macOS, passkey support is deeply integrated into the OS, with seamless synchronization across devices through Microsoft accounts and iCloud Keychain, respectively.

For Linux users, the passkey experience is considerably more fragmented. Browser-based implementations exist, and hardware security keys like YubiKeys work well, but there is no platform-level passkey authenticator equivalent to what Windows and macOS provide. This means that as the web moves increasingly toward passwordless authentication, Linux desktop users risk being left without a first-class experience. The FIDO Alliance’s specifications are platform-agnostic in theory, but in practice, the absence of a unified credential management layer on Linux creates a significant barrier to adoption. Emanuele’s FOSDEM presentation appears designed to galvanize the Linux community around solving this specific problem before the gap becomes insurmountable.

The Systemd Factor and the Politics of Integration

Any discussion of system-level services on modern Linux inevitably touches on systemd, the init system and service manager that has become the de facto standard on most major distributions. Lennart Poettering, systemd’s creator and lead developer, has in recent years turned significant attention to security-related features, including systemd-cryptenroll for binding disk encryption to TPMs and systemd-homed for portable, encrypted home directories. These efforts represent the closest thing Linux has to a platform-level approach to credential and identity management, but they remain controversial within parts of the community that resist systemd’s expanding scope.

The question of whether credential management should be a systemd responsibility, a desktop environment responsibility, or something handled by an entirely independent project is one of the key architectural debates that Emanuele’s talk is likely to engage with. The freedesktop.org Secret Service specification, implemented by both GNOME Keyring and KDE Wallet, was an early attempt at standardization, but it predates the passkey era and was not designed with hardware security modules in mind. A new approach would need to bridge the gap between low-level kernel and hardware interfaces — TPMs, FIDO2 authenticators, and potentially ARM TrustZone or Intel SGX enclaves — and the high-level APIs that application developers actually use.

Enterprise Implications and the Cost of Inaction

For enterprise IT departments, the credential management gap on Linux is more than an academic concern. As organizations increasingly deploy Linux desktops for developers, engineers, and security-conscious roles, the inability to enforce hardware-backed credential policies comparable to those available on Windows creates real compliance and security challenges. Zero-trust architectures, which are becoming the standard framework for enterprise security, depend heavily on strong device identity and credential binding — capabilities that are mature on Windows through solutions like Microsoft Entra ID (formerly Azure Active Directory) and Conditional Access policies.

Linux enterprise solutions like Red Hat’s SSSD (System Security Services Daemon) and FreeIPA provide identity management and Kerberos-based authentication, but these are primarily server and network-oriented tools. They do not address the desktop credential storage problem in the way that enterprise IT administrators need. The gap is particularly acute for organizations subject to regulations like NIST 800-171 or the EU’s NIS2 directive, which increasingly mandate hardware-backed authentication for privileged access. Without a platform-level solution, enterprises are forced to layer on third-party tools or accept a lower security baseline for their Linux endpoints.

A Call to Arms at FOSDEM

FOSDEM has long served as a venue where critical infrastructure discussions happen in the open-source world. The conference, held annually at the Université libre de Bruxelles, draws thousands of developers and has been the birthplace of numerous important open-source initiatives. Emanuele’s decision to bring the credential management discussion to this venue, as announced on his talks page, suggests an intent to move beyond complaint and toward concrete action, potentially rallying contributors from across the Linux ecosystem around a shared specification or reference implementation.

The challenge ahead is formidable. Building a credential management system that works across GNOME, KDE, and other desktop environments, integrates with TPMs and FIDO2 authenticators, supports the emerging passkey ecosystem, satisfies enterprise compliance requirements, and does all of this without requiring users to have a Ph.D. in cryptography is an extraordinarily ambitious undertaking. But the alternative — continuing to let every application and desktop environment reinvent the wheel while Windows and macOS pull further ahead — is increasingly untenable. If the Linux desktop is ever to be taken seriously as a platform for mainstream and enterprise use, solving the credential problem is not optional. It is existential. Emanuele’s FOSDEM 2026 talk may well mark the moment the community decided to stop ignoring the elephant in the room and start building the solution it has needed for years.
