GNOME/Keyring
GNOME Keyring is "a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications."
Installation
When using GNOME, gnome-keyring is installed automatically as a part of the gnome group. Otherwise install the gnome-keyring package. Install libsecret to allow applications to use your keyrings. libgnome-keyring is deprecated, however, some applications may require it.
Extra utilities related to GNOME keyring include:
- secret-tool — Access the GNOME keyring (and any other service implementing the DBus Secret Service API) from the command line.
- gnome-keyring-query (package gnome-keyring-queryAUR) — Provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring (uses the deprecated libgnome-keyring).
- gkeyring — Query passwords from the command line (uses the deprecated libgnome-keyring).
Manage using GUI
You can manage the contents of GNOME Keyring using Seahorse. Install it with the package seahorse.
It is possible to leave the GNOME keyring password blank or change it. In Seahorse, in the "View" drop-down menu, select "By Keyring". On the Passwords tab, right-click on "Passwords: login" and pick "Change password". Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by pressing "Use Unsafe Storage".
Using the keyring outside GNOME
Without a display manager
Automatic login
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.
Console login
When using console-based login, the keyring daemon can be started by either PAM or xinitrc. PAM can also unlock the keyring automatically at login.
PAM method
Start the gnome-keyring-daemon from /etc/pam.d/login: add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section.
/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
For SDDM, edit the configuration file /etc/pam.d/sddm instead.
Next, for GDM, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd.
/etc/pam.d/passwd
#%PAM-1.0
#password   required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password   required    pam_unix.so sha512 shadow use_authtok
password    required    pam_unix.so sha512 shadow nullok
password    optional    pam_gnome_keyring.so
- To use automatic unlocking, the user account and the keyring must have the same password.
- You will still need the code in ~/.xinitrc below in order to export the required environment variables.
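Because PAM evaluates a stack top to bottom, the placement of the two lines above matters as much as their presence. The following added shell script (not part of the wiki page) checks a PAM service file for exactly that: both pam_gnome_keyring.so entries present, each as the last line of its section. The sample file it writes is constructed for illustration; on a real system you would point check_pam_keyring at /etc/pam.d/login (or /etc/pam.d/sddm).

```shell
#!/bin/sh
# Added example: verify that a PAM service file contains the two
# pam_gnome_keyring.so lines in the positions described above. Exit status 0
# means both lines are present and each is the last entry of its section;
# every problem found is printed on stdout.
check_pam_keyring() {
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" {
            last_auth = NR
            if ($2 == "optional" && $3 == "pam_gnome_keyring.so") kr_auth = NR
        }
        $1 == "session" {
            last_session = NR
            if ($2 == "optional" && $3 == "pam_gnome_keyring.so" && $4 == "auto_start") kr_session = NR
        }
        END {
            ok = 1
            if (!kr_auth) {
                print "missing: auth optional pam_gnome_keyring.so"; ok = 0
            } else if (kr_auth != last_auth) {
                print "auth pam_gnome_keyring.so is not the last line of the auth section"; ok = 0
            }
            if (!kr_session) {
                print "missing: session optional pam_gnome_keyring.so auto_start"; ok = 0
            } else if (kr_session != last_session) {
                print "session pam_gnome_keyring.so auto_start is not the last line of the session section"; ok = 0
            }
            exit !ok
        }' "$1"
}

# Constructed sample (not a real system file) matching the /etc/pam.d/login
# shown above; write_sample_pam writes it to the path given as $1.
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
EOF
}

# Usage on a live system: check_pam_keyring /etc/pam.d/login
```

The check reports a keyring line that sits before an include line as misplaced, which is the mistake that silently breaks auto-unlock: the included stack runs after it and the keyring module never sees the password.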
xinitrc method
Start the gnome-keyring-daemon from xinitrc:
~/.xinitrc
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
See Xfce#SSH agents for use in Xfce.
If you are using i3 and ssh does not show the password prompt but gives the following error:
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
then you need to pass the DISPLAY environment variable to dbus-daemon via ~/.xinitrc:
~/.xinitrc
dbus-update-activation-environment --systemd DISPLAY
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
...
exec i3
If your X authority file is not at the default ~/.Xauthority (that is, XAUTHORITY is set), then you will also have to include this environment variable in the aforementioned dbus-update-activation-environment command.
With a display manager
When using a display manager, the keyring works out of the box for most cases. The following display managers automatically unlock the keyring once you log in:
For GDM and LightDM, note the keyring must be named login to be automatically unlocked.
To enable the keyring for applications run through the terminal, such as SSH, add the following to your ~/.bash_profile, ~/.zshenv, or similar:
~/.bash_profile
if [ -n "$DESKTOP_SESSION" ]; then
    eval $(gnome-keyring-daemon --start)
    export SSH_AUTH_SOCK
fi
~/.config/fish/config.fish
if test -n "$DESKTOP_SESSION"
    # the daemon prints one NAME=VALUE line per variable; export each of them
    for line in (gnome-keyring-daemon --start)
        set -gx (string split -m 1 = $line)
    end
end
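Both the ~/.xinitrc snippet and the ~/.bash_profile snippet above pass the daemon's output straight to eval, so whatever that command prints is executed by the login shell. The following added example (not part of the wiki page) shows a stricter way to do the same job in POSIX sh: it imports only the variable names it expects (SSH_AUTH_SOCK from the page, plus GNOME_KEYRING_CONTROL, which older daemon versions also print) and only when their values are absolute paths. The function names import_keyring_env and start_keyring and the list KEYRING_VARS are this example's own.

```shell
#!/bin/sh
# Added example: import the NAME=VALUE lines printed by
# "gnome-keyring-daemon --start" into the current shell without eval.
# Only the variable names listed in KEYRING_VARS are accepted and their
# values must be absolute paths; anything else is reported and skipped.
KEYRING_VARS="SSH_AUTH_SOCK GNOME_KEYRING_CONTROL"

# import_keyring_env FILE: FILE holds the daemon output, one NAME=VALUE per line.
# Returns 0 if every line was accepted, 1 if any line was skipped.
import_keyring_env() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%=*}
        value=${line#*=}
        # the name must be a plain identifier and one we expect
        case "$name" in
            *[!A-Z0-9_]*|"")
                printf 'skipping malformed line: %s\n' "$line" >&2; status=1; continue ;;
        esac
        case " $KEYRING_VARS " in
            *" $name "*) ;;
            *) printf 'skipping unexpected variable: %s\n' "$name" >&2; status=1; continue ;;
        esac
        # socket and control paths are always absolute; reject anything else
        case "$value" in
            /*) ;;
            *) printf 'skipping %s: value is not an absolute path\n' "$name" >&2; status=1; continue ;;
        esac
        # export takes the assignment as one argument, so no word splitting
        # or command substitution happens on the value
        export "$name=$value"
    done < "$1"
    return $status
}

# start_keyring: what ~/.xinitrc or ~/.bash_profile would call instead of the
# eval line. The daemon output is captured in a private temporary file first.
start_keyring() {
    tmp=$(mktemp) || return 1
    /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh > "$tmp"
    import_keyring_env "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Replace the eval line in ~/.xinitrc or ~/.bash_profile with a call to start_keyring (with the function definitions sourced first). The loop reads from a file rather than a pipe so that the exported variables land in the current shell and not in a subshell.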
SSH keys
To add your SSH key:
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/mith/.ssh/id_rsa:
To list automatically loaded keys:
$ ssh-add -L
To disable all keys:
$ ssh-add -D
Now when you connect to a server, the key will be found and a dialog will pop up asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!
Alternatively, to permanently save a passphrase in the keyring, use ssh-askpass from the package seahorse:
/usr/lib/seahorse/ssh-askpass my_key
This requires the public key (.pub) file to be in the same directory as the private key (~/.ssh/id_rsa.pub in the example). Also, make sure that the public key is named after the private key plus .pub (for example, my_key.pub).
Start SSH and Secrets components of keyring daemon
If you are starting GNOME Keyring with a display manager or the PAM method described above and you are NOT using GNOME, Unity or MATE as your desktop, you may find that the SSH and Secrets components are not being started automatically. You can fix this by copying the desktop files gnome-keyring-ssh.desktop and gnome-keyring-secrets.desktop from /etc/xdg/autostart/ to ~/.config/autostart/ and deleting the OnlyShowIn line.
$ cp /etc/xdg/autostart/{gnome-keyring-secrets.desktop,gnome-keyring-ssh.desktop} ~/.config/autostart/
$ sed -i '/^OnlyShowIn.*$/d' ~/.config/autostart/gnome-keyring-secrets.desktop
$ sed -i '/^OnlyShowIn.*$/d' ~/.config/autostart/gnome-keyring-ssh.desktop
Disable keyring daemon components
If you wish to run an alternative SSH agent (e.g. ssh-agent or gpg-agent), you need to disable the ssh component of GNOME Keyring.
To do so in an account-local way, copy /etc/xdg/autostart/gnome-keyring-ssh.desktop to ~/.config/autostart/ and then append the line Hidden=true to the copied file. Then log out.
Note that GNOME (gnome-session) will still set SSH_AUTH_SOCK to point to gnome-keyring regardless of whether it is running or not. To prevent this, you need to set the environment variable GSM_SKIP_SSH_AGENT_WORKAROUND before gnome-shell is started. One way to do this is to add the line GSM_SKIP_SSH_AGENT_WORKAROUND DEFAULT=1 to ~/.pam_environment.
Tips and tricks
Integration with applications
Flushing passphrases
gnome-keyring-daemon -r -d
This command starts gnome-keyring-daemon, shutting down previously running instances.
Git integration
The GNOME keyring is useful in conjunction with Git when you are pushing over HTTPS.
Install the libsecret package.
Set Git up to use the helper:
$ git config --global credential.helper /usr/lib/git-core/git-credential-libsecret
Next time you do a git push, you are asked to unlock your keyring, if not unlocked already.
GnuPG integration
Several applications which use GnuPG require a pinentry-program to be set. Set the following to use the GNOME 3 pinentry so that GNOME Keyring manages passphrase prompts.
~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-gnome3
Another option is to force loopback for GPG which should allow the passphrase to be entered in the application.
Troubleshooting
Passwords are not remembered
If you get a password prompt every time you login, and you find that passwords are not saved, you might need to create/set a default keyring.
Ensure that the seahorse package is installed, open it ("Passwords and Keys" in system settings) and select View > By Keyring. If there is no keyring in the left column (it will be marked with a lock icon), go to File > New > Password Keyring and give it a name. You will be asked to enter a password. If you do not give the keyring a password it will be unlocked automatically, even when using autologin, but passwords will not be stored securely. Finally, right-click on the keyring you just created and select "Set as default".
Resetting the keyring
If you get the error "The password you use to login to your computer no longer matches that of your login keyring", you can simply reset your GNOME keyring.
Remove "login.keyring" and "user.keystore" from /home/{username}/.local/share/keyrings/. After removing the files, simply log out and log in again. Obviously, this will remove your saved keys.