GNOME Keyring
From GnomeKeyring:
- GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.
Installation
When using GNOME, gnome-keyring is installed automatically as a part of the gnome group. Otherwise install gnome-keyring from the official repositories.
Manage using GUI
You can manage the contents of GNOME Keyring using Seahorse. Install it with the package seahorse from the official repositories.
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" drop-down menu, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."
Use without GNOME, and without a display manager
Automatic login
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.
Console login
When using console-based login, the keyring daemon can be started by either PAM or xinitrc. PAM can also unlock the keyring automatically at login.
PAM method
Start the gnome-keyring-daemon from /etc/pam.d/login:
Add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section.
/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
Next, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd.
/etc/pam.d/passwd
#%PAM-1.0
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password required pam_unix.so sha512 shadow nullok
password optional pam_gnome_keyring.so
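A quick way to confirm the edits above landed where the page says they should, as an added example that is not part of the original page. The function names check_pam_keyring and audit_keyring_pam are hypothetical; the check reads only the named file and does not follow include lines.

```shell
#!/bin/sh
# Added example (not from the original page): verify the PAM entries above.

# check_pam_keyring FILE TYPE [REQUIRED_ARG]
# Succeeds only if the last active (non-comment) TYPE line in FILE is
# "TYPE optional pam_gnome_keyring.so", carrying REQUIRED_ARG when one is given.
check_pam_keyring() {
    awk -v type="$2" -v arg="${3:-}" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            t = $1; sub(/^-/, "", t)           # Linux-PAM allows a "-" prefix on the type
            m = $3; sub(/.*\//, "", m)         # accept a full path to the module
        }
        t == type {
            seen = 1
            ok = ($2 == "optional" && m == "pam_gnome_keyring.so")
            if (ok && arg != "") {             # look for the required module argument
                ok = 0
                for (i = 4; i <= NF; i++) if ($i == arg) ok = 1
            }
        }
        END { exit !(seen && ok) }             # the last matching line decides the result
    ' "$1"
}

# audit_keyring_pam [DIR]
# Runs the three checks the page describes; DIR defaults to /etc/pam.d.
audit_keyring_pam() {
    dir="${1:-/etc/pam.d}"
    rc=0
    check_pam_keyring "$dir/login" auth ||
        { echo "login: auth entry missing or not last"; rc=1; }
    check_pam_keyring "$dir/login" session auto_start ||
        { echo "login: session entry missing, not last, or lacks auto_start"; rc=1; }
    check_pam_keyring "$dir/passwd" password ||
        { echo "passwd: password entry missing or not last"; rc=1; }
    return $rc
}
```

Source the file and run audit_keyring_pam; it prints one line per entry that is missing or misplaced and returns non-zero if any check fails.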
xinitrc method
Start the gnome-keyring-daemon from Xinit:
~/.xinitrc
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
The skeleton .xinitrc will start a D-Bus session. See FS#13986 for more info.
If you experience problems retrieving information from the keyring, make sure that the variable DBUS_SESSION_BUS_ADDRESS is exported in the target environment (DBUS_SESSION_BUS_PID is no longer exported).
See SSH Agents for use in Xfce.
Use without GNOME, but with a display manager
When using a display manager, the keyring works out of the box for most cases. The following display managers automatically unlock the keyring once you log in:
For KDM, see KDM#KDM and Gnome-keyring.
To enable the keyring for applications run through the terminal, such as SSH, add the following to your ~/.bash_profile, ~/.zshenv, or similar:
~/.zshenv
if [ -n "$DESKTOP_SESSION" ]; then
    eval $(gnome-keyring-daemon --start)
    export SSH_AUTH_SOCK
fi
Disable keyring daemon
If you run your own SSH agent (e.g. ssh-agent), you need to disable the SSH component of the GNOME keyring daemon:
ln -sf /dev/null /etc/xdg/autostart/gnome-keyring-ssh.desktop
Then log out for the change to take effect.
SSH keys
To add your SSH key:
$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/mith/.ssh/id_dsa:
To list automatically loaded keys:
$ ssh-add -L
To disable all keys:
$ ssh-add -D
Now when you connect to a server, the key will be found and a dialog will pop up asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!
Alternatively, to permanently save a passphrase in the keyring, use seahorse-ssh-askpass from package seahorse:
/usr/lib/seahorse/seahorse-ssh-askpass my_key
Integration with applications
Flushing passphrases
gnome-keyring-daemon -r -d
This command starts gnome-keyring-daemon, shutting down previously running instances.
GNOME Keyring and Git
The GNOME keyring is useful in conjunction with Git when you are pushing over HTTPS.
First install the package libgnome-keyring from the official repositories.
Next compile the helper:
$ cd /usr/share/git/credential/gnome-keyring
# make
Set Git up to use the helper:
$ git config --global credential.helper /usr/lib/git-core/git-credential-gnome-keyring
Next time you do a git push, you are asked to unlock your keyring, if not unlocked already.
Useful tools
secret-tool (in the libsecret package) can access the GNOME keyring (and any other service implementing the DBus Secret Service API) from the command line.
gnome-keyring-query from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.