UnlockGnomeKeyring.md

Automatically Unlock Gnome Keyring on Login on Pop OS or Ubuntu

For face or fingerprint unlock methods that log in but don't unlock the keyring

This works on Pop OS and probably any Ubuntu based distro

Uses https://codeberg.org/umglurf/gnome-keyring-unlock and https://github.com/tpm2-software/tpm2-tools

Add yourself to the tss group

This is required to use the TPM

sudo usermod -aG tss your_username

log out and back in, and check that you are in the tss group:

groups

Set up Dependencies

sudo apt install tpm2-tools
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git

Set up TPM keys and context

mkdir -p ~/.tpm && cd ~/.tpm
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt password

read password
tpm2_encryptdecrypt -c key.ctx -o password.enc <<<$password

Create Unlock Script

Save the following as ~/Scripts/unlockKeyring.sh:

#!/bin/bash
# Load a TPM Context key, decode password and unlock the gnome keyring
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C ~/.tpm/primary.ctx -u ~/.tpm/key.pub -r ~/.tpm/key.priv -c ~/.tpm/key.ctx
tpm2_encryptdecrypt -Qd -c ~/.tpm/key.ctx ~/.tpm/password.enc | ~/gnome-keyring-unlock/unlock.py

Make it run on login

Add the following to the end of your ~/.profile:

# Wait 5 seconds then try to unlock the keyring
(sleep 5; ~/Scripts/unlockKeyring.sh &> ~/Scripts/unlockKeyring.log) &

Worked for me but with a slight change.
My TPM doesn't support EncryptDecrypt. I have had this error when trying to use tpm2_encryptdecrypt : Esys_EncryptDecrypt(0xB0143) - rmt:error(2.0): command code not supported.
So I used a workaround, insipred by solution provided here. This workaround solution does not provide an example of passing an encrypted password to encrypt or decrypt a key, so I have modified it to fit my needs. Now I am sharing my solution with you.

Here is what I have done on my Ubuntu 22.04.

The first steps are as in original post.

sudo usermod -aG tss your_username
sudo apt install tpm2-tools
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git
mkdir -p ~/.tpm && cd ~/.tpm

The following steps differ from the originally proposed method and use openssl instead of tpm2_encryptdecrypt:

Generate encrypted password

This encrypted password will be later passed as an argument to unlock.py .

dd if=/dev/urandom bs=32 count=1 of=$HOME/.tpm/keyfile # generate secure random key to ecnrypt and decrypt our password 

chmod 600 ~/.tpm/keyfile # make this file only accessible for root user

read password # you will be prompted to enter password that you usually enter when logging into system
echo -n "$password" | openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:$HOME/.tpm/keyfile -out $HOME/.tpm/password.enc 
# Encrypt our plain string password using previously generated random key. 

chmod 600 ~/.tpm/password.enc 

Note. openssl command does not expand ~ (tilde) to your user's home directory (e.g. /home/john) , so make sure you use environment variable $HOME when providing paths.

---

Generate TPM primary object

tpm2 createprimary -c primary.ctx # create primary object for TPM to work with
dd if=/dev/urandom bs=1 count=32 of=aes256.key # randomized key saved as aes256.key file
tpm2 create -C primary.ctx -i aes256.key -u key.pub -r key.priv -p $password 
# wihtin previously created TPM object context (primary.ctx) generate public (-u) 
# and private (-r) keys, with (-i) as random key input and (-p) as plain string 
# password we have entered in previous step

---

Create Unlock Script

#!/bin/bash
# Load a TPM Context key, decode password, and unlock the GNOME keyring
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C $HOME/.tpm/primary.ctx -u $HOME/.tpm/key.pub -r $HOME/.tpm/key.priv -c $HOME/.tpm/key.ctx
PASSWORD=$(openssl enc -aes-256-cbc -pbkdf2 -d -salt -pass file:$HOME/.tpm/keyfile -in $HOME/.tpm/password.enc)
echo "$PASSWORD" | $HOME/gnome-keyring-unlock/unlock.py  # pass PASSWORD variable value to python script's stdin

Save this script anywhere and make it executable.

chmod +x unlockKeyring.sh

Note. you can always copy unlock.py to any other directory accessible for your user if you don't want to store git directory gnome-keyring-unlock in your home dir.

As in original post, add the following to the end of your ~/.profile:

# Wait 5 seconds then try to unlock the keyring
(sleep 5; ~/Scripts/unlockKeyring.sh &> ~/Scripts/unlockKeyring.log) &

Note. You can always sleep for less if your computer succeeds to start up quickly. These 5 seconds here are just to make sure the required daemons are already launched and running during system startup. I have removed the sleep and it stil works fine.

If you want to avoid logout, run this command exec su -l $USER.

I prefer user systemd service over .profile because some systems like Deepin do not support .profile. Create the service file in ~/.config/systemd/user directory and use systemctl --user to enable the service works for me. Replace all ~ in the scripts to /home/username to avoid errors.

@joezhouchenye Would you mind sharing your proposed systemd user service file? I would be very thankful!

My unlock script is saved at /home/joe/Startup Scripts/unlockKeyring.sh with the following content:

#!/bin/bash
# Load a TPM Context key, decode password and unlock the gnome keyring
tpm2_createprimary -Q -c /home/joe/.tpm/primary.ctx
tpm2_load -Q -C /home/joe/.tpm/primary.ctx -u /home/joe/.tpm/key.pub -r /home/joe/.tpm/key.priv -c /home/joe/.tpm/key.ctx
tpm2_encryptdecrypt -Qd -c /home/joe/.tpm/key.ctx /home/joe/.tpm/password.enc | /home/joe/Software/gnome-keyring-unlock/unlock.py

The service file is created at ~/.config/systemd/user/custom-unlock-keyring.service with the following content:

[Unit]
Description=Unlock Gnome keyring automatically

[Service]
ExecStart="/home/joe/Startup Scripts/unlockKeyring.sh"

[Install]
WantedBy=default.target

Run the following commands to enable the service:

systemctl --user daemon-reload
systemctl --user enable custom-unlock-keyring.service

@joezhouchenye @kizzard @maksims-terjohins Thanks a lot guys, works like charm on my PopOS 22.04.

Does this prevent "Evil Maid" like attacks?

The script is there and so if a session is obtained the attacker just need to execute the script. Isn't it? Am I missing something?

@Xwang1976 you are correct - this doesn't prevent evil maid attacks. It is only secure against an attacker who can read the contents of your drive. If the attacker has a session and can execute commands, they may steal your password by decoding it with the TPM.

Thanks to everyone in this thread who has contributed additional ideas and script samples!