Skip to content

Instantly share code, notes, and snippets.

@kizzard

kizzard/UnlockGnomeKeyring.md

Last active April 24, 2025 23:21
Show Gist options
  • Save kizzard/166470fefe8fa64d2aa65e0235115318 to your computer and use it in GitHub Desktop.
Save kizzard/166470fefe8fa64d2aa65e0235115318 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
UnlockGnomeKeyring.md

Automatically Unlock Gnome Keyring on Login on Pop OS or Ubuntu

For face or fingerprint unlock methods that log in but don't unlock the keyring

This works on Pop OS and probably any Ubuntu based distro

Uses https://codeberg.org/umglurf/gnome-keyring-unlock and https://github.com/tpm2-software/tpm2-tools

Add yourself to the tss group

This is required to use the TPM

sudo usermod -aG tss your_username

log out and back in, and check that you are in the tss group:

groups

Set up Dependencies

sudo apt install tpm2-tools
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git

Set up TPM keys and context

mkdir -p ~/.tpm && cd ~/.tpm
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt password

read password
tpm2_encryptdecrypt -c key.ctx -o password.enc <<<$password

Create Unlock Script

Save the following as ~/Scripts/unlockKeyring.sh:

#!/bin/bash
# Load a TPM Context key, decode password and unlock the gnome keyring
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C ~/.tpm/primary.ctx -u ~/.tpm/key.pub -r ~/.tpm/key.priv -c ~/.tpm/key.ctx
tpm2_encryptdecrypt -Qd -c ~/.tpm/key.ctx ~/.tpm/password.enc | ~/gnome-keyring-unlock/unlock.py

Make it run on login

Add the following to the end of your ~/.profile:

# Wait 5 seconds then try to unlock the keyring
(sleep 5; ~/Scripts/unlockKeyring.sh &> ~/Scripts/unlockKeyring.log) &
@tbal
Copy link

tbal commented Mar 26, 2025

@joezhouchenye Would you mind sharing your proposed systemd user service file? I would be very thankful!

@joezhouchenye
Copy link

My unlock script is saved at /home/joe/Startup Scripts/unlockKeyring.sh with the following content:

#!/bin/bash
# Load a TPM Context key, decode password and unlock the gnome keyring
tpm2_createprimary -Q -c /home/joe/.tpm/primary.ctx
tpm2_load -Q -C /home/joe/.tpm/primary.ctx -u /home/joe/.tpm/key.pub -r /home/joe/.tpm/key.priv -c /home/joe/.tpm/key.ctx
tpm2_encryptdecrypt -Qd -c /home/joe/.tpm/key.ctx /home/joe/.tpm/password.enc | /home/joe/Software/gnome-keyring-unlock/unlock.py

The service file is created at ~/.config/systemd/user/custom-unlock-keyring.service with the following content:

[Unit]
Description=Unlock Gnome keyring automatically

[Service]
ExecStart="/home/joe/Startup Scripts/unlockKeyring.sh"

[Install]
WantedBy=default.target

Run the following commands to enable the service:

systemctl --user daemon-reload
systemctl --user enable custom-unlock-keyring.service

@tbal
Copy link

tbal commented Mar 27, 2025

@joezhouchenye @kizzard @maksims-terjohins Thanks a lot guys, works like charm on my PopOS 22.04.

@Xwang1976
Copy link

Does this prevent "Evil Maid" like attacks?

The script is there and so if a session is obtained the attacker just need to execute the script. Isn't it? Am I missing something?

@kizzard
Copy link
Author

kizzard commented Apr 11, 2025

@Xwang1976 you are correct - this doesn't prevent evil maid attacks. It is only secure against an attacker who can read the contents of your drive. If the attacker has a session and can execute commands, they may steal your password by decoding it with the TPM.

Thanks to everyone in this thread who has contributed additional ideas and script samples!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment