@kizzard
Last active December 6, 2025 16:00

Automatically Unlock Gnome Keyring on Login on Pop OS or Ubuntu

For face or fingerprint unlock methods that log in but don't unlock the keyring

This works on Pop OS and probably on any Ubuntu-based distro.

Uses gnome-keyring-unlock (https://codeberg.org/umglurf/gnome-keyring-unlock) and tpm2-tools (https://github.com/tpm2-software/tpm2-tools).

Add yourself to the tss group

Membership of the tss group is required to access the TPM device as a normal user.

sudo usermod -aG tss your_username

Log out and back in, then check that you are in the tss group:

groups

Set up Dependencies

sudo apt install tpm2-tools
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git

Set up TPM keys and context

mkdir -p ~/.tpm && cd ~/.tpm
# Primary key: derived from the TPM's seed, so the same one is recreated later by the unlock script
tpm2_createprimary -c primary.ctx
# AES-128 key wrapped by the primary; key.priv can only be used through this TPM.
# It carries no auth value, so anyone who can read ~/.tpm and reach the TPM can decrypt
# password.enc: keep this directory private to your user.
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt password

read -r password   # the prompt is blank: type your password and press return; read keeps it out of shell history
tpm2_encryptdecrypt -c key.ctx -o password.enc <<<"$password"
unset password     # drop the plaintext from the shell once the encrypted copy exists

Create Unlock Script

Save the following as ~/Scripts/unlockKeyring.sh:

#!/bin/bash
# Load the TPM context key, decrypt the stored password and unlock the GNOME keyring.
# primary.ctx is recreated on every run: the primary key is derived from the TPM's
# seed, so the same key.pub/key.priv pair loads under it each time.
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C ~/.tpm/primary.ctx -u ~/.tpm/key.pub -r ~/.tpm/key.priv -c ~/.tpm/key.ctx
# Decrypt to stdout and pipe straight into the unlock helper; the plaintext never touches disk.
tpm2_encryptdecrypt -Qd -c ~/.tpm/key.ctx ~/.tpm/password.enc | ~/gnome-keyring-unlock/unlock.py

Make it run on login

Add the following to the end of your ~/.profile:

# Wait 5 seconds for the session to come up, then try to unlock the keyring.
# "> file 2>&1" is used rather than "&>" so the line also works if a POSIX sh reads ~/.profile.
(sleep 5; ~/Scripts/unlockKeyring.sh > ~/Scripts/unlockKeyring.log 2>&1) &
@Lemon2ee

In the case of using fish as default shell, add the following to your config.fish

# Only run in login shells
if status is-login
    begin
        sleep 5
        ~/.scripts/unlock_keyring.sh &> ~/.scripts/unlock_keyring.log
    end &
end

@AntonIXO

Thanks! Worked on Redmibook 15 pro on archlinux on gnome 49 with user systemd unlock unit

@dantfusie

Hey! This might've worked, but unfortunately with the guide I'm stuck at the read password command; as of right now it's blank. Does anyone know how to fix this? I'm on Zorin OS

@kizzard

kizzard commented Oct 10, 2025

@dantfusie yeah it's a little confusing, at that step you need to type your password and press return. It's how it stores it. I should have made that more clear.

@dantfusie

So I type in my password in place of "password" then?

@kizzard

kizzard commented Oct 11, 2025

@dantfusie at that step, type "read password" and then return, and then when it's blank, it's waiting for your password. At that point, enter your password and press return again.

@kizzard

kizzard commented Oct 11, 2025

@dantfusie the purpose is to get your password without leaving it in your shell command line history.

@dantfusie

Thanks! Does this also work for other distros like Fedora or any other GNOME using distros but not Ubuntu based?

@jaystocky

Hi all! I've just followed the steps adjusted by @maksims-terjohins and am encountering the below error, extracted from the log file. Anyone able to help?

ERROR: Error opening file "/home/jaystocky/.tpm/primary.ctx" due to error: Permission denied
ERROR: Failed saving object context.
ERROR: Unable to run tpm2_createprimary
ERROR: Incorrect handle value, got: "/home/jaystocky/.tpm/primary.ctx", expected expected [o|p|e|n|l] or a handle number
ERROR: Unable to read as BIO file
ERROR: Unable to fetch public/private portions of TSS PRIVKEY
ERROR: Cannot make sense of object context "/home/jaystocky/.tpm/primary.ctx"
ERROR: Unable to run tpm2_load
Unlock denied

@maksims-terjohins

Hi!

TLDR: chmod 660 primary.ctx

Try to set the access permissions for primary.ctx to 660, also written as -rw-rw----. In my case it works fine. Use chmod 660 primary.ctx when inside the .tpm dir. You should see something like -rw-rw---- 1 jaystocky jaystocky 1532 dec 4 10:39 primary.ctx when running ls -l within the .tpm directory. The key is to have -rw-rw---- in the line with primary.ctx.
If your file already has the required permissions set, make sure your directory is accessible for the scripts running the unlock thing.
If both file and directory have access permissions set, make sure you are running the script as an authorized user. If unlockKeyring.sh is launched by a user other than jaystocky, there might be an issue as well.
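A preflight check for the permission problems discussed above, added here as an example rather than code from the gist or the gnome-keyring-unlock project. It inspects the ~/.tpm directory the unlock script uses and reports the conditions that produce the "Permission denied" and "Failed saving object context" lines; the script name and the 700/600/660 expectations are this example's assumptions.

```shell
#!/bin/bash
# checkTpmDir.sh: preflight for the ~/.tpm directory used by unlockKeyring.sh.
# Exits non-zero on the conditions behind a "Permission denied" / "Failed saving
# object context" log: missing files, a directory others can enter, or files the
# owner cannot both read and write. Assumes GNU coreutils (stat -c %a).

check_tpm_dir() {
    local dir="${1:-$HOME/.tpm}" status=0 mode f
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"; return 1
    fi
    # unlockKeyring.sh rewrites primary.ctx and key.ctx on every login, so the
    # directory must be writable by the user running it; nobody else needs access.
    mode=$(stat -c %a "$dir")
    case "$mode" in
        7?0) ;;
        *) echo "$dir has mode $mode, expected 700 (others must not enter it)"; status=1 ;;
    esac
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "$dir is not writable/searchable by $(id -un)"; status=1
    fi
    # key.priv carries no auth value: anyone who can read it and password.enc and
    # reach the TPM can recover the password, so "other" must get no bits at all.
    for f in key.pub key.priv password.enc primary.ctx; do
        if [ ! -e "$dir/$f" ]; then
            # primary.ctx is regenerated each run; only the other three are required
            [ "$f" = primary.ctx ] || { echo "missing: $dir/$f"; status=1; }
            continue
        fi
        mode=$(stat -c %a "$dir/$f")
        case "$mode" in
            [67]?0) ;;   # owner rw, other none: 600, or 660 as suggested in the thread
            *) echo "$dir/$f has mode $mode; try: chmod 660 $dir/$f"; status=1 ;;
        esac
    done
    return "$status"
}

# Usage: ./checkTpmDir.sh ~/.tpm (pass the directory explicitly to run the check).
if [ -n "${1-}" ]; then
    check_tpm_dir "$1"
fi
```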

@jaystocky

Thanks @maksims-terjohins i think that fixed it! The only issue I'm having now is that I'm still getting the two errors when I load into the OS asking me for the keyring password, but if I ignore them and then check passwords & keys I can see that it's unlocked!

@maksims-terjohins

It looks to me that the script runs too late in the OS startup process, since you eventually get it unlocked without entering the password. You might want to play with the sleep duration in your ~/.profile. I would start with removing the sleep 5; command and see if the keyring still gets unlocked. If it breaks, try adding some non-zero time, but less than 5 seconds. Maybe you will find the right delay that fits your concrete OS instance and unlocks the keyring without prompting for the password.

@jaystocky

@maksims-terjohins gave that a test, changed sleep 5 to sleep 0, sleep 1 etc. and all still result in me having to dismiss three pop-ups despite the keyring being unlocked when I check afterwards! Odd.
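For the delay guessing discussed above, an added variant of the unlock script (example code, not from the gist or the gnome-keyring-unlock project) that polls for the keyring daemon's control socket and only then runs the gist's tpm2 steps, so the unlock fires as early as the daemon allows instead of after a fixed sleep. The socket path under $XDG_RUNTIME_DIR/keyring/control and the script name are assumptions.

```shell
#!/bin/bash
# unlockKeyringWhenReady.sh: variant of unlockKeyring.sh that waits for the
# keyring daemon instead of sleeping a fixed 5 seconds in ~/.profile.
# Assumption: gnome-keyring-daemon creates its control socket at
# $XDG_RUNTIME_DIR/keyring/control; adjust KEYRING_SOCK if yours differs.

KEYRING_SOCK="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/keyring/control"
TPM_DIR="$HOME/.tpm"

# wait_for_path PATH TIMEOUT_SEC: poll five times a second until PATH exists.
# Returns 0 as soon as it appears, 1 if TIMEOUT_SEC pass without it.
wait_for_path() {
    local path="$1" timeout="$2" ticks=0
    while [ ! -e "$path" ]; do
        if [ "$ticks" -ge "$((timeout * 5))" ]; then
            echo "timed out after ${timeout}s waiting for $path" >&2
            return 1
        fi
        sleep 0.2
        ticks=$((ticks + 1))
    done
    return 0
}

# unlock_keyring: the gist's three tpm2 steps, run only once the daemon is
# reachable. Each step aborts the chain on failure so the log shows which one broke.
unlock_keyring() {
    wait_for_path "$KEYRING_SOCK" 30 || return 1
    tpm2_createprimary -Q -c "$TPM_DIR/primary.ctx" || return 1
    tpm2_load -Q -C "$TPM_DIR/primary.ctx" -u "$TPM_DIR/key.pub" \
        -r "$TPM_DIR/key.priv" -c "$TPM_DIR/key.ctx" || return 1
    # The decrypted password goes straight down the pipe; it never lands on disk or in argv.
    tpm2_encryptdecrypt -Qd -c "$TPM_DIR/key.ctx" "$TPM_DIR/password.enc" \
        | "$HOME/gnome-keyring-unlock/unlock.py"
}

# Invoke as "unlockKeyringWhenReady.sh run"; without "run" the file only defines functions.
if [ "${1-}" = run ]; then
    unlock_keyring
fi
```

In ~/.profile the sleep line then becomes `~/Scripts/unlockKeyringWhenReady.sh run > ~/Scripts/unlockKeyring.log 2>&1 &`; the log records a timeout if the daemon never shows up.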
