The keyring concept in Ubuntu: what is it and how to use it?


Write your own keyring backend

The interface for the backend is defined by .
Every backend should derive from that base class and define a
attribute and three functions: , , and
. The function may be defined if

See the module for more detail on the interface of this class.

Keyring employs entry points to allow any third-party package to implement
backends without any modification to the keyring itself. Those interested in
creating new backends are encouraged to create new, third-party packages
in the namespace, in a manner modeled by the keyrings.alt
package. See the
in that project for hints on how to create the requisite entry points.
Backends that prove essential may be considered for inclusion in the core
library, although the ease of installing these third-party packages should
mean that extensions may be readily available.

To create an extension for Keyring, please submit a pull request to
have your extension mentioned as an available extension.



GNOME Keyring
Screenshot of GNOME Keyring Manager 2.12.1.
Type: Password manager
Developer: GNOME developers
Written in: C++
Operating system: Cross-platform software
First release: ?
Latest version:
License: GPL

GNOME Keyring is a service (the gnome-keyring-daemon daemon) designed for the secure storage of information such as user names and passwords. Sensitive data is stored in encrypted form, and the user only needs to enter a single master password to access it.

GNOME Keyring is part of the GNOME desktop environment and is developed and maintained by the GnomeLive project.


Authentication Module

The GNOME Keyring authentication module retrieves the password obtained by a previous module in the PAM stack and stores it for later use. When no password was obtained, this module does nothing and returns success. It never prompts for a password itself. Unless otherwise noted, this module returns success.

The following options may be passed to authentication module:


The GNOME Keyring daemon is started if it is not already running, and the login keyring is unlocked using the provided password. If any of this fails, this module returns an error.

Comma-separated list of services (e.g. gdm,xdm) this module will handle. If a service is not in this list, the module returns success without doing anything.

Disabling Keyring

In many cases, uninstalling keyring will never be necessary.
Especially on Windows and macOS, the behavior of keyring is
usually degenerate, meaning it will return empty values to
the caller, allowing the caller to fall back to some other

In some cases, the default behavior of keyring is undesirable and
it would be preferable to disable the keyring behavior altogether.
There are several mechanisms to disable keyring:

  • Uninstall keyring. Most applications are tolerant to keyring
    not being installed. Uninstalling keyring should cause those
    applications to fall back to the behavior without keyring.
    This approach affects that Python environment where keyring
    would otherwise have been installed.
  • Configure the Null keyring in the environment. Set

    in the environment, and the (degenerate) backend
    will be used. This approach affects all uses of Keyring where
    that variable is set.

  • Permanently configure the Null keyring for the user by running
    or .
    This approach affects all uses of keyring for that user.

Configuring Gnome Keyring’s PAM Support

This is usually installed by default by a distro or OS distributor.

To check if your distro or OS has support for this:

# grep -rq /etc/pam.* && echo "Have PAM Support"

To see if a ‘login’ keyring exists (it’s created automatically):

# test -f ~/.gnome2/keyrings/login.keyring && echo "Have 'login' keyring"

Beware that if you install and configure this yourself, it’s possible to lock yourself out of your machine. Make sure you know what you’re doing, and how to fix any problems that arise.

These instructions are general, and may not work on your machine. You may be able to find more specific instructions on forums for your OS or distro.

First figure out where your PAM modules are located. Make note of the directory:

dirname `locate`

Build gnome-keyring with the PAM configure options. Use the PAM module directory as the argument for --with-pam-dir

# tar -zxvf gnome-keyring-2.*.tar.gz
# cd gnome-keyring-2.*
# ./configure --prefix=/usr --sysconfdir=/etc --enable-pam --with-pam-dir=/lib/security
# make
# sudo make install

In /etc/pam.d/gdm, add lines like this at the end of the ‘auth’ and ‘session’ blocks. The ‘session’ line below should come towards the end of the other ‘session’ lines. This allows other modules like the pam systemd module to set up environment variables.

auth optional

session optional auto_start

In /etc/pam.d/gnome-screensaver, add a line like this to the ‘auth’ block:

auth optional

In /etc/pam.d/passwd, add a line like this to the ‘password’ block:

password optional

Advanced configuration

Distributions often integrate the configuration with their common PAM stack (with files such as /etc/pam.d/common-auth). However, some advanced usage of PAM might make it hard to use the PAM module.

Issue with sufficient

For example, let’s consider the case where /etc/pam.d/gdm looks like:

auth include common-auth

and /etc/pam.d/common-auth looks like:

auth sufficient
auth optional
auth required

The sufficient control value will make PAM return without evaluating the module if the authentication succeeds with In such a case, the substack control value can be used to make sure that the module will have access to the right secret token. substack is only supported on Linux.

Potential solution

/etc/pam.d/gdm would then be:

auth include common-auth

/etc/pam.d/common-auth would look like:

auth substack real-common-auth
auth optional

/etc/pam.d/real-common-auth would look like:

auth sufficient
auth required
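
The control-flow difference described above, as a small model added here (it is not part of the original page or of Linux-PAM): it walks both layouts and records which modules get called. The module names pam_unix.so, pam_gnome_keyring.so and pam_deny.so are assumptions, since the listings above omit them, and the evaluator covers only the include, substack, required, sufficient and optional controls.

```python
# Toy model of Linux-PAM 'auth' stack evaluation (added example).
# Module names are assumptions: the listings on this page omit them.
BROKEN = {
    "gdm": [("include", "common-auth")],
    "common-auth": [
        ("sufficient", "pam_unix.so"),          # password check
        ("optional", "pam_gnome_keyring.so"),   # should capture the password
        ("required", "pam_deny.so"),            # always fails
    ],
}
FIXED = {
    "gdm": [("include", "common-auth")],
    "common-auth": [
        ("substack", "real-common-auth"),
        ("optional", "pam_gnome_keyring.so"),
    ],
    "real-common-auth": [
        ("sufficient", "pam_unix.so"),
        ("required", "pam_deny.so"),
    ],
}


def _walk(config, name, outcome, state, trace):
    """Evaluate stack `name`; return True if a 'done' action ended it early."""
    for control, target in config[name]:
        if control == "include":
            # 'done' inside an included file ends the including stack too.
            if _walk(config, target, outcome, state, trace):
                return True
        elif control == "substack":
            # 'done' inside a substack ends only the substack.
            _walk(config, target, outcome, state, trace)
        else:
            ok = outcome(target)
            trace.append(target)
            if control == "required":
                state["failed"] = state["failed"] or not ok
                state["succeeded"] = state["succeeded"] or ok
            elif control == "sufficient" and ok and not state["failed"]:
                state["succeeded"] = True
                return True  # success=done: skip the rest of this stack
            # A failed 'sufficient' and any 'optional' result are ignored here.
    return False


def authenticate(config, service, password_ok):
    """Return (authenticated, modules_called) for one login attempt."""
    def outcome(module):
        if module == "pam_unix.so":
            return password_ok
        return module != "pam_deny.so"

    state = {"failed": False, "succeeded": False}
    trace = []
    _walk(config, service, outcome, state, trace)
    return state["succeeded"] and not state["failed"], trace


if __name__ == "__main__":
    for label, config in (("sufficient", BROKEN), ("substack", FIXED)):
        ok, called = authenticate(config, "gdm", password_ok=True)
        print(f"{label:10} authenticated={ok} called={called}")
```

With the plain sufficient layout, a correct password ends the stack before the keyring module is reached; with substack, the keyring module runs after the password check on every attempt.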

4 answers

You get this warning because GNOME services such as gnome-keyring-daemon and gnome-settings-daemon are not normally started when you log in to a Xubuntu or Xfce session.

However, a quick fix that worked for me is to go to the menu and select Settings > Settings Manager > Session and Startup > Advanced and enable GNOME services (see the screenshot below). Now all installed GNOME services will start at login, and you will be able to use the functionality of gnome-keyring-daemon (although additional configuration may be needed, as I note below).

It is important to note that you will have to log out and log in again for this to take effect, and then services such as these will be started (if you have already installed them with GNOME applications):

You may need to configure other things in your Xfce / Xubuntu session, depending on how you want to use . There are several references to using it with ssh in this blog and many others, but there may be problems using it on Xubuntu.

This is too big a topic to give a general answer about the pros and cons of gnome-keyring, but these hints should let you start integrating it into a Xubuntu session.

However, if these suggestions do not solve the problem, you may be a victim of the problem described in ssh in this blog regarding gnome-keyring.

answered 25 May 2018 at 02:26

Under the Bourne shell you can disable gnome-keyring and get rid of this warning by running:

to remove the gnome keyring path from your environment variables. You can also put this command at the end of your ~/.bashrc file.

In the C shell the equivalent command is:

and the command can be placed at the end of your ~/.cshrc file.

answered 25 May 2018 at 02:26

Another way to get rid of this annoying warning (I got it in XFCE):

The trick is to add "LXDE;XFCE;" to the line with OnlyShowIn= (without the double quotes and with the semicolon; I did not try without it) in the file "/etc/xdg/autostart/gnome-keyring-pkcs11.desktop", editing it with any text editor; I will use "nano".

1 - in a terminal, type (as root or with sudo):

2 - after editing, make sure you save the changes

3 - restart the computer.

answered 25 May 2018 at 02:26

Both sound great, but both didn't work for me

: To make it work

as root, I created the file /usr/share/gnome/autostart/seahorse-daemon.desktop

And make sure that : To make it work , is enabled in my autostart.

For errors like these:

Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-sFJMjhBCfL: Connection refused

It may be more of a problem with your /tmpfs than with seahorse-daemon or gnome-keyring

Now let's see how to replace the seahorse agent! :

answered 25 May 2018 at 02:26



The keyring lib has a few functions:

  • : Return the currently-loaded keyring implementation.
  • : Returns the password stored in the
    active keyring. If the password does not exist, it will return None.
  • : Return a credential object stored
    in the active keyring. This object contains at least and
    attributes for the specified service, where the returned
    may be different from the argument.
  • : Store the password in the
  • : Delete the password stored in
    keyring. If the password does not exist, it will raise an exception.

In all cases, the parameters (, , )
should be Unicode text.


The keyring lib raises following exceptions:

  • : Base Error class for all exceptions in keyring lib.
  • : Raised when the keyring cannot be initialized.
  • : Raised when password cannot be set in the keyring.
  • : Raised when the password cannot be deleted in the keyring.

The gnome-keyring-2.30.3 package

Introduction to gnome-keyring

The gnome-keyring package contains a daemon that stores passwords and other secrets for users.

This package is known to build on an LFS 6.5 platform, but it has not been tested.

Package information

  • Download (HTTP):
  • Download MD5 sum: 54cb1835c02a40f27fda73e58da17cc6
  • Download size: 1.5 MB
  • Estimated disk space required: 52 MB
  • Estimated build time: 0.6 SBU

Linux-PAM-1.1.5 and

User notes:

Installation of gnome-keyring

The instructions below are intended for installing the package in a GNOME-2 environment. If, for whatever reason, you are installing this package without ORBit2 and the core GNOME-2 libraries installed, you will need to change the parameter in the configure script so that it points to the desired installation path (for example, ).

Install gnome-keyring by running the following commands:

./configure --prefix=$(pkg-config --variable=prefix ORBit-2.0) \
            --libexecdir=$(pkg-config \
            --variable=prefix ORBit-2.0)/lib/gnome-keyring \
            --sysconfdir=/etc/gnome/2.30.2 \
            --with-pam-dir=/lib/security \
            --with-dbus-services=/usr/share/dbus-1/services \
            --with-root-certs=/etc/ssl/certs &&
make

This package does not come with a test suite.

Now, as the user, run:

make install

Command explanations

: Setting the prefix with this parameter rather than with ensures that the prefix matches the installed environment and that the package is installed in the correct location.

: This parameter causes the libexec files to be installed in the more appropriate directory , rather than in the directory .

: This parameter specifies where the PAM modules will store information.

: This parameter specifies where the D-BUS session services directory will be located.

: This parameter specifies where the trusted root certificates are located.

: Use this parameter if you want to disable updating of the scrollkeeper database.

Package description

Installed programs: gnome-keyring, gnome-keyring-daemon and gnome-keyring-prompt

Installed libraries:,,,,,, and

Installed directories: /{include/{gcr,gp11}, lib/gnome-keyring/{devel,standalone},share/{gcr/ui, gnome-keyring/{introspect,ui},gtk-doc/html/{gcr,gp11}}}

Short descriptions


a session daemon that stores users' passwords

Translated from a version of the original dated 2010-08-19 09:56:51 +0000


KeePassXC MFA TOTP generator

One more interesting thing: the TOTP code generator in KeePassXC.

Still, there is a serious question: is it a good solution to enable it?

The main idea behind MFA authentication is exactly to use two separate services to authenticate you, i.e. login:password on one side, and a TOTP code from your MFA on the other.

Whether it is worth keeping them together in the same KeePass database is entirely up to you, but keep in mind that if somebody gets access to your KeePass, you will have no MFA left as the last hope of keeping your data secure.

Still, the option is there and I’m using MFA, so let’s take a look at how to configure it.

During MFA configuration, choose something like “Show secret key” or “Can’t scan QR”, depending on the service, to see a text code instead of a QR code.

Here is an example from the AWS Console:

Save the code, then in your KeePassXC find or update an entry you’d like to configure MFA for, right-click on it — TOTP > Set up TOTP:

And set the Secret Key from AWS:

Save, right-click again — Show TOTP:

And finish MFA configuration in AWS:

Try to log in, but… The button to fill in the TOTP field doesn’t work :-(

And it didn’t work in Chromium for Gmail either.

Well, the code is generated in KeePass, so just copy it manually with a right-click or with Ctrl+T, and we are done here.
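
Why keeping the TOTP secret next to the password collapses the two factors, as an added example (not from the original post or from KeePassXC): a code depends only on the secret key and the clock, so every copy of the secret produces the same valid codes. It assumes RFC 6238 with HMAC-SHA1, 6 digits and a 30-second step, and uses the RFC's published test key rather than a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890") in the base32 form that a
# "Show secret key" screen would display. Not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, digits=6, step=30):
    """Return the TOTP code for a base32 secret at the given Unix time."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, unix_time, window=1, step=30):
    """Server-side check that tolerates `window` steps of clock drift."""
    return any(
        hmac.compare_digest(
            totp(secret_b32, max(0, unix_time + drift * step), step=step), code
        )
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = 59  # fixed timestamp from the RFC test vectors
    phone_app = totp(RFC_TEST_SECRET, now)
    database_copy = totp(RFC_TEST_SECRET.lower(), now)
    # Both holders of the secret compute the same code.
    print(phone_app, database_copy, verify(RFC_TEST_SECRET, database_copy, now))
```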

SSH keys

gnome-keyring-daemon with the ssh component will start an SSH agent and automatically load all the keys in that have corresponding .pub files. There is no way to remove these keys from the agent.

To list all loaded keys:

$ ssh-add -L

When you connect to a server that uses a loaded key with a password, a dialog will pop up asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!

To permanently save a passphrase in the keyring, use ssh-askpass from the package:

$ /usr/lib/seahorse/ssh-askpass my_key

To manually add an SSH key from another directory:

$ ssh-add ~/.private/id_rsa
Enter passphrase for ~/.private/id_rsa:

Note: You have to have the corresponding .pub file in the same directory as the private key ( in the example). Also, make sure that the public key is the file name of the private key plus .pub (for example, ).

To disable all manually added keys:

$ ssh-add -D

Disable keyring daemon components

If you wish to run an alternative SSH agent (e.g. or ), you need to disable the component of GNOME Keyring. To do so in an account-local way, copy to and then append the line to the copied file. Then log out.

Note: In case you use GNOME 3.24 or older on Wayland, gnome-shell will overwrite to point to gnome-keyring regardless if it is running or not. To prevent this, you need to set the environment variable GSM_SKIP_SSH_AGENT_WORKAROUND before gnome-shell is started. One way to do this is to add the following line to :


Disable keyring password

In cases where you want to use automatic login but don’t want to unlock the keyring manually, you may choose to disable the keyring with a workaround. Keep in mind that you are disabling a security feature, so think twice before doing so.

The process is similar to changing keyring password. Open Password and Keys application and go on to change the keyring password.

The trick is that when it asks to change the password, don’t enter a new password and hit Continue instead. This will remove any password from the keyring.

Disable Keyring password by not setting any password at all

This way, the keyring will have no password and it remains unlocked all the time.

KeePass and Secret Service integration

For a better understanding of keyrings in general and the Secret Service in particular, I’d strongly recommend first reading the What is: Linux keyring, gnome-keyring, Secret Service, and D-Bus post.

First, let’s make sure we have no Secret Service available in our system by checking D-Bus:

$ qdbus --session org.freedesktop.DBus / org.freedesktop.DBus.GetConnectionUnixProcessID org.freedesktop.secrets
Error: org.freedesktop.DBus.Error.NameHasNoOwner
Could not get PID of name 'org.freedesktop.secrets': no such name

Okay, it’s empty.

Go to the KeePass, Tools > Settings, choose the Secret Service Integration, enable it:

Now, go to the KeePass database’s settings, and in its Secret Service Integration settings specify a collection (team, folder) which will be used to store our secrets:

Also, it’s a good idea now to start KeePass before every other application in the system.

In my case, this can be done with the file:

xrandr --output HDMI-1 --primary
xrandr --output eDP-1 --right-of DP-1
feh --bg-scale /home/setevoy/Pictures/Wallpaper/seryy-kapli-strela-ten-arch.jpg &
tint2 -c /home/setevoy/.config/tint2/setevoy-tint2-90-pecent-bottom-wrk.tint2rc &
polybar -c /home/setevoy/.config/polybar/setevoy-polybar-wrk-bars.conf bottom &
polybar -c /home/setevoy/.config/polybar/setevoy-polybar-wrk-bars.conf top &
sleep 5
keepassxc &
dropbox &
lxqt-notificationd &
xscreensaver &
qxkb &
skypeforlinux &
sleep 5
slack &
...

Run a browser:

$ chromium --password-store=gnome

And in the KeePass’ Tools > Settings check services which are using Secret Service now:

A notification from the KeePass when Chromium tries to access its password to decrypt some passwords in its SQLite database:

But here is another issue: when I’m starting Chromium via — it’s started with the instead of the , although it has to check if a Secret Service is available and run «gnome» instead of the «basic» storage.

To solve it, read the and create a file:


Restart the browser, go to the chrome://version/, and check options:

Okay, it worked for the Chromium — but Brave still uses the “basic” option.

For the Brave browser on Arch Linux, you can create a file, as mentioned in comment, so we can just copy the existing one:

$ cp .config/chromium-flags.conf .config/brave-flags.conf

Restart Brave, check its options:

And in the Secret Service of the KeePass, the brave record appeared, so it’s using the Secret Service now:


Chromium && Secret Service

Now, enable Secret Storage support in the KeePass (see the ) to emulate an installed and restart KeePass.

Add a new directory for the Chromium’s data:

$ mkdir /tmp/data-chrome-test-2/

Run Chromium with the data-chrome-test-2 data-directory and specify the option:

$ chromium --user-data-dir=/tmp/data-chrome-test-2/ --password-store=gnome

Log in somewhere, save password again, and now we can observe that Chromium created two new records in the KeePass database:

  1. Chrome Safe Storage Control
  2. Chromium Safe Storage

Check their attributes for more information about each:

Also, you can check the D-Bus and Secret Service to see which collection is used now:

$ secret-tool search Title 'Chromium Safe Storage'
[/org/freedesktop/secrets/collection/Main/f0fdc4706ef44958b716e28c13d66bed]
label = Chromium Safe Storage
secret = P5pUwxbWaIBBVU0+LATOcw==
…
schema = chrome_libsecret_os_crypt_password_v2
…
attribute.Title = Chromium Safe Storage
…
attribute.application = chromium
…
attribute.Path = /Chromium Safe Storage

Now, let’s try to use the password from the secret attribute from the Chromium Safe Storage entry as the variable’s value in our script.

Exit from the Chromium to unlock the database, otherwise, you’ll see the following error:

$ ./get_chrome_pass.py
Traceback (most recent call last):
  File "./", line 50, in <module>
    for url, user, encrypted_password in get_encrypted_data(db_path):
  File "./", line 15, in get_encrypted_data
    data = cursor.execute('SELECT action_url, username_value, password_value FROM logins')
sqlite3.OperationalError: database is locked

Update the script — a database’s path:

...
if __name__ == "__main__":
#   db_path = '/tmp/data-chrome-test-1/Default/Login Data'
    db_path = '/tmp/data-chrome-test-2/Default/Login Data'
    for url, user, encrypted_password in get_encrypted_data(db_path):
        get_decrypted_data(encrypted_password)

And the password — instead of the “peanuts” in the set the value taken from the KeePass’s Chromium Safe Storage entry:

...
#    pb_pass = "peanuts".encode('utf8')
    pb_pass = "P5pUwxbWaIBBVU0+LATOcw==".encode('utf8')
...

Try it:

$ ./get_chrome_pass.py
Decrypting the string: b'v11\xfc\x82\xf7H\[email protected]\x86\xb7\x982\xa8\x1fjA\xfd'
test911911

Cool! We got our decrypted password.

sign_and_send_pubkey: signing failed: agent refused operation

A short side note: if you enable the “Require user confirmation when this key is used” option now:

Then during the SSH login process you can sometimes see the “sign_and_send_pubkey: signing failed: agent refused operation” error:

$ ssh rtfm
sign_and_send_pubkey: signing failed: agent refused operation
Load key "/home/setevoy/.ssh/id_rsa": Is a [email protected]'s password:

It happens because trying to ask a user for confirmation and uses the utility which may not be installed on the system:

$ file /usr/lib/ssh/ssh-askpass
/usr/lib/ssh/ssh-askpass: cannot open `/usr/lib/ssh/ssh-askpass' (No such file or directory)

Install the package:

$ sudo pacman -S x11-ssh-askpass

Retry the login, and now you should see a window like this with a confirmation request:

Click OK, and now everything works.
