Unlock Gnome Keyring Daemon from command line

Solution 1

This is a very brutal, dirty, and probably very wrong way to do this, but after struggling with unlocking my keyring over SSH for a while, I came up with this little script:

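# Must be sourced so the exported variables reach the calling shell.
echo 'NOTE: This script will only work if launched via source or .' >&2
echo -n 'Login password: ' >&2
# -r keeps backslashes in the password literal; -s disables terminal echo.
read -rs _UNLOCK_PASSWORD || return
# Stop this user's running daemon before starting a new one.
killall -q -u "$(whoami)" gnome-keyring-daemon
# Feed the password on stdin (no trailing newline) and export what the daemon prints.
eval "$(echo -n "${_UNLOCK_PASSWORD}" \
           | gnome-keyring-daemon --daemonize --login \
           | sed -e 's/^/export /')"
unset _UNLOCK_PASSWORD
echo '' >&2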

And yes, when I call . ~/bin/unlock-gnome-keyring and enter my login password, it unlocks my login keyring, I can view it in seahorse running through remote X and use it via libsecret applications.

Please be warned though, I'm not a security expert and there might be serious security implications to doing it this way. I did not check whether the password is properly cleaned in memory etc., which might render you more exposed to attacks.

Solution 2

There is (now) an --unlock argument to gnome-keyring-daemon which does exactly what you want. Normally, when it's invoked, it will unlock then daemonize and echo the SSH_AUTH_SOCK. If you think there might already be an existing daemon running, then you can add the --replace argument to ensure a seamless transition to the new daemon.

I log in to a headless Ubuntu 20.0.4LTS system via ssh with a public key (no password) on a regular basis, but sometimes for development purposes I need the keyring to be available. So I have the following function defined in my bash profile, and it works great to do the unlock (whether there is an existing daemon running or not):

# Linux unlock gnome keyring
function unlock-keyring ()
{
    read -rsp "Password: " pass
    export $(echo -n "$pass" | gnome-keyring-daemon --replace --unlock)
    unset pass
}
Author by

react-newbie

Updated on September 18, 2022

Comments

  • react-newbie
    react-newbie almost 2 years

    I am trying to unlock the Gnome Keyring Daemon from the command line, by directly passing it a password. I tried a few variations of --daemonize, --login, --start, but I can't get it to work.

    echo $password | gnome-keyring-daemon --unlock returns SSH_AUTH_SOCK=/run/user/1000/keyring/ssh but doesn't unlock anything.

    Basically I want something along the lines of:

    gnome-keyring-daemon unlock --pw $password

    Not sure if it makes any difference, but I'm on Manjaro i3wm version, so not using a desktop environment.

    Background:

    I'm using KeePassXC to manage my keyring. The one downside to this is that I can't automatically unlock the keyring on login. Since I don't want to enter two long passwords, I came up with the following script as a workaround:

    • Logging in automatically unlocks Gnome Keyring Daemon
    • Gnome Keyring Daemon contains (a part of) the PW to KeePassXC as the only entry
    • enter the last characters of the pw in a prompt
    • kill Gnome Keyring Daemon
    • use the combined pw to unlock KeePassXC

    Now I want to do the opposite to lock KeePassXC again:

    • Get PW to Gnome Keyring Daemon from KeePassXC
    • Kill KeePassXC
    • Unlock GnomeKeyringDaemon <- this is the part I can't get to work
    • Martin Wilck
      Martin Wilck over 2 years
      You need to use echo -n as in kFYatek's answer below.
  • react-newbie
    react-newbie almost 4 years
    Thank you, that solved it for me! I had two errors in my code: first I forgot the -n flag after echo, and I used --unlock instead of --daemonize --login (which I tried before, but due to the missing -n flag it didn't work). Here is my final script, that quits KeePassXC and unlocks the gnome-keyring:

    pass=$(secret-tool lookup GnomeKeyring Password)
    pkill keepassxc
    echo -n "$pass" | gnome-keyring-daemon --daemonize --login
    unset pass
  • ChennyStar
    ChennyStar about 3 years
    Just in case someone wants to try this, be extremely careful and make a backup of your keyrings before. I lost access to my login.keyring trying to follow these examples (see unix.stackexchange.com/questions/652215/…)
  • niken
    niken over 2 years
    On Arch Linux this does not work for some reason. Command executes, status code returns, even tells you in some nicely formatted (and colorful) text that it's doing stuff. But when I try to run another process that depends on keyring being unlocked (like say a vpn client) it coughs up this: keyrings.errors.KeyringLocked and of course "Failed to unlock the collection!"
  • brotskydotcom
    brotskydotcom over 2 years
    @niken I haven't tried this on an Arch Linux box, so it might not work there. But another thing to note is that, if you type your password wrong, the --unlock output gives no indication of that being the case. So you might want to try again and type carefully :).
  • niken
    niken over 2 years
    I pipe password via echo -n "mypassword" just like you, trying to get it to run on 1st login before starting x desktop so I can use it from cml, but cannot figure out why it won't unlock default 'login' keyring. It should by all logic, it acts like it does, but it just doesn't, and not too much about it in the output, just failure by vpn client... Everything works perfectly fine once desktop loads. I can live without it, but it's really annoying, cannot figure out why.
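
Added example, not part of the original answers or comments: because `--unlock` prints `SSH_AUTH_SOCK` whether or not the password was accepted, these bash functions read the `Locked` property of the login collection over D-Bus after unlocking, and include a backup helper to run once before experimenting with the keyring. Assumed here: the keyring path `~/.local/share/keyrings`, the default `login` collection, `gdbus` being installed, and the function names, which are illustrative.

```bash
# Added example: back up the keyring files, unlock, then verify the result.
# Assumed: ~/.local/share/keyrings, the "login" collection, gdbus installed.
KEYRING_DIR="${KEYRING_DIR:-$HOME/.local/share/keyrings}"
LOGIN_COLLECTION=/org/freedesktop/secrets/collection/login

# Copy the keyring directory to a timestamped sibling; prints the copy's path.
backup_keyrings() {
    local src="${1:-$KEYRING_DIR}" dest
    dest="${src%/}.bak.$(date +%Y%m%d-%H%M%S)"
    [ -d "$src" ] && [ ! -e "$dest" ] || return 1
    cp -a -- "$src" "$dest" && chmod 700 "$dest" || return 1
    printf '%s\n' "$dest"
}

# Map a gdbus Properties.Get reply such as "(<false>,)" to a state word.
parse_locked_reply() {
    case "$1" in
        *"<true>"*)  echo locked ;;
        *"<false>"*) echo unlocked ;;
        *)           echo unknown ;;
    esac
}

# Read the Locked property of the login collection from the Secret Service.
keyring_state() {
    local reply
    reply=$(gdbus call --session --dest org.freedesktop.secrets \
        --object-path "$LOGIN_COLLECTION" \
        --method org.freedesktop.DBus.Properties.Get \
        org.freedesktop.Secret.Collection Locked 2>/dev/null) || reply=""
    parse_locked_reply "$reply"
}

# Unlock as in Solution 2, export what the daemon prints, then check the state.
unlock_keyring_checked() {
    local pass out line state
    read -rsp "Password: " pass || return 1
    echo >&2
    out=$(printf '%s' "$pass" | gnome-keyring-daemon --replace --unlock)
    unset pass
    while IFS= read -r line; do
        case "$line" in *=*) export "$line" ;; esac
    done <<EOF
$out
EOF
    state=$(keyring_state)
    [ "$state" = unlocked ] && return 0
    echo "login keyring state: $state (wrong password?)" >&2; return 1
}
```

`printf '%s'` writes the password without a trailing newline, the same requirement `echo -n` meets in the answers. Source the file and call `backup_keyrings` once, then `unlock_keyring_checked`; a non-zero return means the collection is still locked or could not be queried.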