Unlock Gnome Keyring Daemon from command line
Solution 1
This is a very brutal, dirty, and probably very wrong way to do this, but after struggling with unlocking my keyring over SSH for a while, I came up with this little script:
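echo 'NOTE: This script will only work if launched via source or .' >&2
echo -n 'Login password: ' >&2
# -r keeps backslashes in the password intact; -s disables terminal echo
read -rs _UNLOCK_PASSWORD || return
# stop any daemon already running for this user
killall -q -u "$(whoami)" gnome-keyring-daemon
# feed the password on stdin (no trailing newline) and export the variables the daemon prints
eval $(echo -n "${_UNLOCK_PASSWORD}" \
    | gnome-keyring-daemon --daemonize --login \
    | sed -e 's/^/export /')
unset _UNLOCK_PASSWORD
echo '' >&2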
And yes, when I call . ~/bin/unlock-gnome-keyring and enter my login password, it unlocks my login keyring, I can view it in seahorse running through remote X and use it via libsecret applications.
Please be warned though, I'm not a security expert and there might be serious security implications to doing it this way. I did not check whether the password is properly cleaned in memory etc., which might render you more exposed to attacks.
Solution 2
There is (now) an --unlock argument to gnome-keyring-daemon which does exactly what you want. Normally, when it's invoked, it will unlock then daemonize and echo the SSH_AUTH_SOCK. If you think there might already be an existing daemon running, then you can add the --replace argument to ensure a seamless transition to the new daemon.
I log in to a headless Ubuntu 20.0.4LTS system via ssh with a public key (no password) on a regular basis, but sometimes for development purposes I need the keyring to be available. So I have the following function defined in my bash profile, and it works great to do the unlock (whether there is an existing daemon running or not):
# Linux unlock gnome keyring
function unlock-keyring ()
{
    read -rsp "Password: " pass
    export $(echo -n "$pass" | gnome-keyring-daemon --replace --unlock)
    unset pass
}
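The --unlock function above with a verification step, as an added example that is not part of the original answer: a comment on this page notes that --unlock gives no indication of a mistyped password, so this version asks the Secret Service for the Locked property of the login collection afterwards and exports only the variables it expects. The function names and the KEYRING_DAEMON/BUSCTL override variables are assumptions, as is the availability of busctl and a reachable user session bus.

```bash
#!/usr/bin/env bash
# Added example, not from the original answers. KEYRING_DAEMON and BUSCTL are
# hypothetical override variables so the commands can be swapped for testing.
KEYRING_DAEMON=${KEYRING_DAEMON:-gnome-keyring-daemon}
BUSCTL=${BUSCTL:-busctl}

# Export only the variables the daemon is expected to print, instead of
# handing its whole output to eval/export.
import_daemon_env() {
    while IFS='=' read -r name value; do
        case "$name" in
            SSH_AUTH_SOCK|GNOME_KEYRING_CONTROL) export "$name=$value" ;;
        esac
    done
}

# Succeeds (0) while the "login" collection is locked or its state is unknown.
# busctl prints a boolean property as "b true" or "b false".
login_collection_locked() {
    reply=$("$BUSCTL" --user get-property org.freedesktop.secrets \
        /org/freedesktop/secrets/collection/login \
        org.freedesktop.Secret.Collection Locked 2>/dev/null) || reply=unknown
    [ "$reply" != "b false" ]
}

# Must run in the current shell (source the file, then call the function).
# Reads the password from the terminal, or from stdin when stdin is redirected.
unlock_keyring_checked() {
    if [ -t 0 ]; then
        IFS= read -rsp 'Password: ' pw || return 1
        echo >&2
    else
        IFS= read -r pw || [ -n "$pw" ] || return 1
    fi
    # printf is a shell builtin: no trailing newline is sent and the password
    # never appears in another process's argument list.
    out=$(printf '%s' "$pw" | "$KEYRING_DAEMON" --replace --unlock) \
        || { unset pw; return 1; }
    unset pw
    import_daemon_env <<EOF
$out
EOF
    if login_collection_locked; then
        echo 'keyring is still locked (wrong password?)' >&2
        return 1
    fi
}
```

A non-zero return from unlock_keyring_checked means the daemon started but the login collection did not open, which is the case the plain --unlock call reports no differently from success.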
react-newbie
Updated on September 18, 2022
Comments
-
react-newbie almost 2 years
I am trying to unlock the Gnome Keyring Daemon from the command line, by directly passing it a password. I tried a few variations of --daemonize, --login, --start, but I can't get it to work.
echo $password | gnome-keyring-daemon --unlock
returns SSH_AUTH_SOCK=/run/user/1000/keyring/ssh but doesn't unlock anything.
Basically I want something along the lines of:
gnome-keyring-daemon unlock --pw $password
Not sure if it makes any difference, but I'm on Manjaro i3wm version, so not using a desktop environment.
Background:
I'm using KeePassXC to manage my keyring. The one downside to this is, that I can't automatically unlock the keyring on login. Since I don't want to enter two long passwords I came up with the following script as a workaround:
- Logging in automatically unlocks Gnome Keyring Daemon
- Gnome Keyring Daemon contains (a part of) the PW to KeePassXC as the only entry
- enter the last characters of the pw in a prompt
- kill Gnome Keyring Daemon
- use the combined pw to unlock KeePassXC
Now I want to do the opposite to lock KeePassXC again:
- Get PW to Gnome Keyring Daemon from KeePassXC
- Kill KeePassXC
- Unlock GnomeKeyringDaemon <- this is the part I can't get to work
-
Martin Wilck over 2 years
You need to use echo -n as in kFYatek's answer below.
-
react-newbie almost 4 years
Thank you that solved it for me! I had two errors in my code, first I forgot the -n flag after echo and I used --unlock instead of --daemonize --login (which I tried before, but due to the missing -n flag it didn't work.) Here is my final script, that quits KeePassXC and unlocks the gnome-keyring:
pass=$(secret-tool lookup GnomeKeyring Password)
pkill keepassxc
echo -n "$pass" | gnome-keyring-daemon --daemonize --login
unset pass
-
ChennyStar about 3 yearsJust in case someone wants to try this, be extremely careful and make a backup of your keyrings before. I lost access to my login.keyring trying to follow these examples (see unix.stackexchange.com/questions/652215/…)
-
niken over 2 years
On arch linux this does not work for some reason. Command executes, status code returns, even tells you in some nicely formatted (and colorful) text that it's doing stuff. But when I try to run another process that depends on keyring being unlocked (like say a vpn client) it coughs up this:
keyrings.errors.KeyringLocked
and of course "Failed to unlock the collection!"
-
brotskydotcom over 2 years
@niken I haven't tried this on an arch linux box, so it might not work there. But another thing to note is that, if you type your password wrong, the --unlock output gives no indication of that being the case. So you might want to try again and type carefully :).
-
niken over 2 years
I pipe password via echo -n "mypassword" just like you, trying to get it to run on 1st login before starting x desktop so i can use it from cml, but cannot figure out why it won't unlock default 'login' keyring, it should by all logic, it acts like it does, but it just doesn't and not too much about it in the output, just failure by vpn client... Everything works perfectly fine once desktop loads. I can live without it, but it's really annoying cannot figure out why