How to replace Gnome keyring with KeepassXC as secret service?

I can’t set KeepassXC as my secret service because gnome-keyring-daemon is running:

I can’t find a service with keyring in its name:

$ systemctl list-units --type=service | grep keyring
$ sudo systemctl list-units --type=service | grep keyring

Not even a systemd unit file containing the process name gnome-keyring-daemon:

$ sudo grep -r "gnome-keyring-daemon" /etc/systemd/system /lib/systemd/system /run/systemd/system /etc/systemd/user

Looking through all the autostart locations I found a few mentions of that process:

find ~/.config/autostart /etc/xdg/autostart /usr/share/autostart -type f -name '*.desktop' -exec grep -H 'gnome-keyring-daemon' {} \;
/etc/xdg/autostart/gnome-keyring-pkcs11.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=pkcs11
/etc/xdg/autostart/gnome-keyring-secrets.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets
/etc/xdg/autostart/gnome-keyring-ssh.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh

But can I safely remove those? What would be the right way to replace the Gnome keyring with KeepassXC?

Hi @0x0,

I believe this might help:

…and/or:

…and/or:

https://c3pb.de/blog/keepassxc-secrets-service.html

…and/or:

…ad infinitum.

The instructions to disable Gnome Keyring are not working. As soon as I reboot, it’s using Gnome Keyring again.

Try masking the Gnome keyring service?

Edit:

Or you could try removing it:

pamac remove gnome-keyring

Restoring it if wanted:

pamac install gnome-keyring

As I said, I could not find such a service. I don’t think Gnome keyring is a systemd service.

There are too many packages depending on gnome-keyring to remove it like deja-dup, geary, seahorse, xdg-desktop-portal-gnome.

Seeing as I use Plasma, thank goodness, I wouldn’t know then…

Sorry.

:sob:

I am on XFCE and I have

/etc/xdg/autostart/gnome-keyring-pkcs11.desktop
/etc/xdg/autostart/gnome-keyring-secrets.desktop
/etc/xdg/autostart/gnome-keyring-ssh.desktop

and

/usr/lib/systemd/user/gnome-keyring-daemon.service

None of which is active, and yet I see the process gnome-keyring-daemon as running? So I guess something else is starting it.

After checking the process hierarchy and seeing that gnome-keyring-daemon is in fact started by systemd, I spent more time searching through systemd and after a while I found something, so I must correct myself. While there is no regular systemd service that starts gnome-keyring-daemon, there is a user service that does it. I managed to disable it using the --user flag:

systemctl --user mask gnome-keyring-daemon

But after rebooting there still is a gnome-keyring-daemon process running. Checking the process hierarchy again, I can see that it is literally being started by init as in the root parent process of everything. There are 4 instances all started like this:

/usr/bin/gnome-keyring-daemon --daemonize --login

/etc/xdg/autostart/gnome-keyring-*.desktop can be ruled out because those files would start it with different flags:

find ~/.config/autostart /etc/xdg/autostart /usr/share/autostart -type f -name '*.desktop' -exec grep -H 'gnome-keyring-daemon' {} \;
/etc/xdg/autostart/gnome-keyring-pkcs11.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=pkcs11
/etc/xdg/autostart/gnome-keyring-secrets.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets
/etc/xdg/autostart/gnome-keyring-ssh.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh

You can use systemctl status to check which service, slice and/or scope the processes are associated with. Do not use grep, you can search in the pager like in less.

Okay, but what is this telling me?

    State: running
    Units: 395 loaded (incl. loaded aliases)
     Jobs: 0 queued
   Failed: 0 units
    Since: Fri 2023-08-25 16:39:56 CEST; 1h 3min ago
  systemd: 253.8-1-manjaro
   CGroup: /
           ├─init.scope
           │ └─1 /sbin/init splash
           ├─system.slice
           │ ├─...
           │ ...
           └─user.slice
             └─user-1000.slice
               ├─session-1.scope
               │ ├─ 755 "gdm-session-worker [pam/gdm-autologin]"
               │ ├─ 774 /usr/bin/gnome-keyring-daemon --daemonize --login
               │ ├─ 779 /usr/lib/gdm-wayland-session /usr/bin/gnome-session
               │ ├─ 784 /usr/lib/gnome-session-binary
               │ └─1858 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
               ...

I think it’s being started by GDM via PAM. Try cat /etc/pam.d/gdm (I assume that’s the correct file, I don’t use GNOME).

See GNOME/Keyring - ArchWiki

That file does not exist on my system. There are however some files starting with gdm- in that directory:

/etc/pam.d/gdm-autologin:

#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       [success=ok default=1]      pam_gdm.so
auth       optional                    pam_gnome_keyring.so

account    include                     system-local-login

password   required                    pam_deny.so

session    include                     system-local-login
session    optional                    pam_gnome_keyring.so auto_start

/etc/pam.d/gdm-fingerprint:

#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth
auth       required                    pam_fprintd.so
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       [success=ok default=1]      pam_gdm.so
auth       optional                    pam_gnome_keyring.so

account    include                     system-local-login

password   required                    pam_deny.so

session    include                     system-local-login
session    optional                    pam_gnome_keyring.so auto_start

/etc/pam.d/gdm-launch-environment:

#%PAM-1.0

auth       required                    pam_succeed_if.so    audit quiet_success user in gdm:gnome-initial-setup
auth       optional                    pam_permit.so
auth       required                    pam_env.so

account    required                    pam_succeed_if.so    audit quiet_success user in gdm:gnome-initial-setup
account    optional                    pam_permit.so

password   required                    pam_deny.so

session    optional                    pam_loginuid.so
session    optional                    pam_keyinit.so       force revoke
session    required                    pam_succeed_if.so    audit quiet_success user in gdm:gnome-initial-setup
session    optional                    pam_permit.so
-session   optional                    pam_systemd.so
session    required                    pam_env.so

/etc/pam.d/gdm-password:

#%PAM-1.0

auth       include                     system-local-login
auth       optional                    pam_gnome_keyring.so

account    include                     system-local-login

password   include                     system-local-login
password   optional                    pam_gnome_keyring.so use_authtok

session    include                     system-local-login
session    optional                    pam_gnome_keyring.so auto_start

/etc/pam.d/gdm-smartcard:

#%PAM-1.0

auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth
auth       required                    pam_pkcs11.so        wait_for_card card_only
auth       required                    pam_shells.so
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       [success=ok default=1]      pam_gdm.so
auth       optional                    pam_gnome_keyring.so

account    include                     system-local-login

password   required                    pam_deny.so

session    include                     system-local-login
session    optional                    pam_gnome_keyring.so auto_start

Yes, it looks like GDM. Remove or comment out all lines that include pam_gnome_keyring.so. You might want to check all files in that folder for pam_gnome_keyring.so. Just a warning, PAM is kind of important. Make sure you know how to log in if GDM stops working.

Could I still log in from tty in case GDM stops working?

If you only edit PAM files used by GDM, yes. Also it is just a precaution.

Okay, if I can’t even get access from tty in case of GDM going bad, I don’t know how I could log in.
Can I maybe create a new snapshot in Timeshift before making the changes and then revert to that snapshot from outside the OS in case GDM goes bad?

Of course, also I just wanted to warn you since PAM is important, but all PAM lines with pam_gnome_keyring.so are optional, so if you just commented these lines out, there is no problem.
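The audit, comment-out and restore steps discussed in the replies above, as an added example that is not part of the original thread. The function names and the `.keyring-bak` suffix are this example's own, and the sample files are constructed from the gdm-password listing posted earlier:

```shell
#!/bin/sh
# Added example: audit and reversibly comment out pam_gnome_keyring.so rules.
# It only touches the directory you pass; the demo uses a constructed temp dir.

# Active (not commented-out) PAM rule that loads the keyring module.
ACTIVE='^[[:space:]]*-?(auth|account|password|session)[[:space:]]+.*pam_gnome_keyring\.so'

# Print file:line:text for every active rule in DIR.
pam_keyring_refs() {
    for f in "$1"/*; do
        case $f in *.keyring-bak) continue ;; esac
        if [ -f "$f" ]; then grep -nE "$ACTIVE" "$f" /dev/null || true; fi
    done
}

# Comment the rules out, keeping FILE.keyring-bak beside each changed file.
pam_keyring_disable() {
    for f in "$1"/*; do
        case $f in *.keyring-bak) continue ;; esac
        [ -f "$f" ] || continue
        grep -qE "$ACTIVE" "$f" || continue
        cp -p "$f" "$f.keyring-bak"
        # Writing through the redirect keeps the original owner and mode.
        sed -E "/$ACTIVE/ s/^/#/" "$f.keyring-bak" > "$f"
    done
}

# Put every backed-up file back and remove the backup.
pam_keyring_restore() {
    for b in "$1"/*.keyring-bak; do
        [ -f "$b" ] || continue
        cp -p "$b" "${b%.keyring-bak}" && rm -f "$b"
    done
}

# Constructed sample: gdm-password as posted above, plus a file with no match.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' \
        'auth       include                     system-local-login' \
        'auth       optional                    pam_gnome_keyring.so' \
        'password   optional                    pam_gnome_keyring.so use_authtok' \
        'session    optional                    pam_gnome_keyring.so auto_start' \
        > "$d/gdm-password"
    printf '%s\n' '#%PAM-1.0' 'session    required    pam_env.so' > "$d/gdm-launch-environment"
    echo "$d"
}

demo=$(make_sample); pam_keyring_refs "$demo"; pam_keyring_disable "$demo"
pam_keyring_restore "$demo"; rm -rf "$demo"
```

On a real system the directory would be /etc/pam.d and the functions would run as root, with a root shell kept open on a TTY until a fresh login has been confirmed.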

I was not able to boot anymore after making these changes. I had to manually restore the files from a live USB stick. I was not able to restore my timeshift snapshot because Manjaro apparently just instantly boots without a grub menu to restore a timeshift snapshot.

GDM and also PAM have nothing to do with the boot process. A boot problem has nothing to do with changing files in /etc/pam.d/. So what do you mean by not “able to boot anymore”?

You need to hit ESC with the normal Grub configuration to see the menu.

I don’t know when exactly it happened because Manjaro seems to use the quiet kernel parameter. But I didn’t get beyond the boot splash logo. However you may define “booting”, it happened before the login screen even showed up. It just froze with the vendor boot logo.

I tried that but it threw me into rescue mode so that I wasn’t even able to type my LUKS password.