Use GnuPG to unlock gnome-keyring, so that the unlock can be backed by a YubiKey or any other OpenPGP smartcard.

If you log into Linux with a YubiKey via `pam_u2f.so`, GNOME will still ask you to unlock the `login` keyring with your login password: the PAM module that normally unlocks it takes the keyring password from the password you type at login, and with U2F authentication no password is typed.
But why use a YubiKey for login in the first place? Because I don't want to type a very long password every time.
Right now the only workaround is to set the password of the `login` keyring to empty. That is not secure: a keyring with an empty password is stored unencrypted on disk, so anyone who gets hold of the disk (a stolen laptop, an image taken while the machine is off) gets every password Chromium saved and everything else in the keyring.
This project encrypts the `keyring-name:password` pair with GnuPG and stores it as a secret file. When GNOME starts with the YubiKey inserted, an autostarted script asks GnuPG to decrypt the secret file and pipes the recovered password into a small helper that unlocks the keyring. GnuPG (through gpg-agent) prompts for the smartcard and its PIN if they are not already available. The keyring password therefore never sits on disk in the clear, and someone with only a copy of your disk cannot use the secret file without the card.
The project links against libgnome-keyring (`libgnome-keyring-dev` on Debian/Ubuntu).

On recent Ubuntu releases `libgnome-keyring-dev` is no longer in the repositories; install it and its dependencies manually from the 18.04 (bionic) pool:
wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/multiarch-support_2.27-3ubuntu1_amd64.deb
wget http://security.ubuntu.com/ubuntu/pool/universe/libg/libgnome-keyring/libgnome-keyring-common_3.12.0-1build1_all.deb
wget http://security.ubuntu.com/ubuntu/pool/universe/libg/libgnome-keyring/libgnome-keyring0_3.12.0-1build1_amd64.deb
wget http://security.ubuntu.com/ubuntu/pool/universe/libg/libgnome-keyring/gir1.2-gnomekeyring-1.0_3.12.0-1build1_amd64.deb
wget http://security.ubuntu.com/ubuntu/pool/universe/libg/libgnome-keyring/libgnome-keyring-dev_3.12.0-1build1_amd64.deb
sudo dpkg -i multiarch-support_2.27-3ubuntu1_amd64.deb
sudo dpkg-reconfigure multiarch-support
sudo dpkg -i libgnome-keyring-common_3.12.0-1build1_all.deb libgnome-keyring0_3.12.0-1build1_amd64.deb gir1.2-gnomekeyring-1.0_3.12.0-1build1_amd64.deb libgnome-keyring-dev_3.12.0-1build1_amd64.deb
Note that `dpkg -i` does no signature checking. Fetch the files over HTTPS and compare each sha256 with the entry in the bionic `Packages` index before installing them.

On Arch Linux the library is still packaged:
sudo pacman -S libgnome-keyring
I recommend configuring the YubiKey as a GPG smartcard; the system will then just ask you to unlock gnome-keyring through your usual GnuPG pinentry. You can either generate a new GPG key on the YubiKey or move an existing key onto it; there are plenty of guides online for both.
First, build the project from source. Note the `--recursive` flag; it matters because the repository uses git submodules that the build needs:
git clone https://github.com/recolic/gnome-keyring-yubikey-unlock --recursive
cd gnome-keyring-yubikey-unlock/src && make && cd ..
Then create your secret file. The public key argument selects the GnuPG recipient, i.e. the key whose private part lives on the YubiKey:
gnome-keyring-yubikey-unlock/create_secret_file.sh /path/to/your_secret [Your GnuPG public key]
# input your keyring:password
For example, I enter `login:My_Very_Long_Login_Password`. (Use `seahorse` or `tools/list_keyrings.sh` to find the name of your keyring.)
Then add the following command to GNOME's autostart. If you don't know how to do that, read me!
/path/to/this/project/unlock_keyrings.sh /path/to/your_secret
Optionally, if you don't want to enter your GPG smartcard PIN every time you log in, pass it as a second parameter. If your PIN is e.g. 123456:
/path/to/this/project/unlock_keyrings.sh /path/to/your_secret 123456
This obviously weakens the protection of the private key, so do it only if you are comfortable with your PIN sitting on disk in plain text. Be aware too that command-line arguments are readable by every local user through `ps` and `/proc/<pid>/cmdline` while the script runs, so the PIN is exposed to anyone with a shell on the machine, not only to whoever can read the autostart file.
You're all set! Log out, log back in and try it.
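As a worked example of the whole flow (added here; this is not the project's own `unlock_keyrings.sh` or `create_secret_file.sh`), the POSIX shell script below waits for the smartcard, lets gpg-agent's pinentry handle the PIN so nothing secret is ever put on a command line, validates the decrypted `keyring:password` line, hands it to the unlocker on stdin, and can write the XDG autostart entry for itself. It assumes the unlocker accepts `--secret-file -` as shown in the debugging section, that it lives at `$HOME/gnome-keyring-yubikey-unlock/bin/unlock_keyrings` unless `UNLOCKER` is set, and that the secret file holds exactly one `keyring:password` line; the `.desktop` file name is made up.

```shell
#!/bin/sh
# Added example, not part of gnome-keyring-yubikey-unlock.
# Assumed interface: the unlocker reads one "keyring:password" line on
# stdin when invoked with "--secret-file -" (as in the project's FAQ).
set -u

UNLOCKER="${UNLOCKER:-$HOME/gnome-keyring-yubikey-unlock/bin/unlock_keyrings}"

# Keyring names contain no ':' but passwords may, so split at the FIRST
# colon only: "login:a:b" -> keyring "login", password "a:b".
secret_keyring()  { printf '%s\n' "${1%%:*}"; }
secret_password() { printf '%s\n' "${1#*:}"; }

# A line must have a non-empty name, a colon and a non-empty password;
# otherwise a typo in the secret file would silently unlock nothing or
# pass an empty password on.
secret_line_ok() {
    case "$1" in
        ?*:?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# "gpg --card-status" exits non-zero while no card is present. Poll for
# at most $1 seconds so a login without the YubiKey does not hang.
wait_for_card() {
    deadline=$(( $(date +%s) + $1 ))
    while ! gpg --card-status >/dev/null 2>&1; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 2
    done
}

# Decrypt the secret file to stdout. gpg-agent drives the PIN prompt
# (pinentry), so the PIN never has to live on disk or in an argument.
decrypt_secret() {
    gpg --batch --quiet --decrypt -- "$1"
}

unlock_from_file() {
    secret_file=$1
    wait_for_card 60 || { echo "no GPG smartcard found, not unlocking" >&2; return 1; }
    line=$(decrypt_secret "$secret_file") || return 1
    secret_line_ok "$line" || { echo "malformed line in $secret_file" >&2; return 1; }
    # Log only the keyring name; the password goes to the unlocker's stdin.
    echo "unlocking keyring '$(secret_keyring "$line")'" >&2
    printf '%s\n' "$line" | "$UNLOCKER" --secret-file -
}

# Write an XDG autostart entry so the unlock runs at GNOME login.
# $1: autostart directory (normally ~/.config/autostart)
# $2: path of this script   $3: path of the secret file
# Prints the path of the created .desktop file. Paths must not contain
# spaces, since Exec= is not quoted here.
install_autostart() {
    mkdir -p "$1"
    entry="$1/gnome-keyring-yubikey-unlock.desktop"
    cat >"$entry" <<EOF
[Desktop Entry]
Type=Application
Name=Unlock gnome-keyring with YubiKey
Exec=$2 $3
NoDisplay=true
X-GNOME-Autostart-enabled=true
EOF
    chmod 600 "$entry"
    printf '%s\n' "$entry"
}

# Usage: unlock.sh /path/to/your_secret
if [ $# -eq 1 ]; then
    unlock_from_file "$1"
fi
```

Run it once by hand with the YubiKey inserted to confirm pinentry appears and the keyring unlocks, then call `install_autostart "$HOME/.config/autostart" /path/to/unlock.sh /path/to/your_secret` to register it. Because the PIN is always collected by pinentry, this variant has no equivalent of the plain-text PIN argument described above.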
- Keyring does not exist? Run `tools/list_keyrings.sh` to check the names of your keyrings. Depending on your locale the `login` keyring may be listed under a translated name such as 登录 (Chinese for "login").
- Working on keyring Login: GNOME_KEYRING_RESULT_BAD_ARGUMENTS. Seahorse sometimes shows an incorrect name for the "Login" keyring. Its real name is `login`, not `Login`; confirm this with `tools/list_keyrings.sh`.
- It's simply not working. How do I debug this program? Feed a known pair straight into the unlocker, bypassing GnuPG, to tell whether the problem is in decryption or in the keyring unlock itself:
echo 'login:my_password' | bin/unlock_keyrings --secret-file -
Typing the password on the command line leaves it in your shell history, so delete that entry afterwards (or, in bash with `HISTCONTROL=ignorespace`, prefix the command with a space).
This program uses the deprecated `libgnome-keyring-1` instead of `libsecret`, because the author could not work out how to use libsecret: there is almost no documentation on how to use `secret_service_unlock_sync()`.