Gnome Keyring deletes/forgets passwords and keyrings after updates and reboots

After a fresh install of Fedora 39 (Design Suite) on a brand new desktop computer, Gnome Keyring is broken. I’ll try and summarize the issues:

  • All keyrings will be gone after an update via Gnome Software
  • Keyrings will also disappear after some reboots (seems to be random)
  • Sometimes, it will remember a local network drive password, but forget an app’s password, ie: Proton VPN and Bridge
  • Apps will require a new default keyring be created, even though one already exists
  • Deleting a keyring via Passwords and Keys (aka Seahorse) doesn’t delete the files from ~/.local/share/keyrings
  • In Passwords and Keys, setting a keyring as default doesn’t appear to work

I don’t know much about journalctl, but this seems relevant:

Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope - Application launched by gnome-session-binary.

A larger log excerpt from yesterday:

Dec 27 11:32:42 rysen-box gnome-keyring-daemon[2318]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-pkcs11.desktop[2318]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-daemon[2327]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-secrets.desktop[2327]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-daemon[2331]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-ssh.desktop[2331]: discover_other_daemon: 1SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Couldn't move process 2317 to requested cgroup '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11>
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope - Application launched by gnome-session-binary.
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope: Couldn't move process 2321 to requested cgroup '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-gnome\x2dkeyring\x2dsecre>
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope - Application launched by gnome-session-binary.
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dssh-2323.scope: Couldn't move process 2323 to requested cgroup '/user.slice/user-1000.slice/user@1000.serviceDec 27 11:32:42 rysen-box gnome-keyring-daemon[2318]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-pkcs11.desktop[2318]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-daemon[2327]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-secrets.desktop[2327]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-daemon[2331]: discover_other_daemon: 1
Dec 27 11:32:42 rysen-box gnome-keyring-ssh.desktop[2331]: discover_other_daemon: 1SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Couldn't move process 2317 to requested cgroup '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11>
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dpkcs11-2317.scope - Application launched by gnome-session-binary.
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope: Couldn't move process 2321 to requested cgroup '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-gnome\x2dkeyring\x2dsecre>
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dsecrets-2321.scope - Application launched by gnome-session-binary.
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dssh-2323.scope: Couldn't move process 2323 to requested cgroup '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-gnome\x2dkeyring\x2dssh-2323.>
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dssh-2323.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dssh-2323.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dssh-2323.scope - Application launched by gnome-session-binary.
Dec 27 11:32:42 rysen-box systemd[2209]: Started gnome-session-manager@gnome.service - GNOME Session Manager (session: gnome).
/app.slice/app-gnome-gnome\x2dkeyring\x2dssh-2323.>
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dssh-2323.scope: Failed to add PIDs to scope's control group: No such process
Dec 27 11:32:42 rysen-box systemd[2209]: app-gnome-gnome\x2dkeyring\x2dssh-2323.scope: Failed with result 'resources'.
Dec 27 11:32:42 rysen-box systemd[2209]: Failed to start app-gnome-gnome\x2dkeyring\x2dssh-2323.scope - Application launched by gnome-session-binary.
Dec 27 11:32:42 rysen-box systemd[2209]: Started gnome-session-manager@gnome.service - GNOME Session Manager (session: gnome).

My hard drive is encrypted and I am the only one who uses this computer. So, I enable auto login and set the keyring password blank. I’ve also tried disabling auto login, as well as setting a keyring password, but the issues persist.

I don’t know anything about PAM, but in case this helps, my /etc/pam.d/login:

#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

I really don’t want to have to start from scratch with another fresh install. I’ve spent so much time setting up this new computer. I’m really hoping someone can help.

Fedora 39 (Design Suite)
AMD Rysen 5600X
AMD Radeon RX 6700 10GB LE
Kernel: 6.6.8-200.fc39.x86_64

1 Like

It looks like a service is failing to start.

Do you see gnome-keyring-daemon listed when you run systemctl status --user?

The output from systemctl --user --failed might also be informative.

1 Like

Hello and thanks for the reply.

I don’t see gnome-keyring-daemon in systemctl status --user.

systemctl --user --failed just returns:

  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.

Yes, it appears the service is failing to start. But, I have no idea why, or how to fix it. The Arch Wiki entry about Gnome Keyring mentions adding two lines to /etc/pam.d/login:

auth       optional     pam_gnome_keyring.so
session    optional     pam_gnome_keyring.so auto_start

I might try that, since I’m not sure what else to do.

The Arch PAM files might not use the same system that Fedora Linux does. I’d hold off on making changes to the PAM files unless you’ve made changes to them previously and suspect that your customizations might be the source of the problem.

It looks like the config file that is responsible for starting gnome-keyring-daemon is /etc/xdg/autostart/gnome-keyring-secrets.desktop. In that file is the following line:

/usr/bin/gnome-keyring-daemon --start --components=secrets

Do you see any interesting output if you try to run that command manually from a gnome-terminal session?

I haven’t made any changes to the PAM files yet. I’ll hold off for now.

Running /usr/bin/gnome-keyring-daemon --start --components=secrets returns:

discover_other_daemon: 1SSH_AUTH_SOCK=/run/user/1000/keyring/ssh

And is it running now? Does it show up in the output of ps -ef | grep gnome-keyring?

Edit: Sorry, I pasted the wrong thing at first. Also, I’m a little confused about how this service is configured in Fedora Linux. My system also has a gnome-keyring-daemon.service.

$ systemctl status --user gnome-keyring-daemon.service
○ gnome-keyring-daemon.service - GNOME Keyring daemon
     Loaded: loaded (/usr/lib/systemd/user/gnome-keyring-daemon.service; disabled; preset: dis>
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
TriggeredBy: ○ gnome-keyring-daemon.socket
riley       2551       1  0 10:17 ?        00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
riley      19107   17065  0 14:08 pts/0    00:00:00 grep --color=auto gnome-keyring

It looks like there is a socket activation option for gnome-keyring. But it is disabled by default.

$ systemctl status --user gnome-keyring-daemon.socket
○ gnome-keyring-daemon.socket - GNOME Keyring daemon
     Loaded: loaded (/usr/lib/systemd/user/gnome-keyring-daemon.socket; disabled; preset: disa>
     Active: inactive (dead)
   Triggers: ● gnome-keyring-daemon.service
     Listen: /run/user/1000/keyring/control (Stream)

You might be able to enable that socket as a workaround if the normal startup isn’t working. I don’t know. It seems like that would be a simpler thing to try than messing with the PAM configuration though (especially since you can lock yourself out of your system by editing those PAM files).

I’d try systemctl --user enable --now gnome-keyring-daemon.socket and see if that helps. If not, it is easy to undo (just disable the service).

I ran systemctl --user enable --now gnome-keyring-daemon.socket.
Now systemctl status --user gnome-keyring-daemon.service returns:

○ gnome-keyring-daemon.service - GNOME Keyring daemon
     Loaded: loaded (/usr/lib/systemd/user/gnome-keyring-daemon.service>
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
TriggeredBy: ● gnome-keyring-daemon.socket

I appreciate you taking the time to try and figure this out. I’ll have to add a few passwords to the keyring, then reboot/update to see if there are any changes.

Yeah, socket activation is a little different. It won’t actually run the service until something tries to access the keyring. I’ve never used that service to start the keyring. I’m just thinking it might work as a workaround. Also, I see that it passes --foreground when starting the daemon.

$ systemctl cat --user gnome-keyring-daemon.service
# /usr/lib/systemd/user/gnome-keyring-daemon.service
[Unit]
Description=GNOME Keyring daemon

Requires=gnome-keyring-daemon.socket

[Service]
Type=simple
StandardError=journal
ExecStart=/usr/bin/gnome-keyring-daemon --foreground --components="pkcs11,secrets" --control-d>
Restart=on-failure

[Install]
Also=gnome-keyring-daemon.socket
WantedBy=default.target

That option might provide more debugging information in the logs. (Or you could try re-running the full command from the command line with that --foreground parameter and see if you get any more info about what is going wrong.

Encryption is still a very new/beta feature for Fedora Linux and that sort of thing could easily be the source of the problem you are seeing. You might also want to check the SELinux permissons on your files. If they are wrong, that could prevent the gnome keyring from starting (though I would expect that to fail consistently if that were the problem).

So the command would look like this?

systemctl --user enable --now gnome-keyring-daemon.socket --foreground

Well, actually, you only need to enable the socket once. To just (re)start the service, you would run systemctl --user start gnome-keyring-daemon.socket.

But to see that output from running the command directly in the foreground, you would use /usr/bin/gnome-keyring-daemon --foreground --components="pkcs11,secrets".

You might want to stop the socket activation temporarily (systemctl --user stop gnome-keyring-daemon.socket) before you try to run the command directly from the terminal for debugging purposes.

Edit: And kill any processes from that service that might still be running in the background:

$ ps -ef | grep gnome-keyring
gregory     1368       1  0 13:02 ?        00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
gregory     1384    1315  0 13:02 ?        00:00:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
gregory     8129    6409  0 15:34 pts/1    00:00:00 grep --color=auto gnome-keyring
$ killall gnome-keyring-daemon
[/usr/lib/systemd/user]$ ps -ef | grep gnome-keyring
gregory     8157    6409  0 15:35 pts/1    00:00:00 grep --color=auto gnome-keyring

OK, I ran the following commands:

systemctl --user stop gnome-keyring-daemon.socket
ps -ef | grep gnome-keyring
killall gnome-keyring-daemon
systemctl --user start gnome-keyring-daemon.socket

However, after I killed the process and restarted it, gnome-keyring-daemon didn’t show up in ps -ef | grep gnome-keyring (it was there before I killed it)

I’m going to try a reboot and see what happens. Thanks so much!

Wait, I might have an idea about what the problem is. Are you using password-less login with your drive encryption? E.g. something like what is described in this article:

Excerpt from Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk:

When using biometrics, a U2F key, or any other method that does not require a passphrase to sign in to GNOME, the Login keyring cannot be unlocked automatically.

I encrypted my hard drive during the install process, same as I’ve done for years. So, yes I use auto-login or a password-less login. It would fall under this category from the article:

If you use LUKS encryption for your home partition and operate a single-user system, you could remove the passphrase from your keyring. This will leave your gnome keyring unencrypted at the file level. But it will still be encrypted at the block level by LUKS.

I have the same setup on my old desktop running F39 without any issues. The only difference that I can think of is the old desktop formated with EXT4 and upgraded to F39. The new desktop with a fresh F39 using BTFS (I think??)

I’ve tried switching to a password login. But, the same issues persisted, except that new keyrings named “Login” kept being created.

After trying the commands and rebooting, my keyring was gone -from Passwords and Keys app (still on the file system ~/.local/share/keyrings).

I added a network drive password, and the Proton VPN app’s secret/password. Reboot. The network drive’s password was still there, but Proton App’s was gone. Same as before.

EDIT: jourctl was the same:

Dec 28 10:17:55 rysen-box systemd[2529]: Failed to start app-gnome-gnome\x2dkeyring\x2dpkcs11-2638.scope - Application launched by gnome-session-binary.
Dec 28 10:17:55 rysen-box systemd[2529]: Started app-gnome-gnome\x2dkeyring\x2dsecrets-2642.scope - Application launched by gnome-session-binary.
Dec 28 10:17:55 rysen-box systemd[2529]: Started app-gnome-gnome\x2dkeyring\x2dssh-2644.scope - Application launched by gnome-session-binary.

I think I am going to have to nuke this install and start from scratch :pensive: I might to with F38 to be safe.

I appreciate all your help! :partying_face:

@bluepixels, I have exactly the same issue. As 2276060 – Secret Service unavailable (after update). explains, an update of Fedora 40 has broken GNOME’s Secret Service for me, and 15 updates later, it’s still not been remediated:

RokeJulianLockhart@sayw4i:~$ systemctl status --user gnome-keyring-daemon.socket
○ gnome-keyring-daemon.socket - GNOME Keyring daemon
     Loaded: loaded (/usr/lib/systemd/user/gnome-keyring-daemon.socket; disabled; preset: disabled)
     Active: inactive (dead)
   Triggers: ● gnome-keyring-daemon.service
     Listen: /run/user/1000/keyring/control (Stream)
RokeJulianLockhart@sayw4i:~$ systemctl status --user gnome-keyring-daemon.service
○ gnome-keyring-daemon.service - GNOME Keyring daemon
     Loaded: loaded (/usr/lib/systemd/user/gnome-keyring-daemon.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
TriggeredBy: ○ gnome-keyring-daemon.socket

Should I enable the service and socket to manually diagnose it? I don’t want to misconfigure it, and consequently cause more problems.