Replacing Gnome Keyring with KeePassXC

Hello. I want to replace the default secret service, because it seems KeePassXC better protects the credentials. I use Cinnamon DE, LightDM with automatic login enabled and LUKS passphrase-encrypted drive.

I managed to temporary register KeePassXC as a secret service by killing gnome-keyring-daemon. Then I turned on KeePassXC autostart. Now to avoid conflict I need to disable gnome-keyring-daemon and unfortunately can’t find any way. I tried overriding /usr/share/dbus-1/services/org.freedesktop.secrets.service with ~/.local/share/dbus-1/services/org.freedesktop.secrets.service, overriding systemd user service gnome-keyring-daemon.service, removing /etc/xdg/autostart/gnome-keyring-secrets.desktop, greping /etc/X11. Despite that, after logging there is always a running process /usr/bin/gnome-keyring-daemon --daemonize --login.

First of all, the Internet doesn’t tell a lot about these things in Linux desktop, even though they’re so common. How it works, that the LUKS decryption passphrase somehow magically gets transported to GNOME keyring? What spawn it? Systemd? PAM? LightDM? D-Bus? How secure is this? And what is the correct way of replacing it with a different program?

Sometimes I feel like Linux is a total mess…

1 Like

You might also need to check if it is being started in your PAM stack.

$ grep pam_gnome_keyring /etc/pam.d/*

You probably need to use the authselect command to change your configuration to not use pam_gnome_keyring.

$ authselect list-features sssd
with-altfiles
with-ecryptfs
with-faillock
with-files-access-provider
with-files-domain
with-fingerprint
with-gssapi
with-libvirt
with-mdns4
with-mdns6
with-mkhomedir
with-pam-gnome-keyring
with-pam-u2f
with-pam-u2f-2fa
with-pamaccess
with-pwhistory
with-silent-lastlog
with-smartcard
with-smartcard-lock-on-removal
with-smartcard-required
with-subid
with-sudo
with-systemd-homed
without-nullok
without-pam-u2f-nouserok

I see this command for the first time. There’s indeed pam_gnome_keyring.so in /etc/pam.d files: cinnamon-screensaver, gdm-autologin, gdm-password and lightdm. Still don’t know what to do.

I’ve never tried to disable it (but I’ve been very temped many times). Does authselect current show it as enabled?

Let us know how it goes with disabling gnome-keyring. Others of us may do the same if your experience turns out well. :slightly_smiling_face:

sssd profile, features: with-silent-lastlog, with-fingerprint, with-mdns4.

Hmm, you might have found a bug. It looks like gnome-keyring shouldn’t be in the PAM stack if it isn’t enabled.

$ grep pam_gnome_keyring /usr/share/authselect/default/sssd/*
/usr/share/authselect/default/sssd/fingerprint-auth:auth        optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/fingerprint-auth:session     optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/password-auth:auth        optional                                     pam_gnome_keyring.so auto_start                        {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/password-auth:session     optional                                     pam_gnome_keyring.so auto_start                        {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/REQUIREMENTS:- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module              {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/smartcard-auth:auth        optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/smartcard-auth:session     optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/system-auth:auth        optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/system-auth:session     optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}

Edit: Ah, I see, authselect doesn’t manage those services (cinnamon-screensaver, gdm-autologin, gdm-password, and lightdm). I guess you’ll have to edit those files manually to get rid of it. :confused:

Be very careful editing those files. You can easily lock yourself out of your system. Also, beware that those files might get updated when their system packages are updated.

$ grep pam_gnome_keyring /etc/pam.d/*
/etc/pam.d/cinnamon-screensaver:-auth       optional     pam_gnome_keyring.so
/etc/pam.d/cinnamon-screensaver:#auth       optional     pam_gnome_keyring.so
/etc/pam.d/gdm-autologin:-auth      optional    pam_gnome_keyring.so
/etc/pam.d/gdm-autologin:session    optional    pam_gnome_keyring.so auto_start
/etc/pam.d/gdm-password:auth        optional      pam_gnome_keyring.so
/etc/pam.d/gdm-password:-password   optional       pam_gnome_keyring.so use_authtok
/etc/pam.d/gdm-password:session     optional      pam_gnome_keyring.so auto_start
/etc/pam.d/lightdm:-auth       optional    pam_gnome_keyring.so
/etc/pam.d/lightdm:-session    optional    pam_gnome_keyring.so auto_start
/etc/pam.d/passwd:-password   optional	pam_gnome_keyring.so use_authtok

Since all those lines show “optional”, I think you will be OK just commenting them out. However, watch out for things like [default=<N>] on earlier lines in the same stack. You might have to reduce <N> by 1 if that pam_gnome_keyring line was included before but no longer is (the <N> is the number of subsequent lines to jump over).

Again, I’ve never done this, so I don’t know how well trying to remove that will go. (It could go badly.)

I saw somewhere instruction which was renaming executable of GNOME’s default keyring. After restart KeePassXC took over key management completely.

1 Like

This might also be relevant:

TL;DR - there’s a way to do it via dbus service:

2 Likes

I am also very interested in doing this on KDE. Kwallet is an insecure mess, not sure if KeepassXC’s secret service is better though.

Can any app just query any password too?

2 Likes

I have written a script that in theory should disable gnome-keyring-daemon, but I’m afraid to actually run it. Can anyone review it? And where do I test it in? A VM?

cp /etc/xdg/autostart/gnome-keyring-secrets.desktop /etc/xdg/autostart/gnome-keyring-secrets.desktop.bak
cp /etc/xdg/autostart/gnome-keyring-pkcs11.desktop /etc/xdg/autostart/gnome-keyring-pkcs11.desktop.bak
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-pkcs11.desktop.bak
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-secrets.desktop
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-ssh.desktop
sed -i -r -e 's/^(X-GNOME-Autostart-Phase=PreDisplayServer)/#\1/' /etc/xdg/autostart/gnome-keyring-{secrets,pkcs11,ssh}.desktop
sudo systemctl --system mask gnome-keyring-daemon.service
sudo systemctl --system mask gnome-keyring-daemon.socket
cp /etc/pam.d/gdm-autologin /etc/pam.d/gdm-autologin.bak
cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password.bak
cp /etc/pam.d/passwd /etc/pam.d/passwd.bak
sed -i -r -e 's/^(-?)(auth|session|password)([ ]+|[\t]+)(optional)([ ]+|[\t]+)(pam_gnome_keyring)/\#\1\2\t\4\t\6/' /etc/pam.d/{gdm-autologin,gdm-password,passwd}

I also have a couple of questions:

  1. Will this break login sequence?
  2. Will this break AUTO login sequence?
  3. Will this break anything really?
  4. How can I save /etc state with rpm-ostree temporarily in ostree repo as a commit to revert to it if things break?

My system is Fedora Silverblue 40.

2 Likes

Added gnome-keyring, keepassxc, libsecret and removed gnome, workstation

Thanks, I will experiment with this on KDE too.

KWallet is seriously insecure and should not be used for any sensitive passwords. Any app can query whatever data from the storage

1 Like

Added kwallet

Tested it in a FSB40 VM. No changes. KeePassXC still can’t start because of gnome-keyring-daemon.

Doing sudo chmod -x /usr/bin/gnome-keyring-daemon is impossible on atomic ostree systems.

Obviously, same with sudo sed -i -E 's/Exec=.*/Exec=\/usr\/bin\/keepassxc/g' /usr/share/dbus-1/services/org.freedesktop.secrets.service. /usr is read-only.

1 Like

It’s very involved but :

  • Create a Custom PAM Configuration

  • Override Autostart Configurations

  • Override the D-Bus Service

1 Like

Can you share which bash commands to use?

Sure, but since these scripts I dug up are old, I need to give them a try again. So give me some time to come back to this. couple hours - tomorrow morning.

1 Like

the gnome keyring stuff may be in /etc/xdg/autostart/

You can disable it there by placing an empty file there.

also dont forget systemctl --user disable --now gnome-keyring-daemon and systemctl --user mask gnome-keyring daemon

and please use a VM to do big changes like these, or know the exact steps to revert them

1 Like