Replacing Gnome Keyring with KeePassXC

Hello. I want to replace the default secret service, because it seems KeePassXC better protects the credentials. I use Cinnamon DE, LightDM with automatic login enabled and LUKS passphrase-encrypted drive.

I managed to temporary register KeePassXC as a secret service by killing gnome-keyring-daemon. Then I turned on KeePassXC autostart. Now to avoid conflict I need to disable gnome-keyring-daemon and unfortunately can’t find any way. I tried overriding /usr/share/dbus-1/services/org.freedesktop.secrets.service with ~/.local/share/dbus-1/services/org.freedesktop.secrets.service, overriding systemd user service gnome-keyring-daemon.service, removing /etc/xdg/autostart/gnome-keyring-secrets.desktop, greping /etc/X11. Despite that, after logging there is always a running process /usr/bin/gnome-keyring-daemon --daemonize --login.

First of all, the Internet doesn’t tell a lot about these things in Linux desktop, even though they’re so common. How it works, that the LUKS decryption passphrase somehow magically gets transported to GNOME keyring? What spawn it? Systemd? PAM? LightDM? D-Bus? How secure is this? And what is the correct way of replacing it with a different program?

Sometimes I feel like Linux is a total mess…

1 Like

You might also need to check if it is being started in your PAM stack.

$ grep pam_gnome_keyring /etc/pam.d/*

You probably need to use the authselect command to change your configuration to not use pam_gnome_keyring.

$ authselect list-features sssd

I see this command for the first time. There’s indeed in /etc/pam.d files: cinnamon-screensaver, gdm-autologin, gdm-password and lightdm. Still don’t know what to do.

I’ve never tried to disable it (but I’ve been very temped many times). Does authselect current show it as enabled?

Let us know how it goes with disabling gnome-keyring. Others of us may do the same if your experience turns out well. :slightly_smiling_face:

sssd profile, features: with-silent-lastlog, with-fingerprint, with-mdns4.

Hmm, you might have found a bug. It looks like gnome-keyring shouldn’t be in the PAM stack if it isn’t enabled.

$ grep pam_gnome_keyring /usr/share/authselect/default/sssd/*
/usr/share/authselect/default/sssd/fingerprint-auth:auth        optional                            only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/fingerprint-auth:session     optional                            only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/password-auth:auth        optional                            auto_start                        {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/password-auth:session     optional                            auto_start                        {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/REQUIREMENTS:- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module              {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/smartcard-auth:auth        optional                            only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/smartcard-auth:session     optional                            only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/system-auth:auth        optional                            only_if=login auto_start          {include if "with-pam-gnome-keyring"}
/usr/share/authselect/default/sssd/system-auth:session     optional                            only_if=login auto_start          {include if "with-pam-gnome-keyring"}

Edit: Ah, I see, authselect doesn’t manage those services (cinnamon-screensaver, gdm-autologin, gdm-password, and lightdm). I guess you’ll have to edit those files manually to get rid of it. :confused:

Be very careful editing those files. You can easily lock yourself out of your system. Also, beware that those files might get updated when their system packages are updated.

$ grep pam_gnome_keyring /etc/pam.d/*
/etc/pam.d/cinnamon-screensaver:-auth       optional
/etc/pam.d/cinnamon-screensaver:#auth       optional
/etc/pam.d/gdm-autologin:-auth      optional
/etc/pam.d/gdm-autologin:session    optional auto_start
/etc/pam.d/gdm-password:auth        optional
/etc/pam.d/gdm-password:-password   optional use_authtok
/etc/pam.d/gdm-password:session     optional auto_start
/etc/pam.d/lightdm:-auth       optional
/etc/pam.d/lightdm:-session    optional auto_start
/etc/pam.d/passwd:-password   optional use_authtok

Since all those lines show “optional”, I think you will be OK just commenting them out. However, watch out for things like [default=<N>] on earlier lines in the same stack. You might have to reduce <N> by 1 if that pam_gnome_keyring line was included before but no longer is (the <N> is the number of subsequent lines to jump over).

Again, I’ve never done this, so I don’t know how well trying to remove that will go. (It could go badly.)

I saw somewhere instruction which was renaming executable of GNOME’s default keyring. After restart KeePassXC took over key management completely.

1 Like

This might also be relevant:

TL;DR - there’s a way to do it via dbus service:


I am also very interested in doing this on KDE. Kwallet is an insecure mess, not sure if KeepassXC’s secret service is better though.

Can any app just query any password too?


I have written a script that in theory should disable gnome-keyring-daemon, but I’m afraid to actually run it. Can anyone review it? And where do I test it in? A VM?

cp /etc/xdg/autostart/gnome-keyring-secrets.desktop /etc/xdg/autostart/gnome-keyring-secrets.desktop.bak
cp /etc/xdg/autostart/gnome-keyring-pkcs11.desktop /etc/xdg/autostart/gnome-keyring-pkcs11.desktop.bak
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-pkcs11.desktop.bak
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-secrets.desktop
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
echo "X-GNOME-Autostart-enabled=false" >> /etc/xdg/autostart/gnome-keyring-ssh.desktop
sed -i -r -e 's/^(X-GNOME-Autostart-Phase=PreDisplayServer)/#\1/' /etc/xdg/autostart/gnome-keyring-{secrets,pkcs11,ssh}.desktop
sudo systemctl --system mask gnome-keyring-daemon.service
sudo systemctl --system mask gnome-keyring-daemon.socket
cp /etc/pam.d/gdm-autologin /etc/pam.d/gdm-autologin.bak
cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password.bak
cp /etc/pam.d/passwd /etc/pam.d/passwd.bak
sed -i -r -e 's/^(-?)(auth|session|password)([ ]+|[\t]+)(optional)([ ]+|[\t]+)(pam_gnome_keyring)/\#\1\2\t\4\t\6/' /etc/pam.d/{gdm-autologin,gdm-password,passwd}

I also have a couple of questions:

  1. Will this break login sequence?
  2. Will this break AUTO login sequence?
  3. Will this break anything really?
  4. How can I save /etc state with rpm-ostree temporarily in ostree repo as a commit to revert to it if things break?

My system is Fedora Silverblue 40.


Added gnome-keyring, keepassxc, libsecret and removed gnome, workstation

Thanks, I will experiment with this on KDE too.

KWallet is seriously insecure and should not be used for any sensitive passwords. Any app can query whatever data from the storage

1 Like

Added kwallet

Tested it in a FSB40 VM. No changes. KeePassXC still can’t start because of gnome-keyring-daemon.

Doing sudo chmod -x /usr/bin/gnome-keyring-daemon is impossible on atomic ostree systems.

Obviously, same with sudo sed -i -E 's/Exec=.*/Exec=\/usr\/bin\/keepassxc/g' /usr/share/dbus-1/services/org.freedesktop.secrets.service. /usr is read-only.

1 Like

It’s very involved but :

  • Create a Custom PAM Configuration

  • Override Autostart Configurations

  • Override the D-Bus Service

1 Like

Can you share which bash commands to use?

Sure, but since these scripts I dug up are old, I need to give them a try again. So give me some time to come back to this. couple hours - tomorrow morning.

1 Like

the gnome keyring stuff may be in /etc/xdg/autostart/

You can disable it there by placing an empty file there.

also dont forget systemctl --user disable --now gnome-keyring-daemon and systemctl --user mask gnome-keyring daemon

and please use a VM to do big changes like these, or know the exact steps to revert them

1 Like