UnlockGnomeKeyring.md

Automatically Unlock Gnome Keyring on Login on Pop OS or Ubuntu

For face or fingerprint unlock methods that log in but don't unlock the keyring

This works on Pop OS and probably any Ubuntu based distro

Uses https://codeberg.org/umglurf/gnome-keyring-unlock and https://github.com/tpm2-software/tpm2-tools

Add yourself to the tss group

This is required to use the TPM

sudo usermod -aG tss your_username

log out and back in, and check that you are in the tss group:

groups

Set up Dependencies

sudo apt install tpm2-tools
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git

Set up TPM keys and context

mkdir -p ~/.tpm && cd ~/.tpm
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt password

read password
tpm2_encryptdecrypt -c key.ctx -o password.enc <<<$password

Create Unlock Script

Save the following as ~/Scripts/unlockKeyring.sh:

#!/bin/bash
# Load a TPM Context key, decode password and unlock the gnome keyring
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C ~/.tpm/primary.ctx -u ~/.tpm/key.pub -r ~/.tpm/key.priv -c ~/.tpm/key.ctx
tpm2_encryptdecrypt -Qd -c ~/.tpm/key.ctx ~/.tpm/password.enc | ~/gnome-keyring-unlock/unlock.py

Make it run on login

Add the following to the end of your ~/.profile:

# Wait 5 seconds then try to unlock the keyring
(sleep 5; ~/Scripts/unlockKeyring.sh &> ~/Scripts/unlockKeyring.log) &

Hi all! I've just followed the steps adjusting by @maksims-terjohins and am encountering the below error extracted from the log file. Anyone able to help?

ERROR: Error opening file "/home/jaystocky/.tpm/primary.ctx" due to error: Permission denied
ERROR: Failed saving object context.
ERROR: Unable to run tpm2_createprimary
ERROR: Incorrect handle value, got: "/home/jaystocky/.tpm/primary.ctx", expected expected [o|p|e|n|l] or a handle number
ERROR: Unable to read as BIO file
ERROR: Unable to fetch public/private portions of TSS PRIVKEY
ERROR: Cannot make sense of object context "/home/jaystocky/.tpm/primary.ctx"
ERROR: Unable to run tpm2_load
Unlock denied

Hi!

TLDR: chmod 660 primary.ctx

Try to set access permissions for primary.ctx to 660, also written as -rw-rw----. In my case it works fine. Use chmod 660 primary.ctx when inside .tpm dir. You should result with something like -rw-rw---- 1 jaystocky jaystocky 1532 dec 4 10:39 primary.ctx when running ls -l within the .tpm directory. The key is to have -rw-rw---- in the line with the primary.ctx.
If your file already has required permissions set, make sure your directory is accessible from for the scripts running the Unlock thing.
If both file and directory has access permissions set, make sure you are running the script by authorized user. If the unlockKeyring.sh is laucnhed by user other than jaystocky , there might be issue as well.

Thanks @maksims-terjohins i think that fixed it! The only issue I'm having now is that I'm still getting the two errors when I load into the OS asking me for the keyring password, but if I ignore them and then check passwords & keys I can see that it's unlocked!

Thanks @maksims-terjohins i think that fixed it! The only issue I'm having now is that I'm still getting the two errors when I load into the OS asking me for the keyring password, but if I ignore them and then check passwords & keys I can see that it's unlocked!

It looks to me that the script runs to late in OS startup process, since you eventually get it unlocked without entering the password. You might want to play with the sleep duration in your ~/.profile. I would start with removing the sleep 5; command and see if keyring still gets unlocked. If it breaks, try adding some non-zero time, but less than 5 seconds. May be you will find the right delay that fits your concrete OS instance and unlocks the keyring yet without prompting the password.

@maksims-terjohins given that a test, changed sleep 5 to sleep 0, sleep 1 etc and all still result in me having to dismiss three pop-ups despite the keyring being unlocked when i check afterwards! odd.

Thanks @maksims-terjohins for the updated instructions, my tpm is also lacking the encryptdecrypt capability so your instructions worked well. One thing I'm wondering is if you can explain using this set up what the tpm commands actually do. It seems to me the password is just decrypted using openssl and passed to the unlock.py script. What do the preceding tpm lines do for the process?

tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C $HOME/.tpm/primary.ctx -u $HOME/.tpm/key.pub -r $HOME/.tpm/key.priv -c $HOME/.tpm/key.ctx