For face or fingerprint unlock methods that log in but don't unlock the keyring
This works on Pop OS and probably on any Ubuntu-based distro.
Uses https://codeberg.org/umglurf/gnome-keyring-unlock and https://github.com/tpm2-software/tpm2-tools
Add your user to the tss group; this is required to use the TPM:
sudo usermod -aG tss your_username
Log out and back in, then check that you are in the tss group:
groups
sudo apt install tpm2-tools
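# Clone into the home directory, where unlockKeyring.sh below expects unlock.py
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git ~/gnome-keyring-unlock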
mkdir -p ~/.tpm && cd ~/.tpm
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
# -s keeps the password off the screen, -r keeps backslashes literal
read -rs password
tpm2_encryptdecrypt -c key.ctx -o password.enc <<< "$password"
unset password
Save the following as ~/Scripts/unlockKeyring.sh:
#!/bin/bash
# Load a TPM Context key, decode password and unlock the gnome keyring
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C ~/.tpm/primary.ctx -u ~/.tpm/key.pub -r ~/.tpm/key.priv -c ~/.tpm/key.ctx
tpm2_encryptdecrypt -Qd -c ~/.tpm/key.ctx ~/.tpm/password.enc | ~/gnome-keyring-unlock/unlock.py
Add the following to the end of your ~/.profile:
# Wait 5 seconds, then try to unlock the keyring
# (POSIX redirection: ~/.profile may be read by sh, where "&>" is not supported)
(sleep 5; ~/Scripts/unlockKeyring.sh > ~/Scripts/unlockKeyring.log 2>&1) &
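An added preflight check for the setup above (not part of the original instructions or of gnome-keyring-unlock): the `tpm2_create` call sets no auth value or policy on the key, so membership in tss plus read access to the files in ~/.tpm is all a local process needs to recover the keyring password. The function names and the `--check` argument are hypothetical, and GNU `stat` is assumed.

```bash
#!/bin/bash
# Added example: audit the ~/.tpm files before relying on them at login.
# Function names and the --check argument are hypothetical.

# True if the space-separated group list in $1 contains "tss".
in_tss_group() {
    case " $1 " in
        *" tss "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "mode path" for the directory $1 and every file in it that grants
# any permission to group or others. Prints nothing for 700/600 or stricter.
loose_paths() {
    local dir="$1" path mode
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue
        mode=$(stat -c '%a' "$path")   # GNU stat, octal mode such as 644
        case "$mode" in
            *00|0) ;;                  # group and other digits are both zero
            *) printf '%s %s\n' "$mode" "$path" ;;
        esac
    done
}

# Returns 0 only when the group list $2 includes tss and nothing in $1 is
# exposed; 1 for a missing group, 2 for loose permissions.
preflight() {
    local dir="$1" groups_list="$2" loose
    in_tss_group "$groups_list" || { echo "user is not in the tss group" >&2; return 1; }
    loose=$(loose_paths "$dir")
    [ -z "$loose" ] || { echo "group/world-accessible: $loose" >&2; return 2; }
    return 0
}

# Run the audit against the real files only when asked to.
if [ "${1:-}" = "--check" ]; then
    preflight "$HOME/.tpm" "$(id -nG)"
fi
```

If it reports loose paths, `chmod 700 ~/.tpm && chmod 600 ~/.tpm/*` brings the directory in line.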
Thanks @maksims-terjohins for the updated instructions; my TPM is also lacking the encryptdecrypt capability, so your instructions worked well. One thing I'm wondering is if you can explain, using this setup, what the TPM commands actually do. It seems to me the password is just decrypted using openssl and passed to the unlock.py script. What do the preceding TPM lines do for the process?