@Majlo34
Last active February 19, 2026 12:01
Unlock gnome-keyring with LUKS password in Ubuntu 24.04

This is useful for folks like me who use auto-login in GNOME and don't want to unlock gnome-keyring every time during login.

Prerequisites

  • The LUKS password and the gnome-keyring password are the same.
  • Ubuntu 24.04 (Could work in other versions, but I did not test it)

FYI: It will store the first password you type. If you make a mistake and type the password a second time, it won't work.

  1. Install the required packages (the keyutils package contains the keyctl command):

     sudo apt install keyutils

  2. Edit /etc/crypttab, adding the option keyscript=decrypt_keyctl:

     sudo vi /etc/crypttab

     Example:

     dm_crypt-0 UUID=a19571ac-b032-4073-9ad9-a0a72189ca1b none luks,keyscript=decrypt_keyctl

  3. Edit /etc/pam.d/common-password, adding the option use_authtok to the GNOME keyring line.

     Example:

     password optional pam_gnome_keyring.so use_authtok

  4. Rebuild the initramfs and reboot:

     sudo update-initramfs -k all -c
     sudo reboot now

After reboot

journalctl -b0 | grep gkr

Apr 10 18:18:03 dell-laptop gdm-autologin][1432]: gkr-pam: stashed password to try later in open session
Apr 10 18:18:04 dell-laptop gdm-autologin][1432]: gkr-pam: unlocked login keyring
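A read-only check of the edits from steps 1 to 3, useful before rebuilding the initramfs. This is an added example, not part of the original gist; the function names are hypothetical, and it assumes crypttab entries are marked with the luks option as in the example line above.

```sh
#!/bin/sh
# Added example (not from the gist): verify the configuration without changing it.

# Print the name of every crypttab entry that has the "luks" option
# but does not carry keyscript=decrypt_keyctl in its option field.
crypttab_missing_keyscript() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            n = split($4, opts, ",")        # 4th field: comma-separated options
            luks = 0; ks = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "luks") luks = 1
                if (opts[i] == "keyscript=decrypt_keyctl") ks = 1
            }
            if (luks && !ks) print $1
        }' "$1"
}

# Succeed only if an active (uncommented) "password" line for
# pam_gnome_keyring.so carries the use_authtok argument.
pam_keyring_uses_authtok() {
    awk '
        $1 == "password" && /pam_gnome_keyring\.so/ {
            for (i = 1; i <= NF; i++) if ($i == "use_authtok") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Run all checks; the paths default to the files named in the steps above.
check_keyring_unlock_setup() {
    crypttab=${1:-/etc/crypttab}
    pam=${2:-/etc/pam.d/common-password}
    rc=0
    command -v keyctl >/dev/null 2>&1 ||
        { echo "keyctl not found (install keyutils)"; rc=1; }
    missing=$(crypttab_missing_keyscript "$crypttab")
    [ -z "$missing" ] ||
        { echo "no keyscript=decrypt_keyctl on: $missing"; rc=1; }
    pam_keyring_uses_authtok "$pam" ||
        { echo "pam_gnome_keyring.so lacks use_authtok in $pam"; rc=1; }
    return $rc
}
```

Source the file and run `check_keyring_unlock_setup` with no arguments to check the live system; reading /etc/crypttab may require root.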

73 commented Mar 6, 2025

Works on Debian 12 "Bookworm"

brandonlichtenwalner commented Nov 11, 2025

Thank you!

I confirmed that this solution still works on Debian 13 (Trixie).

I also confirmed that neither Debian 13 nor Fedora 43 exhibit the desired behavior out of the box, without these changes. I read that Fedora had this functionality "baked in" but it didn't work in my test case, so maybe it was removed/changed in a recent version.

EDIT:
In further testing I confirmed that you can skip step 3 (at least on Debian 13). The first time you access the keyring it will ask you for the password and there is a checkbox to automatically unlock the keyring when you log in. All you need to do is check the box and it will work as expected on all subsequent logins. This should fix the issue if you mistype your password the first time unlocking LUKS and I believe it will also let you use a separate password for the keyring, but I haven't tested it.

I baked it into Ansible tasks, if it's helpful to anyone:

# keyutils is installed earlier in the tasks file

  - name: check if keyscript option has already been added to crypttab
    register: keyscript_option
    changed_when: false
    check_mode: true
    ansible.builtin.lineinfile:
      path: /etc/crypttab
      search_string: 'keyscript=decrypt_keyctl'
      state: absent

  - name: ensure keyscript is used for automatic keyring unlocking in Gnome
    when: (crypttab_file.stat.exists) and (not keyscript_option.found) and ('gdm3' in ansible_facts.packages)
    notify: "update initramfs"
    ansible.builtin.lineinfile:
      path: /etc/crypttab
      backrefs: true
      regexp: '^(.*_crypt.*UUID=.*luks.*)$'
      line: '\1,keyscript=decrypt_keyctl'
# I have my handlers separate in my main playbook(s)

  handlers:
  - name: "update initramfs"
    command: update-initramfs -k all -c
