How to unlock Gnome keyring by entering one luks passphrase at boot and autologin gdm enabled?

I have installed Garuda Linux with two separate LUKS encrypted partitions, where the root filesystem including /boot are on one partition and home folder on another. Each having the same luks passphrase. I have been trying to setup autologin to the Gnome Keyring by entering just one Luks passphrase at boot. Thusfar unsuccesfuly. Comming from Fedora I know this is possible and according to the Arch wiki on GNOME/Keyring it should be possible on an Arch based distribution too:

• Alternatively, if using GDM and LUKS, GDM can unlock your keyring if it matches your LUKS password. For this to work, you need to use the systemd init in your mkinitcpio.conf as well as the appropriate kernel parameters.

So I have added the following hooks to my mkinitcpio.conf:
HOOKS="base systemd autodetect modconf keyboard sd-vconsole block sd-plymouth sd-encrypt filesystems grub-btrfs-overlayfs"

Enabling booting from the systemd-cryptsetup-generator and added the folowing kernel parameters:
rd.luks.name=MY-CRYPTROOT-PARTITION-UUID-101=luks-MY-CRYPTROOT-PARTITION-UUID-101
rd.luks.name=MY-CRYPTHOME-PARTITION-UUID-102=luks-MY-CRYPTHOME-PARTITION-UUID-102
root=/dev/mapper/luks-MY-CRYPTROOT-PARTITION-UUID-101
rd.luks.key=/crypto_keyfile.bin

This would ensure that passwords entered in the password prompt are cached in the kernel keyring and can then be passed to the gnome keyring by configuring the pam_gnome_keyring.so module by adding the necessary lines to the file in/etc/pam.d/login. There are some additional gdm pam configuration files in /etc/pam.d/ that allready include these lines.

After recreating the initramfs image sudo mkinitcpio -P and updating grub grubup I rebooted the pc entered my luks passphrase and still got promted to enter my gnome keyring password, which is the same as my luks and gdm user password. However if I don't use autologin I get promted at boot and before a gnome session and then the keyring does automatically unlock.

according to this reddit post there is an additional pam_gdm module that passes the password stored in the kernel keyring to gdm. This is not mentioned in the Arch wiki, but I gave it a shot and added the auth [success=ok default=1] pam_gdm.so lines before the pam_gnome_keyring.so lines in the pam configuration files. But this wasn't succesful either.

I think I have exhausted every possible solution to get a one time password at boot to unlock the gnome keyring to work, but I might be missing something. I trust someone out here knows more about the technical details so please if you have any suggestion let me know. Your help would be much appreciated.

Welcome to the forum can you provide your

garuda-inxi

As per the forum template

garuda-inxi                                                                                                                       (base) 
System:
  Kernel: 6.1.12-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 12.2.1
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
    root=UUID=7a3a6005-8f99-4995-8d84-775500b433b0 rw rootflags=subvol=@
    quiet
    rd.luks.name=84fc4a39-4cb7-4b90-9cbc-6bf2a3167dd7=luks-84fc4a39-4cb7-4b90-9cbc-6bf2a3167dd7
    rd.luks.name=ddf9e2d4-0455-410b-b097-96c401dd6bf1=luks-ddf9e2d4-0455-410b-b097-96c401dd6bf1
    root=/dev/mapper/luks-84fc4a39-4cb7-4b90-9cbc-6bf2a3167dd7
    rd.luks.key=/crypto_keyfile.bin rd.luks.options=discard quiet splash
    rd.udev.log_priority=3 vt.global_cursor_default=0 loglevel=3 ibt=off
  Desktop: GNOME v: 43.3 tk: GTK v: 3.24.36 wm: gnome-shell dm: GDM v: 43.0
    Distro: Garuda Linux base: Arch Linux
Machine:
  Type: Desktop System: HP product: HP EliteOne 800 G3 23.8-in Touch AiO
    v: N/A serial: <superuser required> Chassis: type: 13
    serial: <superuser required>
  Mobo: HP model: 829B v: KBC Version 06.29 serial: <superuser required>
    UEFI: HP v: P11 Ver. 02.34 date: 04/27/2020
CPU:
  Info: model: Intel Core i7-7700 bits: 64 type: MT MCP arch: Kaby Lake
    gen: core 7 level: v3 note: check built: 2018 process: Intel 14nm family: 6
    model-id: 0x9E (158) stepping: 9 microcode: 0xF0
  Topology: cpus: 1x cores: 4 tpc: 2 threads: 8 smt: enabled cache:
    L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB desc: 4x256 KiB
    L3: 8 MiB desc: 1x8 MiB
  Speed (MHz): avg: 1783 high: 3600 min/max: 800/4200 scaling:
    driver: intel_pstate governor: powersave cores: 1: 1225 2: 1151 3: 3600
    4: 1200 5: 1100 6: 3600 7: 1200 8: 1192 bogomips: 57600
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities: <filter>
Graphics:
  Device-1: Intel HD Graphics 630 vendor: Hewlett-Packard driver: i915
    v: kernel arch: Gen-9.5 process: Intel 14nm built: 2016-20 ports:
    active: eDP-1 empty: DP-1,DP-2,HDMI-A-1 bus-ID: 00:02.0 chip-ID: 8086:5912
    class-ID: 0300
  Device-2: Sunplus Innovation HP 2.0MP High Definition Webcam type: USB
    driver: uvcvideo bus-ID: 1-13:6 chip-ID: 1bcf:2c97 class-ID: 0e02
  Display: x11 server: X.Org v: 21.1.7 with: Xwayland v: 22.1.8
    compositor: gnome-shell driver: X: loaded: modesetting
    alternate: fbdev,intel,vesa dri: iris gpu: i915 display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1920x1080 s-dpi: 96 s-size: 508x285mm (20.00x11.22")
    s-diag: 582mm (22.93")
  Monitor-1: eDP-1 res: 1920x1080 hz: 60 size: N/A modes: 1920x1080
  API: OpenGL Message: Unable to show GL data. Required tool glxinfo
    missing.
Audio:
  Device-1: Intel 200 Series PCH HD Audio vendor: Hewlett-Packard
    driver: snd_hda_intel v: kernel bus-ID: 00:1f.3 chip-ID: 8086:a2f0
    class-ID: 0403
  Sound API: ALSA v: k6.1.12-zen1-1-zen running: yes
  Sound Server-1: PulseAudio v: 16.1 running: no
  Sound Server-2: PipeWire v: 0.3.65 running: yes
Network:
  Device-1: Intel Ethernet I219-LM vendor: Hewlett-Packard driver: e1000e
    v: kernel port: N/A bus-ID: 00:1f.6 chip-ID: 8086:15e3 class-ID: 0200
  IF: eno1 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Device-2: Intel Wireless 8265 / 8275 driver: iwlwifi v: kernel pcie:
    gen: 1 speed: 2.5 GT/s lanes: 1 bus-ID: 03:00.0 chip-ID: 8086:24fd
    class-ID: 0280
  IF: wlp3s0 state: down mac: <filter>
Bluetooth:
  Device-1: Intel Bluetooth wireless interface type: USB driver: btusb v: 0.8
    bus-ID: 1-14:7 chip-ID: 8087:0a2b class-ID: e001
  Report: bt-adapter ID: hci0 rfk-id: 0 state: down
    bt-service: enabled,running rfk-block: hardware: no software: yes
    address: <filter>
Drives:
  Local Storage: total: 1.62 TiB used: 212.04 GiB (12.8%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/mmcblk0 maj-min: 179:0 model: 00000 size: 1.82 GiB block-size:
    physical: 512 B logical: 512 B type: SSD serial: <filter> scheme: MBR
  ID-2: /dev/nvme0n1 maj-min: 259:4 vendor: Samsung
    model: MZVLW256HEHP-000H1 size: 238.47 GiB block-size: physical: 512 B
    logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter>
    rev: CXB70H1Q temp: 27.9 C scheme: GPT
  ID-3: /dev/nvme1n1 maj-min: 259:0 vendor: Samsung model: SSD 970 PRO 1TB
    size: 953.87 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
    lanes: 4 type: SSD serial: <filter> rev: 1B2QEXP7 temp: 28.9 C scheme: GPT
  ID-4: /dev/sda maj-min: 8:0 type: USB vendor: Western Digital
    model: WD Elements 1042 size: 465.76 GiB block-size: physical: 512 B
    logical: 512 B type: N/A serial: <filter> rev: 1019 scheme: GPT
Partition:
  ID-1: / raw-size: 60 GiB size: 60 GiB (100.00%) used: 45.14 GiB (75.2%)
    fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-84fc4a39-4cb7-4b90-9cbc-6bf2a3167dd7
  ID-2: /boot/efi raw-size: 512 MiB size: 511 MiB (99.80%)
    used: 756 KiB (0.1%) fs: vfat dev: /dev/nvme1n1p3 maj-min: 259:3
  ID-3: /home raw-size: 893.36 GiB size: 893.36 GiB (100.00%)
    used: 41.58 GiB (4.7%) fs: btrfs dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-ddf9e2d4-0455-410b-b097-96c401dd6bf1
  ID-4: /var/log raw-size: 60 GiB size: 60 GiB (100.00%)
    used: 45.14 GiB (75.2%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-84fc4a39-4cb7-4b90-9cbc-6bf2a3167dd7
  ID-5: /var/tmp raw-size: 60 GiB size: 60 GiB (100.00%)
    used: 45.14 GiB (75.2%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-84fc4a39-4cb7-4b90-9cbc-6bf2a3167dd7
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: zram size: 15.5 GiB used: 0 KiB (0.0%) priority: 100
    dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 41.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Info:
  Processes: 352 Uptime: 3h 35m wakeups: 3 Memory: 15.5 GiB
  used: 5.18 GiB (33.4%) Init: systemd v: 253 default: graphical
  tool: systemctl Compilers: gcc: 12.2.1 Packages: 1496 pm: pacman pkgs: 1472
  libs: 359 tools: gnome-software,pamac,paru pm: rpm pkgs: 0 pm: appimage
  pkgs: 0 pm: flatpak pkgs: 24 Shell: fish v: 3.6.0 default: Bash v: 5.1.16
  running-in: gnome-terminal inxi: 3.3.25
Garuda (2.6.14-1):
  System install date:     2023-01-31
  Last full system update: 2023-02-17
  Is partially upgraded:   No
  Relevant software:       snapper NetworkManager mkinitcpio
  Windows dual boot:       Probably (Run as root to verify)
  Failed units:  

Your configuration looks good, as far as I can tell. A cursory search for this issue reveals you are far from the only person with this issue (even on the mighty Fedora forum, here and here).

I did see a couple random reports of success from folks who installed Seahorse and changed the keyring password, then changed it back again. It sounds pretty flimsy, but if you take a look at the Gnome wiki article (Gnome Keyring: Automatic Unlocking / PAM), it does sound like something happens when the password is changed.

When the user changes their password, the PAM module changes the password of the ‘login’ keyring to match.

• Again, here gnome-keyring-daemon is started if necessary.
• If root changes the password, or /etc/shadow is directly edited then due to the lack of the old password, the ‘login’ keyring cannot be updated.

It kind of seems like the equivalent of turning it off and back on again, but may be worth a shot.

The only other thing that stands out to me is here, where they note a line should be added to /etc/pam.d/passwd:

In /etc/pam.d/passwd, add a line like this to the ‘password’ block:

password        optional        pam_gnome_keyring.so

I can’t figure out if /etc/pam.d/passwd is actually relevant to an autologin, or for that matter relevant to a login that GDM is handling period. The documentation available for Pam is super dense, and my attention span forced me to bail before I was able to get a straight answer.

Thanks for taking the effort to dip into the subject. I have changed the password back and forth, even decided to romove all the config files and then create the default login entry as the default keyring echo "login" > ~/.local/share/keyrings/default. According to the Gnome Keyring: Automatic Unlocking / PAM article the login keyring would be created when logging in after a reboot. This is not the case, as also others have concluded, so I created a new login keyring which is allready marked as the default keyring. Rebooted and then nothing happened, still had to login manually.

I still believe it is possible because I have seen this post about someone who got it to work on Arch The arch wiki on gnome keyring points to this article:

See [1] for more details.

Maybe this could be a Garuda Linux specific problem since the output of jctl points to an error with some systemd application and also gkr-pam: couldn't unlock the login keyring:

jctl private bin

While googling for the journalctl error: gkr-pam: couldn't unlock the login keyring I found out that this can be circumvented by masking the Gnome keyring daemon as per systemctl --user mask gnome-keyring-daemon.service and systemctl --user mask gnome-keyring-daemon.socket. It is also sort of described on the archwiki. However I still did not get autologin unlocking Gnome keyring to work. journalctl -p 3 -xb hints to that there is some systemd unit that failed to get started, but I can't quite figure out what particular unit it is. Here is the output of jctl:

feb 20 20:42:18 archlinux kernel: x86/cpu: SGX disabled by BIOS.
feb 20 20:42:24 Garuda systemd-udevd[438]: /usr/lib/udev/rules.d/51-trezor.rules:11 Unknown group 'trezord', ignoring
feb 20 20:42:24 Garuda systemd-udevd[438]: /usr/lib/udev/rules.d/51-trezor.rules:12 Unknown group 'trezord', ignoring
feb 20 20:42:24 Garuda systemd-udevd[438]: /usr/lib/udev/rules.d/51-trezor.rules:15 Unknown group 'trezord', ignoring
feb 20 20:42:24 Garuda systemd-udevd[438]: /usr/lib/udev/rules.d/51-trezor.rules:16 Unknown group 'trezord', ignoring
feb 20 20:42:24 Garuda systemd-udevd[438]: /usr/lib/udev/rules.d/51-trezor.rules:17 Unknown group 'trezord', ignoring
feb 20 20:42:25 Garuda systemd-tmpfiles[581]: Failed to write file "/sys/module/pcie_aspm/parameters/policy": Operation not permitted
feb 20 20:42:25 Garuda bluetoothd[590]: src/plugin.c:plugin_init() Failed to init vcp plugin
feb 20 20:42:25 Garuda bluetoothd[590]: src/plugin.c:plugin_init() Failed to init mcp plugin
feb 20 20:42:25 Garuda bluetoothd[590]: src/plugin.c:plugin_init() Failed to init bap plugin
feb 20 20:42:25 Garuda bluetoothd[590]: Failed to set mode: Failed (0x03)
feb 20 20:42:27 Garuda systemd[2166]: Failed to start Application launched by gnome-session-binary.
░░ Subject: A start job for unit UNIT has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit UNIT has finished with a failure.
░░ 
░░ The job identifier is 160 and the job result is failed.
feb 20 20:42:27 Garuda systemd[2166]: Failed to start Application launched by gnome-session-binary.
░░ Subject: A start job for unit UNIT has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit UNIT has finished with a failure.
░░ 
░░ The job identifier is 164 and the job result is failed.
feb 20 20:42:46 Garuda sudo[3804]:     ejan : a password is required ; TTY=pts/0 ; PWD=/home/ejan ; USER=root ; COMMAND=/usr/bin/true
feb 20 20:43:00 Garuda sudo[4794]:     ejan : a password is required ; TTY=pts/0 ; PWD=/home/ejan ; USER=root ; COMMAND=/usr/bin/true

Again any help would be appreciated very much.

Edit: Just found out from a broader journalctl -p 4 -xb logfile the application is probably the gnome keyring:

feb 20 22:28:57 Garuda systemd[2158]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2656.scope: Failed to add PIDs to scope's control group: No such process
feb 20 22:28:57 Garuda systemd[2158]: app-gnome-gnome\x2dkeyring\x2dpkcs11-2656.scope: Failed with result 'resources'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit UNIT has entered the 'failed' state with result 'resources'.
feb 20 22:28:57 Garuda systemd[2158]: Failed to start Application launched by gnome-session-binary.

The question remains; What could be the reason it failed to get started?

This appears to be a long-standing Gnome bug, affecting pretty much every distro across several versions of Gnome.

Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1973058

Fedora: Two errors after starting the GNOME desktop - #8 by tronde - Fedora Discussion

Debian: debian - systemd: Failed to start Application launched by gnome-session-binary - Unix & Linux Stack Exchange

Manjaro: Failed to start Application launched by gnome-session-binary - GNOME - Manjaro Linux Forum

Zorin: Failed to Start Application launched by Gnome session binary - General Help - Zorin Forum

Gentoo: 849116 – gnome-base/gnome-session: Failed to start Application launched by gnome-session-binary.

This person has been chased by the bug across several Ubuntu releases and into Fedora: https://libreddit.garudalinux.org/r/gnome/comments/oknd9c/failed_to_start_application_launched_by/

I think I found the thread with this suggestion: https://libreddit.garudalinux.org/r/archlinux/comments/yry43x/found_solution_to_journalctl_error_gnomekeyring/

I think the author’s claim that they found a “solution” is an overstatement; really, they just found a way to get the error message to stop showing up. They noted that this “solution” does not resolve the behavior you have described where you must either log in or manually unlock the keyring:

gnome-keyring always works as intended, although some apps will require your pass if you use autologin as usual.

In the Zorin thread, a comment suggests it may be triggered by certain hardware configurations, although they didn’t really elaborate on that theory. Just curious though: when you had this setup working correctly on Fedora was it the same hardware setup you are using now?

Actually the post I refer to was here on the Manjaro forum, but it has the same gist. I think you’re right about this being a band-aid solution. The archwiki documentation on Gnome Keyring they refer to is this part where it’s talking about the discover_other_daemon: 1 terminal message, which also shows up in my journalclt. It offers as a solution to either remove the --start option after gnome-keyring-daemon in ~/.bash_profile, ~/.xinitrc etc. or disable the the gnome-keyring-daemon.service and gnome-keyring-daemon.socket user units. I have tried that but when I check for the status it just stays enabled.

It was the same hardware indeed, but to be frank it wasn’t the same full disk Luks encryption because on Fedora I had the /boot directory on a separate partition. So autologin was not possible in that setup. It wasn’t until I immersed myself into the possibility to use a single password upon boot that I stumbled on this bug. Anyway, I suppose it’s better to let go of the idea and still choose to login as a user. That way the keyring does get unlocked. Side note: I have also installed pam_gnupg to automatically unlock my gpg passphrase and it doesn’t work with autologin either, but it does when I do login to a gdm session.