
@kizzard
Last active April 24, 2025 23:21

Automatically Unlock Gnome Keyring on Login on Pop OS or Ubuntu

For face or fingerprint unlock methods that log in but don't unlock the keyring

This works on Pop OS and probably any Ubuntu-based distro

Uses https://codeberg.org/umglurf/gnome-keyring-unlock and https://github.com/tpm2-software/tpm2-tools

Add yourself to the tss group

This is required to use the TPM

sudo usermod -aG tss your_username

Log out and back in, then check that you are in the tss group:

groups

Set up Dependencies

sudo apt install tpm2-tools
git clone https://codeberg.org/umglurf/gnome-keyring-unlock.git

Set up TPM keys and context

mkdir -p ~/.tpm && cd ~/.tpm
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

Encrypt password

# -s hides the typed password instead of echoing it; -r keeps backslashes literal
read -rs password
# Encrypt it with the TPM-resident AES key; password.enc can only be decrypted by this TPM
tpm2_encryptdecrypt -c key.ctx -o password.enc <<<"$password"
unset password

Create Unlock Script

Save the following as ~/Scripts/unlockKeyring.sh (it must be executable, since ~/.profile runs it directly):

#!/bin/bash
# Load a TPM context key, decode the password and unlock the gnome keyring.
# The primary key is re-derived from the TPM's owner seed on every run, so it
# is never stored on disk; key.priv can only be loaded under this TPM's primary.
set -euo pipefail
tpm2_createprimary -Q -c ~/.tpm/primary.ctx
tpm2_load -Q -C ~/.tpm/primary.ctx -u ~/.tpm/key.pub -r ~/.tpm/key.priv -c ~/.tpm/key.ctx
# Decrypt to stdout only; the plaintext never touches the filesystem or the log
tpm2_encryptdecrypt -Qd -c ~/.tpm/key.ctx ~/.tpm/password.enc | ~/gnome-keyring-unlock/unlock.py

Make it run on login

Add the following to the end of your ~/.profile:

# Wait 5 seconds then try to unlock the keyring.
# ~/.profile may be read by sh rather than bash, so use the portable
# "> file 2>&1" redirection instead of bash's "&>".
(sleep 5; ~/Scripts/unlockKeyring.sh > ~/Scripts/unlockKeyring.log 2>&1) &
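Added example, not part of kizzard's gist or of gnome-keyring-unlock: a pre-flight check that unlockKeyring.sh can call before the tpm2_* lines. It verifies that ~/.tpm and the three files in it are owned by you and carry no group/other permission bits (any other local account in the tss group can talk to the same TPM, so the file permissions are what keeps key.priv and password.enc private to you), and it can confirm that your account is really in tss. The function names and the TPM_DIR override are assumptions made here; the file names are the ones the steps above create.

```shell
#!/bin/bash
# Added example (not from the original gist): pre-flight checks for the TPM
# key material used by unlockKeyring.sh. Function names and the TPM_DIR
# override are assumptions; the file names are the ones the gist creates.

TPM_DIR="${TPM_DIR:-$HOME/.tpm}"

# Succeed only if the file exists, belongs to the calling user and has no
# group/other permission bits (mode 600 or 400).
check_private_file() {
  local f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  [ "$(stat -c '%u' "$f")" = "$(id -u)" ] \
    || { echo "not owned by uid $(id -u): $f" >&2; return 1; }
  case "$(stat -c '%a' "$f")" in
    *00) return 0 ;;
    *)   echo "permissions too open ($(stat -c '%a' "$f")): $f" >&2; return 1 ;;
  esac
}

# Succeed only if the directory exists, belongs to the calling user and is
# mode 700 (or 500), so other users cannot even list the key files.
check_private_dir() {
  local d="$1"
  [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
  [ "$(stat -c '%u' "$d")" = "$(id -u)" ] \
    || { echo "not owned by uid $(id -u): $d" >&2; return 1; }
  case "$(stat -c '%a' "$d")" in
    *00) return 0 ;;
    *)   echo "directory permissions too open ($(stat -c '%a' "$d")): $d" >&2; return 1 ;;
  esac
}

# Succeed only if the named user (default: the caller) is a member of tss,
# which is what the usermod step above grants.
in_tss_group() {
  local u="${1:-$(id -un)}"
  id -nG "$u" 2>/dev/null | tr ' ' '\n' | grep -qx tss
}

# Run the ownership/permission checks against a key directory (default
# TPM_DIR). Reports every failure on stderr and returns 1 if any check failed.
preflight() {
  local dir="${1:-$TPM_DIR}" rc=0 name
  check_private_dir "$dir" || rc=1
  for name in key.pub key.priv password.enc; do
    check_private_file "$dir/$name" || rc=1
  done
  return $rc
}

# Usage inside unlockKeyring.sh, before the tpm2_* commands:
#   preflight && in_tss_group || exit 1
```

If preflight reports a file or directory as too open, `chmod 700 ~/.tpm` and `chmod 600 ~/.tpm/*` bring the setup back to the state the checks expect; ownership failures usually mean the files were created with sudo and should be recreated as your own user.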
@Xwang1976

Does this prevent "Evil Maid" like attacks?

The script is there and so if a session is obtained the attacker just needs to execute the script. Isn't it? Am I missing something?

@kizzard
Author

kizzard commented Apr 11, 2025

@Xwang1976 you are correct - this doesn't prevent evil maid attacks. It is only secure against an attacker who can read the contents of your drive. If the attacker has a session and can execute commands, they may steal your password by decoding it with the TPM.

Thanks to everyone in this thread who has contributed additional ideas and script samples!
