LinuxCommandLibrary

gnome-keyring-daemon

Manages user secrets and keys

SYNOPSIS

gnome-keyring-daemon [options] [keyring-names]...

PARAMETERS

--components=COMPONENTS
    Comma-separated list of components to load (e.g., pkcs11,secrets,ssh)

--daemonize
    Fork into background (daemon mode)

--dir=DIR
    Use keyrings in directory DIR instead of default

--login
    Use 'login' keyring; create if missing

--replace
    Replace any running daemon instance

--start
    Start daemon and print socket paths to stdout

--single-process
    Run all components in single process (debugging)

--unlock
    Unlock specified keyring on startup

--verbose
    Enable debug logging

DESCRIPTION

The gnome-keyring-daemon is a background process in the GNOME desktop environment that securely stores and retrieves user secrets, such as passwords, SSH keys, certificates, and encryption keys. It implements the Secret Service DBus API and supports multiple components like PKCS#11 for hardware tokens and SSH agent emulation.

It maintains collections called 'keyrings' (e.g., 'login', 'default', 'session'), typically unlocked automatically at login via PAM integration (pam_gnome_keyring). Applications access it over DBus; secrets in persistent keyrings are protected by the user's login password, while session keyrings use a blank password.

Launched automatically by GNOME Session or PAM, it stores secrets in ~/.local/share/keyrings using GPG-encrypted files. It supports unlocking via passwords, PKCS#11 tokens, or FIDO2. Designed for desktop integration, it is not a general-purpose secret manager like systemd credential agents.

Key features include multi-process isolation, per-session keyrings, and compatibility with tools like seahorse for GUI management. It's essential for GNOME apps like Evolution, Firefox (via NSS), and git credential helpers.
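Added example (not code from LinuxCommandLibrary or the gnome-keyring project): rather than running eval "$(gnome-keyring-daemon --start)" blindly, a session script can parse the --start output, export only the variables the daemon is known to print, and reject a control path that lies outside the user's runtime directory, is a symlink, or is group/world accessible. The sample output below is constructed; the variable names and the --components=secrets,ssh flag are real, while the runtime directory and uid are caller-supplied assumptions.

```python
import re
import stat
import subprocess
from pathlib import Path

# Variables gnome-keyring-daemon --start prints (GPG_AGENT_INFO: older releases).
ALLOWED_VARS = {"GNOME_KEYRING_CONTROL", "SSH_AUTH_SOCK", "GPG_AGENT_INFO"}
_KV_LINE = re.compile(r"^([A-Z_][A-Z0-9_]*)=(.*)$")

# Constructed sample of --start output; the last two lines must never be exported.
SAMPLE_OUTPUT = """\
GNOME_KEYRING_CONTROL=/run/user/424242/keyring
SSH_AUTH_SOCK=/run/user/424242/keyring/ssh
PATH=/tmp/untrusted
not a variable assignment
"""

def parse_start_output(text):
    """Keep only allow-listed KEY=VALUE pairs, unlike eval "$(... --start)"."""
    env = {}
    for line in text.splitlines():
        m = _KV_LINE.match(line.strip())
        if m and m.group(1) in ALLOWED_VARS and m.group(2):
            env[m.group(1)] = m.group(2)
    return env

def check_socket_path(path, runtime_dir, uid=None):
    """Return reasons not to trust a control/socket path (empty list = OK)."""
    problems = []
    p = Path(path)
    # Must live below the user's private runtime directory (XDG_RUNTIME_DIR).
    if not p.is_absolute() or Path(runtime_dir) not in p.parents:
        problems.append(f"{path} is not inside {runtime_dir}")
    if p.exists():  # filesystem checks only once the daemon has created it
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{path} is a symlink")
        if uid is not None and st.st_uid != uid:
            problems.append(f"{path} is not owned by uid {uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path} is group/world accessible")
    return problems

def keyring_env(runtime_dir, uid=None, raw=None):
    """Run --start (or parse `raw`) and return only validated variables."""
    if raw is None:
        raw = subprocess.run(["gnome-keyring-daemon", "--start", "--components=secrets,ssh"],
                             capture_output=True, text=True, check=True).stdout
    return {k: v for k, v in parse_start_output(raw).items()
            if not check_socket_path(v, runtime_dir, uid)}
```

The returned dict is what a login script should export; anything dropped by parse_start_output or flagged by check_socket_path is worth logging, since it means the daemon output or the runtime directory is not in the expected state.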

CAVEATS

Requires a DBus session bus; insecure if run as root; session keyrings are not encrypted; if the unlock password is reused elsewhere, a keylogger that captures it exposes the keyring.

COMPONENTS

Supported: pkcs11 (tokens), secrets (DBus service), ssh (SSH agent), p11-kit-proxy (proxy), fido2 (security keys).

KEYRINGS

'login' (PAM-unlocked), 'default', 'session' (temp). Stored as GPG files; list with secret-tool search --all.

HISTORY

Introduced in GNOME 2.6 (2005) as an evolution of the SSH key agent; rewritten for GNOME 3 with a DBus API; actively maintained in GNOME 40+ with FIDO2 support.

SEE ALSO

seahorse(1), gnome-keyring(7), ssh-agent(1), pkcs11(7)