If you use a barebones system without a graphical greeter or a DE like Gnome or KDE, you might run into a situation where a program you want to use requires a secrets daemon. Here's how to set one up. I did it with Void Linux and Sway.
Installing the right packages
libgnome-keyring. Install them with your respective package manager.
Telling PAM to start the gnome-keyring daemon
This method allows you to unlock the keyring right when you log in, so you won't have to enter your password again. To do this, open /etc/pam.d/login as root, and add
    auth optional pam_gnome_keyring.so
at the end of the auth section and
    session optional pam_gnome_keyring.so auto_start
at the end of the
After these changes, my login file looks like this:
password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd. After this change, my passwd file looks like this:
And that's it!
Launching your WM
One last thing – you need to run your WM with dbus-run-session, and you need to execute
    eval $(gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh | sed 's/^\(.*\)/export \1/g')
before you launch it, so the best option is to use a launcher script; let's have a look at what it looks like for me, keeping in mind I'm using Sway:
I still launch it like dbus-run-session <my script>, but you could dbus-run-session from inside this script as well. Also, I don't have anything secrets-related in my Sway config.
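A launcher along the lines described above, as an added example (not the author's script): it exports only well-formed NAME=value lines from the daemon's output instead of eval-ing them, and refuses to start without a D-Bus session. The function names and the calling convention `dbus-run-session ./start-wm.sh sway` are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. Assumed usage:
#   dbus-run-session ./start-wm.sh sway

# Export only well-formed NAME=value lines from the daemon's output.
# Anything else is skipped rather than passed to eval.
export_keyring_env() {
    while IFS= read -r line; do
        case "$line" in
            [A-Za-z_]*=*) ;;      # looks like an assignment
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            *[!A-Za-z0-9_]*) continue ;;   # not a valid variable name
        esac
        export "$name=$value"
    done <<EOF
$1
EOF
}

# Start the daemon inside the D-Bus session, export its variables,
# then replace this shell with the window manager command.
launch() {
    if [ -z "${DBUS_SESSION_BUS_ADDRESS:-}" ]; then
        echo "no D-Bus session: run this script via dbus-run-session" >&2
        return 1
    fi
    # Component list as given on this page.
    out=$(gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh) || return 1
    export_keyring_env "$out"
    exec "$@"
}

# Do nothing unless a WM command was passed on the command line.
[ "$#" -eq 0 ] || launch "$@"
```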
Don't forget to dbus-run-session, or you'll have the "unknown or unsupported transport disabled for address disabled" error!
If you get "cannot create an item in a locked collection", you need to avoid launching the keyring daemon from other sources. It should only be launched once – and that's automatically done when you log in.
You can ask git to use the secrets daemon so that your tokens are no longer stored in
    git config --global credential.helper libsecret
If that does not seem to work, try –
    git config --global gpg.program gpg2
Until next time!