Automatic Keyring Authentication on Bootup

On my Ubuntu PC, when the login password is entered upon bootup, the keyring authentication automatically uses my login password to satisfy the keyring’s need for a password. So unless I break something, I never need to see or think about the keyring password on my Ubuntu PC. In Ubuntu, the keyring apparently snatches the password that you enter upon login as you log in and is satisfied after that, without ever asking you to enter it manually.

On the Librem 5, the keyring requires a password to be entered manually, every time I log in. Needing to enter a password three times just to boot the phone up can be a little bothersome and needlessly redundant.

So I installed seahorse on the Librem 5. Now I can see all of the keys on my Librem 5 using seahorse. What I see there in the way of authentication components looks the same as it does on my Ubuntu PC. But I am not an expert in this area and might be missing something. Upon bootup on the Librem 5, you’ll see that an application is requesting keyring authentication. That is the third time you have to enter a password when booting the Librem 5. Does anyone here know how to tell that application (whichever application it is) that needs the password to use the login password, without asking me to enter the password manually for a third time? Either that inquiring application is not looking at the keyring on its own, or the keyring is not automatically using the login password to satisfy its own password requirements. I don’t know which is the case here.

This seems like it should be easy to fix for someone who knows how to do it. This would reduce the number of times of entering the password upon bootup on the Librem 5 to only entering the password twice. In an effort to get a remote X display from the Librem 5 to my PC working on my Ubuntu PC, I accidentally damaged my .Xauthority file on the PC, which locked my login profile out of the operating system. I got back in by logging in as another user and resetting my regular user’s profile’s password from the other user’s login. But when going back into my regular profile after that, the annoying keyring thing came up every time I did anything, as the keyring didn’t have a valid password anymore. I fixed the problem by installing and using seahorse. I deleted the Default key and created a new Default key with an identical password to my login password. Then after I rebooted the second time, I found that the keyring automatically discovered the newly valid keyring password and quit bothering me to enter it manually after that, even on all future booting and rebooting. But on the Librem 5, I don’t know how to tell the keyring to look at the login password instead of asking me for it during each boot or reboot. In Ubuntu, the keyring trying and succeeding with the login password is automatic, every time I log in. Does anyone here know how to tell PureOS to do the same?

1 Like

As an interested Librem 5 user who probably doesn’t know how to help you, while we wait for someone more knowledgeable to reply, I’m curious: what do you do with your devices that triggers use of the keyring?

I’ve been using a Librem 5 for texting, calling, web browsing, TOTP, and occasionally to play games I wrote. But I’ve maybe only once seen a request for keyring access, and when I did I canceled it because I didn’t want to deal with it.

1 Like

I get the keyring password prompt at every power-on, immediately after the main password. I think it’s for Backups, which runs on a schedule. I don’t have any email accounts set up on the phone.

1 Like

When you use an application that requires any kind of authentication, the application looks to the keyring to get the authentication first. Sometimes the authentication is from a certificate and sometimes the authentication is from a password. Either/both get stored in the keyring. Several different passwords and certificates are or can be stored in the keyring. Think of the keyring like the keyring that holds your physical keys. It’s not a key. It just holds (stores) all of your keys. The keyring does have one key that is required to access any of the keys that it stores. It gets that key when you log in. If you deprive that keyring of a valid password, then none of your other keys can be used to authenticate any of your applications. Sometimes, only one key is broken while other keys still work. Some applications work anyway, even with a broken key. But the keyring can be tenacious about asking for a working key, every time it is unable to authenticate an application that requests the authentication. If a rarely-used application is unhappy for lack of authentication, then the keyring will rarely bother you. If every key is broken or if the keyring key is broken, then almost every mouse-click prompts a request for a working key. Some applications (like ssh) won’t work at all if the keyring refuses to authenticate. The keyring itself only needs its password when you start your session (typically on bootup).

1 Like

To amarok - this is normal behavior for the Librem 5, the way it is shipped.

But this third request for a password is easy to eliminate for those who know how to do it. The default Librem 5 behavior mimics a broken keyring for reasons that are probably related to security but that I want to bypass, if possible. A fully informed Librem 5 owner would probably know how to set their phone up to require three different passwords upon bootup. If I can find a way, one password entry requirement is good enough for me, at least for now.

1 Like

There is already a bug in Phosh for this: Initial lockscreen should unlock gnome keyring (#397) · Issues · World / Phosh / phosh · GitLab

3 Likes

Me too. In my case I am 99% sure it is because of email. That is, Geary is storing account password(s) in the keyring, as is A Good Thing™ to do. I wish Thunderbird would do that but I digress …

As an aside, this is questionable security. I have chosen not to allow this. Yes, this is a security–convenience trade-off, and one that you are completely free to make.

My understanding is this (as it relates to Ubuntu): there is a default keyring called login and it is unlocked using your login password (because the two passwords must be the same and PAM snatches the login password in order to unlock the keyring, as you say). The login keyring can then hold the passwords for other keyrings, if you so choose, so that logging in can have a cascading effect of allowing the unlocking of any number of keyrings without further user interaction - and any particular keyring may be the keyring that a given application needs.

(The main point about the security consideration is that different keyrings may hold material that has different sensitivity level. If you just unlock everything at login then you are saying that, really, you only need one keyring and all the material therein has the same need for protection. If the material includes passwords for systems that you do not control or administer then it may not be your call to decide what level of protection is appropriate.)

The fact that this keyring unlocking does not happen on the Librem 5 is a known and longstanding limitation.

My understanding of why this is: You never actually log in on the Librem 5. So this can’t ever work, as described above, while the implementation remains as it is. I suspect this is fixable, however.

So, yes, booting my Librem 5 requires 4 passwords (which should be and are all different):

  • LUKS disk encryption passphrase
  • unlock PIN/password for user purism
  • unlock PIN for SIM card
  • unlock password for particular keyring (used by Geary)

It could be worse. It could also be requiring the unlock PIN/password for the OpenPGP card (which I have installed but am not currently using for anything). :wink:

Obviously this would be less painful if battery life were better. (That is, if you can keep the phone permanently on then the above pain would be infrequent enough that you might not be concerned about it.)

2 Likes

The likelihood of someone wrestling the phone out of my pocket, or logging in remotely unauthorized, is much lower than the likelihood of big tech spying on me. And the likelihood of that on the Librem 5 is next to zero. The likelihood of an experienced cracker getting ahold of my phone is even lower than that. So I see having all of these manual login requirements as a bug, not as a feature. Even if someone gets into my phone, there is not much there of value to anyone but me. I don’t do my banking on my Librem 5. I guess that someone really good at circumventing all of the Librem 5 lockouts might get to listen to my Pandora account for free. I use passwords, not certificates, to log in to things that I really care about. I just think that for me, more than two passwords to get into my phone is overkill.

2 Likes

Related:

If you are sure that you want it, you could do it the same way you do it on Ubuntu. Ubuntu uses GNOME Display Manager for its login screen. It passes the password to a PAM module that unlocks the default keyring for you. The PAM module seems to be already installed. To achieve what you want, you could install GDM. Some of its dependencies recommend a lot of x11 packages which I do not see as necessary. So, here is what worked for me.

$ sudo apt install gdm3 --no-install-recommends

If you reboot now, you will see GDM for a moment, but it will be quickly overtaken by the usual Phosh login screen. Disabling Phosh service helped.

$ sudo systemctl disable phosh

Now, when you reboot, you can log in with GDM. If you cannot, fold down the keyboard and touch the :gear: icon hiding in the bottom right corner under the screen keyboard. Select the Phosh session instead of X11.

When you login via GDM, the default keyring should be unlocked automatically.

5 Likes
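A defender-side check for the PAM side of the procedure above, added here as an example that is not part of the thread or of any PureOS/Phosh component: it parses a PAM service file and reports whether pam_gnome_keyring.so is hooked into both the auth phase (which receives the typed password) and the session phase (which starts the daemon and unlocks the default keyring with it), since the unlock only works when both hooks are present. The embedded sample stacks are constructed, modelled on the Debian gdm-password layout, and the /etc/pam.d/<service> path is an assumption about the device.

```shell
#!/bin/sh
# Constructed sample modelled on a Debian-style /etc/pam.d/gdm-password:
# the login password is captured in "auth" and reused in "session".
SAMPLE_PAM_GDM='#%PAM-1.0
auth    requisite       pam_nologin.so
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok default=bad] pam_selinux.so open
session required        pam_loginuid.so
@include common-session
session optional        pam_gnome_keyring.so auto_start
@include common-password'

# Constructed stack with no keyring hooks: the password never reaches
# gnome-keyring, so the keyring prompts on its own after login.
SAMPLE_PAM_NOKEYRING='#%PAM-1.0
@include common-auth
@include common-account
@include common-session'

# keyring_hooks PHASE CONTENTS: count non-comment lines of the given PAM
# phase (auth|session) that load pam_gnome_keyring.so, whatever the control.
keyring_hooks() {
  printf '%s\n' "$2" | grep -v '^[[:space:]]*#' |
    awk -v phase="$1" '$1 == phase && /pam_gnome_keyring\.so/ { n++ } END { print n + 0 }'
}

# pam_unlocks_keyring CONTENTS: returns 0 only when both phases hook the
# keyring module, which is the condition for an automatic unlock at login.
pam_unlocks_keyring() {
  a=$(keyring_hooks auth "$1")
  s=$(keyring_hooks session "$1")
  if [ "$a" -gt 0 ] && [ "$s" -gt 0 ]; then
    echo "ok: login password is forwarded to the keyring (auth=$a session=$s)"
    return 0
  fi
  echo "missing: auth=$a session=$s; pam_gnome_keyring.so is needed in both phases"
  return 1
}

# check_service NAME: run the check against a live PAM service file
# (path assumed; e.g. gdm-password after installing gdm3 as described above).
check_service() {
  f="/etc/pam.d/$1"
  [ -r "$f" ] || { echo "no readable PAM file at $f"; return 2; }
  pam_unlocks_keyring "$(cat "$f")"
}
```

On the phone, `check_service gdm-password` after the gdm3 install tells you whether the automatic unlock can work before you reboot into GDM.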

What @riabenko describes is the best way to solve this on PureOS.
Mobian solves this by shipping phog, short for “Phone Greeter”, that looks more like Phosh’s unlock thingie. phog is likely going to be replaced by phrog: Phosh: "We did a whole bunch of #Documentation and #GObj…" - Fosstodon (the R is for … Rust!)

4 Likes