This repository was archived by the owner on Mar 2, 2025. It is now read-only.

umglurf/gnome-keyring-unlock


Project has moved

You can now find this project on Codeberg instead.

gnome-keyring-unlock

Script to unlock GNOME Keyring using a password read from stdin. This can be used, for example, to unlock gnome-keyring when you log in with a fingerprint.

Usage

Read password and unlock

# -r keeps backslashes literal, -s stops the password being echoed
IFS= read -rs password
./unlock.py <<<"$password"

Decrypt password using tpm chip

First you need to set up the encrypted password file. You will need to install clevis. I'm using doas, but you can replace it with sudo.

The required configuration for doas is (replace USERNAME with your user):

permit nopass USERNAME as tss cmd /usr/bin/clevis-encrypt-tpm2
permit nopass USERNAME as tss cmd /usr/bin/clevis-decrypt-tpm2

To set up the encrypted password file, run:

IFS= read -rs password
doas -u tss /usr/bin/clevis-encrypt-tpm2 '{"pcr_ids":"7"}' <<<"$password" > ~/.config/gnome-keyring.tpm2

Then to unlock you can run:

doas -u tss /usr/bin/clevis-decrypt-tpm2 < ~/.config/gnome-keyring.tpm2 | ./unlock.py

Setting up automatic unlock during login

If you log in with a fingerprint and/or FIDO2 instead of a password, GNOME Keyring will not be unlocked. Copy unlock.py to ~/bin and put the following in ~/.bash_profile if using bash, or ~/.zprofile if using zsh:

if [ -f ~/.config/gnome-keyring.tpm2 ]
then
    # Start the secrets component if the daemon's control socket is missing.
    if ! [ -S "/run/user/$UID/keyring/control" ]
    then
        gnome-keyring-daemon --start --components=secrets
    fi
    doas -u tss /usr/bin/clevis-decrypt-tpm2 < ~/.config/gnome-keyring.tpm2 | ~/bin/unlock.py
fi
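
A stricter form of the final pipeline in the snippet above, as an added example that is not part of this project: it refuses a blob that other accounts can read and checks that the TPM unseal succeeded before anything is passed to unlock.py. The gku_* function names and GKU_BLOB are hypothetical; the commands they wrap are the ones shown in this README.

```sh
# Added example, not the project's code. The gku_* names are hypothetical;
# the commands inside gku_decrypt and gku_feed are the ones from this README.
GKU_BLOB="${GKU_BLOB:-$HOME/.config/gnome-keyring.tpm2}"

# Unseal the blob given on stdin; prints the password on stdout.
gku_decrypt() { doas -u tss /usr/bin/clevis-decrypt-tpm2; }

# Hand the password on stdin to the unlock script.
gku_feed() { "$HOME/bin/unlock.py"; }

# Returns 0 = unlocked, 1 = no blob, 2 = blob accessible to group/other,
# 3 = unseal failed, 4 = unlock script failed.
# The body is a subshell so the password variable never reaches the login shell.
gku_unlock() (
    [ -f "$GKU_BLOB" ] || return 1

    # Assumption: the blob should be owner-only (chmod 600), because the PCR 7
    # policy is the only condition on unsealing and is not tied to a user.
    # ls -ld prints the mode first; characters 5-10 are the group/other bits.
    case "$(ls -ld "$GKU_BLOB")" in
        ????------*) ;;
        *) return 2 ;;
    esac

    # Unseal first and check the result. If PCR 7 no longer holds the value
    # the blob was sealed against, clevis fails and there is nothing to feed.
    secret=$(gku_decrypt < "$GKU_BLOB") || return 3
    [ -n "$secret" ] || return 3

    # The here-string used at setup time sealed a trailing newline, which the
    # command substitution stripped; put it back for unlock.py.
    printf '%s\n' "$secret" | gku_feed || return 4
)
```

Call `gku_unlock` in place of the `doas ... | ~/bin/unlock.py` line of the profile snippet. Run `chmod 600 ~/.config/gnome-keyring.tpm2` once beforehand, since the setup command creates the file with the default umask.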
