How to disable GNOME Keyring on GNOME desktop

Last updated on November 15, 2020 by Dan Nanni

Question: I am trying to use gpg-agent for SSH authentication when my key is on a separate USB security key card. However, I notice that when I log in to my GNOME desktop, gnome-keyring-daemon is already running, which appears to interfere with gpg-agent. How can I disable GNOME keyring on my Linux desktop?

GNOME Keyring is a daemon program which caches a user's secret keys, login credentials and certificates, and makes them available to other applications requesting them according to the GnuPG protocol. Essentially GNOME Keyring plays the same role as gpg-agent, but is active only within GUI desktop sessions. GNOME Keyring also implements the SSH agent protocol for SSH authentication, as a replacement for ssh-agent.

The problem is that GNOME Keyring's implementation of the GnuPG and SSH agent protocols is not complete. For example, unlike gpg-agent, GNOME Keyring cannot retrieve keys from smart card hardware. Thus when GNOME Keyring hijacks the connection to gpg-agent, a user is left with no available key when the key is stored on the smart card. Also, you cannot make GNOME Keyring load SSH keys selectively.

On your GNOME/Unity desktop, if you want to rely on the original gpg-agent or ssh-agent, instead of GNOME Keyring, for all security operations, here is how you can disable GNOME Keyring permanently for a particular user.

First, copy the original desktop files for GNOME Keyring to ~/.config/autostart (create the directory first if it does not exist yet).

$ mkdir -p ~/.config/autostart
$ cd /etc/xdg/autostart
$ cp gnome-keyring-gpg.desktop gnome-keyring-ssh.desktop ~/.config/autostart

Then open each of these files with a text editor, and add the following line.

X-GNOME-Autostart-enabled=false

Log out and log back in to finalize.

Now GNOME Keyring should be deactivated for the logged-in user, and gpg-agent will manage the user's keys. When gpg-agent needs to ask the user for a GPG key passphrase, it will use a pinentry program (e.g., pinentry-gtk or pinentry-curses) instead.
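
The steps above as a script, added here as an example and not part of the original article. The function names are hypothetical; the script replaces an existing X-GNOME-Autostart-enabled line instead of appending a second one, and writes the key directly under the [Desktop Entry] header.

```shell
#!/bin/sh
# Added example: per-user override of the GNOME Keyring autostart entries.
# Function names are hypothetical; file names and paths are the article's.

# disable_keyring_autostart [SRC_DIR] [DST_DIR]
disable_keyring_autostart() {
    src=${1:-/etc/xdg/autostart}
    dst=${2:-$HOME/.config/autostart}
    mkdir -p "$dst" || return 1
    for name in gnome-keyring-gpg.desktop gnome-keyring-ssh.desktop; do
        # Skip a file the system does not ship.
        [ -f "$src/$name" ] || { echo "skip: $src/$name not found" >&2; continue; }
        # Drop any existing setting, then write the key right after the
        # [Desktop Entry] header so it cannot land in a later group.
        awk '
            /^X-GNOME-Autostart-enabled[ \t]*=/ { next }
            { print }
            /^\[Desktop Entry\]/ && !seen {
                print "X-GNOME-Autostart-enabled=false"; seen = 1
            }
        ' "$src/$name" > "$dst/$name.tmp" || return 1
        mv "$dst/$name.tmp" "$dst/$name" || return 1
    done
}

# is_disabled FILE: succeeds only if the override exists and carries
# exactly one X-GNOME-Autostart-enabled line, set to false.
is_disabled() {
    [ -f "$1" ] &&
    [ "$(grep -c '^X-GNOME-Autostart-enabled' "$1")" -eq 1 ] &&
    grep -qx 'X-GNOME-Autostart-enabled=false' "$1"
}

# With no arguments the function uses the directories from the article:
#   disable_keyring_autostart
#   is_disabled ~/.config/autostart/gnome-keyring-ssh.desktop && echo "override in place"
```

The files under /etc/xdg/autostart are left untouched, so deleting the copies in ~/.config/autostart restores the default behaviour for that user.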

Obviously, if you want to disable GNOME Keyring system-wide, you can make the above change directly in the original desktop files (/etc/xdg/autostart/gnome-keyring-*.desktop).