If you’ve used the automatic login feature in Ubuntu or any other Linux distribution, you’ve probably encountered a pop-up message like this:

Please enter your password to unlock your login keyring

The login keyring was not unlocked when you logged on to the system.

If you keep clicking cancel, it will pop up several times before it disappears. You might be wondering, why do you keep seeing this keyring message?

Let me tell you. It’s not really a bug, it’s a security feature.

Strange? Let me explain the concept of keyring in Linux.

What is a keyring in Linux? Why is it needed?

Why do you use a key ring in real life? You use it to string together one or more keys for easy carrying and searching.

It’s similar in Linux. The keyring feature allows your system to put various passwords together and keep them in one place.

Most Linux desktop environments, such as GNOME, KDE, Xfce, etc., use GNOME keyrings to provide this functionality.

This key contains SSH keys, GPG keys, and keys for applications that use this feature (such as Chromium browser). By default, the keyring is protected by a master password, which is usually the login password for the account.

Each user on the system has his or her own keyring, with (usually) the same password as the user account itself. When you log in with a password, your keyring will unlock automatically using your account password.

There is a problem when you enable automatic login in Ubuntu. This means you don’t need to enter a password to log in. In this case, your keyring will not unlock automatically.

A key ring is a security feature

Remember I said the keyring is a security feature? Now imagine that you have automatic login enabled on your Linux computer. Anyone with access to your computer can get into your system without a password. But you probably won’t care because you’re just using it to access the Internet.

However, if you use a browser like Chromium or Google Chrome in Ubuntu and use it to save login passwords to various websites, you’re going to run into trouble. Anyone can use a browser and log in using the password you saved in the browser. Isn’t it dangerous?

That’s why when you use Chrome, it will repeatedly prompt you to unlock the keyring first. This ensures that only those who know the keyring password (that is, the account password) can use the password saved in the browser to log in to their associated sites.

If you repeatedly cancel the prompt to unlock the keyring, it will eventually disappear and allow you to use the browser. However, saved passwords will not be unlocked and you will see “sync pause” on the Chromium/Chome browser.

If the keyring has always existed, why have you never seen it?

If you’ve never seen it on your Linux system, this is a fair question.

If you’ve never used automatic login (or changed your account password), you probably didn’t even realize it existed.

This is because when you log in with your password, your keyring is automatically unlocked by your account password.

Ubuntu (and other distributions) require passwords to perform common administrative tasks such as changing users, installing new software, etc., whether you are automatically logged in or not. But for everyday tasks like using a browser, it doesn’t need to enter a password because the keyring is already unlocked.

When you switch to automatic login, you no longer need to enter a login password. This means that the keyring is not automatically unlocked, so when you use a browser that leverages the keyring feature, it will prompt you to unlock the keyring.

You can easily manage keyrings and passwords

Where is the keyring? At its heart is a daemon task (a program that runs automatically in the background).

Don’t worry about it. You don’t need a terminal to operate daemon tasks. Most desktop environments come with a graphical application that can interact with this daemon. There are KDE wallets on KDE, GNOME and other desktops called “Passwords and Keys” (formerly Seahorse).

You can use this GUI program to see which applications are using keyrings to manage/protect passwords.

As you can see, my system has an automatic login keyring. There is also a keyring for storing GPG and SSH keys. That certificate is used to hold certificates issued by certificate authorities (such as HTTPS certificates).

You can also use this app to manually save passwords for websites. For example, I created a new password-protected keyring called “Test” and manually stored a password.

This is better than keeping a batch of passwords in a text file. At least in this case, your password is only allowed to be seen if you unlock the keyring with your password.

There is a potential problem here, if you format your system, manually saved passwords will inevitably be lost. Usually, you will back up your personal files, but not all user-specific data, such as keyring files.

There is a way to solve it. Key ring data is usually stored in ~/. Local /share/keyrings. Here you can see all the keyrings, but you can’t see their contents directly. If you remove the password from the keyring (which I’ll describe later in this article), you can read the contents of the keyring just like a normal text file. You can copy the unlocked keyring file in its entirety and import it by running the Password and Keys application on another Linux machine.

To summarize what we’ve learned so far:

  • Most Linux systems have the keyring feature installed and enabled by default
  • Each user on the system has his own keyring
  • The keyring is usually locked with the account password.
  • The keyring is automatically unlocked when you log in with a password
  • For automatic login, the keyring will not be unlocked automatically, so you will be prompted to unlock it first when you try to use an application that relies on the keyring
  • Not all browsers or applications take advantage of the keyring feature
  • Install a GUI program that interacts with the keyring
  • You can use a keyring to manually store passwords in encrypted format
  • You can change the keyring password yourself
  • You can retrieve manually saved passwords by exporting them (unlocking the keyring first) and importing them to another computer.

Example Change the password of a key ring

Suppose you change your account password. When you log in, your system tries to unlock the keyring automatically with the new login password. But the keyring still uses the old login password.

In this case, you can change the keyring password to the new login password so that the password ring is automatically unlocked when you log in to the system.

Open the Password and Keys application from the menu:

Right-click on the “Login” key ring and click “Change Password” :

What if you can’t remember your old login password?

You probably know how easy it is to reset a forgotten password on Ubuntu. But the keyring is problematic in this scenario. You have changed the account password, but you cannot remember the old account password that is still used by the keyring.

You can’t change it because you don’t know the old password. How to do?

In this case, you will have to remove the entire keyring. You can do this with the Password and Key app:

It prompts you to confirm:

Alternatively, you can manually delete the keyring files in ~/. Local /share/keyrings.

When you open Chrome/Chromium again after the old keyring file has been removed, it will prompt you to create a new keyring.

You can use the new login password and the keyring will be unlocked automatically.

Disable keyring password

You can disable keyring passwords as a way of getting around this if you want to use automatic login but don’t want to manually unlock the keyring. Remember that you are disabling a security feature, so think again.

The procedure is similar to modifying a key ring. Open the Password and Keys application, and change the keyring password.

The trick is not to enter a new password when it prompts you to change it, but to click the “Continue” button. This removes the password for the keyring.

This way, the key ring is not password protected and will remain unlocked.


Via: itsfoss.com/ubuntu-keyr…

By Abhishek Prakash (Lujun9972

This article is originally compiled by LCTT and released in Linux China