Gpg / ssh / gnome keyring recommendation

brnix · July 8, 2024, 8:11am

Hi there.

I’m running sway with greetd and I’ve been running into all kinds of issues around gnome keyring, ssh keys, etc.

I’m looking for recommendations/clarification on the following:

gnome keyring: home manager or nix config options? Currently it doesn’t unlock reliably. I think hm is the way to go enabling and setting the components.
ssh keys (don’t want to enter password): does adding ssh to the gnome keyring components negate the need for ssh-agent, or gpg-agent with ssh enabled?
or do I need to still configure one of the agents?
I see options to add greetd to the pam coming, but also sometimes see “login” also added. Not sure if that’s needed.
I have been looking at other configurations, and I see people combining all the above, and then at times also adding eval for the keyring daemon, sometimes setting env vars, etc. what’s “actually” needed?

I appreciate the clarification.

brnix · July 8, 2024, 7:11pm

Here are a few more details:

I disabled ssh-agent as I want to use the ssh-agent built into gnome keyring
I have my keyring unlocking
sidenote: pretty sure it is working as my 1password 2fa is stored successfully
I can see the gnome keyring ssh-agent auto loading my keys from my ~/.ssh folder as expected (when I look in seahorse)
SSH_AUTH_SOCK is properly set to /run/user/1000/keyring/ssh

❯ echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh

according to the arch wiki, ssh-add should still work, but it is not.

❯ ssh-add ~/.ssh/id_ed25519
Error connecting to agent: No such file or directory

The same wiki also mentions using /usr/lib/seahorse/ssh-askpass my_key to add it permanently. But when using the ssh-askpass on nixos, it prompts for the password, but then just exists, and echos the entered password in my terminal.

Any suggestions?

brnix · July 8, 2024, 8:03pm

I am wondering if it is related to the GCR changes in gnome keyring. Trying to build out the service and socket files.

yonson · August 16, 2024, 5:03am

Did you get to the bottom of this? I have a similar setup and issue.

brnix · August 17, 2024, 4:50am

Unfortunately, no. I had to revert to Gnome for now while I continued to work on the setup. I needed it to " just work."

yonson · August 19, 2024, 3:05am

I am pretty convinced gnome keyring is just packaged without ssh support these days, but doesn’t fail in a very clear way that would convey it.

brnix · September 16, 2024, 10:38pm

Could be, but does work under Gnome.

guttermonk · March 24, 2025, 10:59pm

I just got gnome-keyring working with ssh and lazygit. Running hyprland and greetd. Here are my notes:

Check relevant environment variables. My vars look like this with the working config.
$ env | grep SSH
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
SSH_ASKPASS=

Make sure the remote connections’ URL starts with ssh instead of https:
git remote -v

If it isn’t set to ssh, set it to ssh with the following:
git remote set-url origin git@github.com:YOUR_GIHUB_USERNAME/YOUR_REPO_NAME.git

Start the ssh-agent in the background:
eval “$(ssh-agent -s)”
Agent pid 109777 #agent is running

Add your ssh private key to the ssh-agent:
ssh-add $HOME/.ssh/id_rsa

Add ssh-agent plugin to my bash/zsh:
plugins=(git ssh-agent)

Source the config:
source $HOME/.bashrc or $HOME/.zshrc

Nix Config

programs.seahorse.enable = true;
services.gnome.gnome-keyring.enable = true;
security.pam.services = {
  greetd.enableGnomeKeyring = true;
  greetd-password.enableGnomeKeyring = true;
  login.enableGnomeKeyring = true;
  };
};
services.dbus.packages = [ pkgs.gnome-keyring pkgs.gcr ];

Check if the daemon is running in btop/htop:
/run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets

Per reddit, if the daemon isn’t running, add the following:

    services.xserver = {
      displayManager.sessionCommands = ''
        eval $(gnome-keyring-daemon --start --daemonize --components=ssh,secrets)
        export SSH_AUTH_SOCK
      '';

If the daemon is running, you may only need to add:

    services.xserver = {
      displayManager.sessionCommands = ''
        export SSH_AUTH_SOCK
      '';

You can also add eval $(/run/wrappers/bin/gnome-keyring-daemon --start --components=ssh) to your shell init script or start it separately with a systemd user service.

Lastly, configure git per the wiki below. Also good to reboot before testing to make sure all your changer were loaded correctly. Good luck, brave traveler.

Useful links:

Guide to setup & restore ssh keys
NixOS Wiki: Git
Arch Wiki: SSH
Arch Wiki: gnome-keyring

jtojnar · March 25, 2025, 8:04am

Not yet. But hopefully, it will in 25.05:

github.com/NixOS/nixpkgs

Replace gnome-keyring ssh-agent by gcr and implement NixOS module

NixOS:master ← nezia1:replace-gnome-keyring-with-gcr

opened 01:18AM - 06 Feb 25 UTC

nezia1

+46 -12

This PR effectively deprecates `gnome-keyring`, in favor of `gcr`, that has been… [deprecated since version 1.46.0](https://gitlab.gnome.org/GNOME/gnome-keyring/-/commit/25c5a1982467802fa12c6852b03c57924553ba73). A new option has been added under `services.gnome.gcr-ssh-agent.enable` in order to set it up. Fixes #140824 - `gcr_4` has been updated to build with the ssh agent - `gnome-keyring` has been updated to completely remove the now deprecated ssh component - An option has been added, under `services.gnome.gcr-ssh-agent.enable`, which effectively sets up systemd services and `SSH_AUTH_SOCK` Since this PR adds a GNOME module, I also want to make sure the GNOME team approves of it.  ## Things done - Built on platform(s) - [x] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [x] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [ ] `sandbox = true` - [x] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [x] Tested basic functionality of all binary files (usually in `./result/bin/`) - [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).  --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc