Gpg / ssh / gnome keyring recommendation

Hi there.

I’m running sway with greetd and I’ve been running into all kinds of issues around gnome keyring, ssh keys, etc.

I’m looking for recommendations/clarification on the following:

  • gnome keyring: home manager or nix config options? Currently it doesn’t unlock reliably. I think hm is the way to go enabling and setting the components.
  • ssh keys (don’t want to enter password): does adding ssh to the gnome keyring components negate the need for ssh-agent, or gpg-agent with ssh enabled?
  • or do I need to still configure one of the agents?
  • I see options to add greetd to the pam coming, but also sometimes see “login” also added. Not sure if that’s needed.
  • I have been looking at other configurations, and I see people combining all the above, and then at times also adding eval for the keyring daemon, sometimes setting env vars, etc. what’s “actually” needed?

I appreciate the clarification. :+1:

Here are a few more details:

  • I disabled ssh-agent as I want to use the ssh-agent built into gnome keyring
  • I have my keyring unlocking
  • sidenote: pretty sure it is working as my 1password 2fa is stored successfully
  • I can see the gnome keyring ssh-agent auto loading my keys from my ~/.ssh folder as expected (when I look in seahorse)
  • SSH_AUTH_SOCK is properly set to /run/user/1000/keyring/ssh

        ❯ echo $SSH_AUTH_SOCK
        /run/user/1000/keyring/ssh

  • according to the arch wiki, ssh-add should still work, but it is not.

        ❯ ssh-add ~/.ssh/id_ed25519
        Error connecting to agent: No such file or directory

  • The same wiki also mentions using /usr/lib/seahorse/ssh-askpass my_key to add it permanently. But when using the ssh-askpass on nixos, it prompts for the password, but then just exits, and echoes the entered password in my terminal.

Any suggestions?

I am wondering if it is related to the GCR changes in gnome keyring. Trying to build out the service and socket files.

Did you get to the bottom of this? I have a similar setup and issue.

Unfortunately, no. I had to revert to Gnome for now while I continued to work on the setup. I needed it to " just work."

I am pretty convinced gnome keyring is just packaged without ssh support these days, but doesn’t fail in a very clear way that would convey it.

Could be, but does work under Gnome.

I just got gnome-keyring working with ssh and lazygit. Running hyprland and greetd. Here are my notes:

Check relevant environment variables. My vars look like this with the working config.
$ env | grep SSH
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
SSH_ASKPASS=

Make sure the remote connections’ URL starts with ssh instead of https:
git remote -v

If it isn’t set to ssh, set it to ssh with the following:
git remote set-url origin git@github.com:YOUR_GITHUB_USERNAME/YOUR_REPO_NAME.git

Start the ssh-agent in the background:
eval "$(ssh-agent -s)"
Agent pid 109777  # agent is running

Add your ssh private key to the ssh-agent:
ssh-add $HOME/.ssh/id_rsa

Add ssh-agent plugin to my bash/zsh:
plugins=(git ssh-agent)

Source the config:
source $HOME/.bashrc or $HOME/.zshrc

Nix Config

programs.seahorse.enable = true;
services.gnome.gnome-keyring.enable = true;
security.pam.services = {
  greetd.enableGnomeKeyring = true;
  greetd-password.enableGnomeKeyring = true;
  login.enableGnomeKeyring = true;
};
services.dbus.packages = [ pkgs.gnome-keyring pkgs.gcr ];

Check if the daemon is running in btop/htop:
/run/wrappers/bin/gnome-keyring-daemon --start --foreground --components=secrets

Per reddit, if the daemon isn’t running, add the following:

    services.xserver = {
      displayManager.sessionCommands = ''
        eval $(gnome-keyring-daemon --start --daemonize --components=ssh,secrets)
        export SSH_AUTH_SOCK
      '';
    };

If the daemon is running, you may only need to add:

    services.xserver = {
      displayManager.sessionCommands = ''
        export SSH_AUTH_SOCK
      '';
    };

You can also add eval $(/run/wrappers/bin/gnome-keyring-daemon --start --components=ssh) to your shell init script or start it separately with a systemd user service.

Lastly, configure git per the wiki below. Also good to reboot before testing to make sure all your changes were loaded correctly. Good luck, brave traveler.

Useful links:

Guide to setup & restore ssh keys
NixOS Wiki: Git
Arch Wiki: SSH
Arch Wiki: gnome-keyring
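A small diagnostic for the "Error connecting to agent: No such file or directory" failure reported earlier in the thread, added here as an example and not taken from any poster or from the gnome-keyring project. It classifies the socket named by SSH_AUTH_SOCK (set but nonexistent, present but nothing listening, reachable but empty) using ssh-add's documented exit codes (0 keys listed, 1 agent has no identities, 2 cannot contact the agent); the status words, the hints and the file name agent-check.sh are my own choices.

```shell
#!/bin/sh
# agent-check.sh: why does ssh-add say it cannot connect to the agent?
# Save under this name and run it; functions can also be sourced and called directly.

# Classify the agent socket given as $1 (defaults to $SSH_AUTH_SOCK).
# Prints one word: unset | missing | not-a-socket | no-ssh-add | unreachable | empty | ok
agent_status() {
  sock="${1:-$SSH_AUTH_SOCK}"
  if [ -z "$sock" ]; then echo unset; return 1; fi
  if [ ! -e "$sock" ]; then echo missing; return 1; fi
  if [ ! -S "$sock" ]; then echo not-a-socket; return 1; fi
  if ! command -v ssh-add >/dev/null 2>&1; then echo no-ssh-add; return 1; fi
  # ssh-add -l exits 0 with keys, 1 when the agent holds no identities, 2 when it cannot connect.
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
  case $? in
    0) echo ok; return 0 ;;
    1) echo empty; return 0 ;;
    *) echo unreachable; return 1 ;;
  esac
}

# Map a status word to the thing worth checking next (wording is my own).
hint_for() {
  case "$1" in
    unset)        echo "SSH_AUTH_SOCK is not exported into this session; export it from the session command or shell init" ;;
    missing)      echo "no agent created that socket: the keyring daemon ran without the ssh component, or the path is stale" ;;
    not-a-socket) echo "the path exists but is not a unix socket" ;;
    no-ssh-add)   echo "ssh-add is not on PATH, so the agent cannot be queried from here" ;;
    unreachable)  echo "the socket file exists but nothing listens on it; the daemon that created it has exited" ;;
    empty)        echo "agent reachable but holds no keys; run ssh-add or check that the keyring loaded ~/.ssh" ;;
    ok)           echo "agent reachable and keys are loaded" ;;
    *)            echo "unknown status" ;;
  esac
}

main() {
  s=$(agent_status "$@")
  echo "socket: ${1:-${SSH_AUTH_SOCK:-<unset>}}"
  echo "status: $s"
  echo "hint:   $(hint_for "$s")"
}

# Only run main when executed as agent-check.sh, not when sourced.
if [ "${0##*/}" = "agent-check.sh" ]; then main "$@"; fi
```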

Not yet. But hopefully, it will in 25.05:
