keyring isn't being unlocked at login, so apps can't access stored credentials and create new keyrings instead

[KrisKind75]

System details

Omarchy 3.1.7 ROG Zephyrus G16 GU605MZ_GU605MZ (1.0)

What's wrong?

[KrisKind75]

1 app after reboot always tries to make a new default keyring. Also 1Password needs 2-f authentification everytime for r/w.

[KrisKind75]

[ihazucha]

Did following to resolve:

1. Delete all existing keyrings and default (clear the folder)
2. Run:

bash .local/share/omarchy/install/login/default-keyring.sh

3. Check if SDDM service is running:

sudo systemctl status sddm.service

4. If no, run:

bash .local/share/omarchy/install/login/sddm.sh

5. Restart

The inconsistency most likely occured after update 3.1.0, if the keyrings have been tackled with. Didn't look further into it, but probably has something to do with the default keyring created using some manager like Seahorse, or the one created upon request by apps, that collided with the one created during install and unlocked by SDDM

[KrisKind75]

Thanks for the wonderfull reply! In my case it seems that sddm is not unlocking the keyring with the user password. I solved it by leaving the password blank.

[madebynoxc]

Looks like I have the exact same sddm issue. In my case, I get a request to enter the keyring password right after startup since proton bridge requests it. However, if I set keyring password to empty, I get a request for a new keyring password instead, just like you did.
Did you set password to empty just for keyring or for your Omarchy user?

[KrisKind75]

Only for the keyring, my omarchy user has a password

[4ndri]

I had a similar issue, apps always tried to create a new keyring. The reason was a corrupt entry in default keyring (caused by a proton app "proton-vpn-gtk-app", "proton-pass" or "proton-mail"). I removed the keyring entry and apps and it worked again.

[KrisKind75]

I did a fresh install of Omarchy, but as soon as i installed brave, the same problem occurred. Then i removed brave including the keyring entries and the ~/.config/brave-* dir and it worked again. Sounds similar to your experience with the proton app.

[KrisKind75]

BTW did u get the proton vpn working? i could get it working neither with the app nor with the new cli. I had to go the manual route with the wg command. Would be also thankful for advise regarding proton mail (I am using the web app for now).

[4ndri]

in this comment, the same issue with brave is mentioned: #3523 (reply in thread)

Unfortunately I couldn't get proton-vpn to work, have to use manual wireguard too. I haven't tried proton mail. But proton-pass-cli and proton-pass ui app (electron) works with keyring workaround (#3331 (comment)).

[brokenm7]

I managed to make ProtonVPN work with this repo https://github.com/blank-query/lazyVPN-for-Omarchy
no other packages were used

[thunderbird-93]

I think I have found a solution. Feel free to critique and offer improvements. It appears that unencrypted gnome-keyring uses ini file format. Some apps, Proton (VPN, Bridge) being notorious, store multi-line secrets. This renders keyring file unreadable by gnome-keyring. Vast majority of Linux users stick with encrypted keyring that unlocks with login password. Encrypted keyring format is not susceptible to the issue. Since Omarchy uses passwordless autologin we hit a corner case.

Here's how to switch to encrypted keyring that automatically unlocks on autologin. This solves keyring file corruption issue.

---

The Logic

Since your entire root filesystem (including /etc and /root) is encrypted by LUKS:

1. Any file stored on your hard drive is physically secured by your LUKS password.
2. The file cannot be read until you type your LUKS password at boot.
3. Once the kernel boots and mounts the drive, Root can read the file.

---

Step 1: Create the Secret Keyfile

We will generate a strong, random password and save it to a file that only Root can read.

1. Generate the key and save it to /etc/keyring_secret:

   # Generate 32 bytes of random data, base64 encoded, save to file
   sudo sh -c 'openssl rand -base64 32 > /etc/keyring_secret'

2. Lock down permissions:

   # Ensure ONLY root can read/write this.
   sudo chmod 600 /etc/keyring_secret
   sudo chown root:root /etc/keyring_secret

Step 2: Set GNOME Keyring to use this Secret

You need to update your keyring to use the content of that file as its password.

1. Read the secret so you can copy it:

   sudo cat /etc/keyring_secret

2. Select it and copy to clipboard
3. Open Passwords and Keys (Seahorse). Install if not present.
4. Right-click Login keyring -> Change Password.
5. Enter your old password (should be blank by default).
6. Paste the long string you copied as the New Password.

Step 3: Create the Unlock Script

Create and edit /usr/local/sbin/unlock-keyring-secure.sh:

#!/bin/bash

# Define your user and UID (1000 is the most common)
TARGET_USER="your_username"
USER_UID=1000
SECRET_FILE="/etc/keyring_secret"

# 1. Read the password from the locked-down file
# Only root can run this script, and only root can read that file.
if [ -f "$SECRET_FILE" ]; then
    PASS=$(cat "$SECRET_FILE")
else
    echo "Keyring secret file not found!"
    exit 1
fi

# 2. Inject into the user's keyring daemon
if [ -n "$PASS" ]; then
    runuser -u "$TARGET_USER" -- env XDG_RUNTIME_DIR="/run/user/$USER_UID" \
    sh -c "echo -n '$PASS' | gnome-keyring-daemon --unlock"
fi

Step 3.1: Make script executable

sudo chmod +x /usr/local/sbin/unlock-keyring-secure.sh

Step 4: Create and enable unlock service

/etc/systemd/system/keyring-unlock-root.service:

[Unit]
Description=Unlock User Keyring via Root File
# Wait until the user session is theoretically ready
After=user-runtime-dir@1000.service
Requires=user-runtime-dir@1000.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/unlock-keyring-secure.sh
User=root

[Install]
WantedBy=multi-user.target

Enable it:

sudo systemctl daemon-reload
sudo systemctl enable keyring-unlock-root.service

You may still be asked to unlock keyring at the next reboot. Copy password by running
bash sudo cat /etc/keyring_secret
Then tick autounlock on login box.

Profit!

[4ndri]

worked for me, thanks!

[KrisKind75]

thanks so much! worked for me too. Small comments: had to make /usr/local/sbin/unlock-keyring-secure.sh executable sudo chmod +x /usr/local/sbin/unlock-keyring-secure.sh. Plus if any1 comes from a fresh install you need to create a new keyring file name "Login" and make it default (either by rightclicking->Set as Default in a gui such as seahorse or by editing the file default in /home/user/.local/share/keyrings). The keyring file "Default Keyring" wont work.

[lukehowson]

Worked for me. Many thanks.

[NicolasDorier]

I found a workaround for brave I documented on #4302 (--password-store=basic)
However, have still issue with Ente Auth.

I will try what is commented here #3331 (comment)