How to disable the keyring for SSH and GPG?
I would like to keep the keyring for the wifi and other stuff. I'm using Ubuntu 12.04.
First duplicate the file /etc/xdg/autostart/gnome-keyring-ssh.desktop into ~/.config/autostart/.
Then edit ~/.config/autostart/gnome-keyring-ssh.desktop in order to remove the following line:
NoDisplay=true
and to add the following line at the end:
X-GNOME-Autostart-enabled=false
This should disable SSH management when you restart your session.
To disable GPG, do the same with the file /etc/xdg/autostart/gnome-keyring-gpg.desktop.
In a terminal session (using Ctrl-Alt-T) you can stop the gnome-keyring process from working with ssh by using:
unset SSH_AUTH_SOCK
The --no-use-agent option is available to gpg to avoid using the gnome-keyring process with gpg, however that is the default.
You can stop the nautilus seahorse-tool from using the gpg-agent by using:
rm `echo $GPG_AGENT_INFO | sed s/:0:1//`
You can stop the gnome-keyring process completely with the command:
kill $GNOME_KEYRING_PID
Each of the above actions is restored by logging in again.
Wifi passwords available to all userids are stored in the /etc/NetworkManager/system-connections/ directory rather than being stored in your gnome keyring, so they can remain available if you kill the gnome-keyring process.
The ssh-add command can be used to delete (or add) specific keys from/to the current gnome-keyring while the keyring process is running.
Individual key passwords can be deleted from the login or other keyring using the Passwords tab of the Passwords and Keys program (seahorse).
If the gnome-keyring isn't present, ssh-agent will still be running, but it doesn't store gpg keys.
There are two lines in /etc/pam.d/lightdm involved with saving the login password and starting the gnome-keyring-daemon with the login keyring unlocked with the login password. The second starts the daemon:
session optional pam_gnome_keyring.so auto_start
Commenting out just this line would stop it from starting for all sessions of all users of your system using the login password to unlock the login keyring.
/etc/xdg/autostart/ contains start entries for various categories of secrets gnome-keyring can handle. To stop the daemon from starting these components, these files can be moved out of this directory. You can move all the gnome-keyring-* files to stop the daemon from starting or can simply refuse to supply the login password again to disable the login keyring while leaving the daemon running.
To stop gnome-keyring from starting its (broken) SSH agent on Ubuntu 16.04:
mkdir ~/.config/upstart || true
echo manual > ~/.config/upstart/gnome-keyring-ssh.override
# This step can be done with the gnome-session-properties tool
mkdir ~/.config/autostart || true
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo 'X-GNOME-Autostart-enabled=false' >> ~/.config/autostart/gnome-keyring-ssh.desktop
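The per-user override described in the answers above (copy the .desktop file, drop NoDisplay=true, append X-GNOME-Autostart-enabled=false), written as an added example that is not part of the original answers. The function names and the optional directory arguments are hypothetical, and the demo runs on a constructed sample file in a temporary directory rather than on the real /etc/xdg/autostart.

```shell
#!/bin/sh
# Added example: idempotent per-user autostart override for one
# gnome-keyring component. Usage (names are hypothetical):
#   disable_keyring_component ssh|gpg [system_dir] [user_dir]
disable_keyring_component() {
    comp=$1
    sys_dir=${2:-/etc/xdg/autostart}
    user_dir=${3:-$HOME/.config/autostart}
    src="$sys_dir/gnome-keyring-$comp.desktop"
    dst="$user_dir/gnome-keyring-$comp.desktop"

    [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$user_dir" || return 1

    # Always rebuild from the system file, dropping NoDisplay=true and any
    # existing enabled/disabled key, so a second run leaves no duplicates.
    tmp="$dst.tmp.$$"
    grep -v -e '^NoDisplay=true$' -e '^X-GNOME-Autostart-enabled=' "$src" > "$tmp" || true
    echo 'X-GNOME-Autostart-enabled=false' >> "$tmp"
    mv "$tmp" "$dst"
}

# Succeeds only if the user override exists, disables the component exactly
# once, and no longer carries NoDisplay=true.
keyring_component_disabled() {
    f="${2:-$HOME/.config/autostart}/gnome-keyring-$1.desktop"
    [ -f "$f" ] && [ "$(grep -c '^X-GNOME-Autostart-enabled=false$' "$f")" -eq 1 ] \
        && ! grep -q '^NoDisplay=true$' "$f"
}

# Demo on constructed sample data (not read from a real system).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sys"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=SSH Key Agent' \
        'Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh' \
        'NoDisplay=true' > "$d/sys/gnome-keyring-ssh.desktop"
    disable_keyring_component ssh "$d/sys" "$d/user" &&
        keyring_component_disabled ssh "$d/user" &&
        cat "$d/user/gnome-keyring-ssh.desktop"
    rm -rf "$d"
}
demo
```

Called with only the component name, the function works on the real directories named in the answers; the override takes effect at the next session login.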
With the current version of Ubuntu, changing the .desktop file mentioned in other answers is no longer sufficient. An additional upstart job was added that also starts gnome-keyring-daemon. The file is located in /usr/share/upstart/sessions/gnome-keyring.conf and contains:
eval "$(gnome-keyring-daemon --start)" >/dev/null
initctl set-env --global SSH_AUTH_SOCK=$SSH_AUTH_SOCK
initctl set-env --global GPG_AGENT_INFO=$GPG_AGENT_INFO
Here the daemon needs to be restricted to only provide some services by adding --components=pkcs11,secrets to the command line. The initctl lines can also be removed, resulting in:
eval "$(gnome-keyring-daemon --start --components=pkcs11,secrets)" >/dev/null