How to edit /etc/pam.d/sddm to unlock gnome-keyring at login


Jan 20, 2021
Hi, I have Mailspring on Kubuntu 21.04, but every time I open it a popup appears asking for the keyring password. After some research I found that the issue is that SDDM doesn't automatically unlock gnome-keyring at login (even with auto-login disabled), but it can be fixed by editing the "/etc/pam.d/sddm" configuration file. I also know that editing that file wrongly can lock you out of your system, so I want to do it only after being sure of what I am doing. This is the content of my sddm configuration file:


# Block login if they are globally disabled
auth    requisite
auth    required user != root quiet_success

# auth    sufficient user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional
-auth   optional

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] close
# Create a new session keyring.
session optional force revoke
session required
session required
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] open
-session optional auto_start
-session optional auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required

# Load environment from /etc/default/locale and ~/.pam_environment
session required envfile=/etc/default/locale user_readenv=1

I see that gnome-keyring is already mentioned in 2 lines:

-auth   optional


-session optional auto_start

How can I edit it to make it unlock gnome-keyring at login? Do I just have to remove the "-" before those 2 lines, or is there something else I have to do? Thanks in advance!

From what little I understand, even with PAM starting it at login, you still have to add a line for it to ~/.xprofile or a similar script that runs at start-up of your desktop in order for the gnome keyring to log in. gnome-keyring has 3 rings to unlock (secrets, ssh, and pkcs11), which are usually located in /etc/xdg/autostart/, but I do believe manipulating it will probably cause the daemon to crash. My advice would be not to do it.
You can:
1. Type and confirm a password.
2. Ignore: don't enter any password and hit continue instead. It'll warn you about that; hit continue again. This way, the keyring will have no password and will remain unlocked all the time, so it won't ask you for a password.
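
A read-only check for the question in this thread, added here as an example and not part of any post. In PAM configuration a leading "-" on a rule is not a comment: it only tells libpam not to log an error when the module file is missing, so a "-auth optional" line is already active if the module is installed. The sample file is constructed, and the module names in it (pam_gnome_keyring.so, pam_nologin.so, pam_selinux.so) are assumptions, since the posted file does not show them.

```python
import re

# Constructed sample shaped like the thread's /etc/pam.d/sddm.
# Module names are assumptions; the posted file does not show them.
SAMPLE = """\
auth    requisite pam_nologin.so
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional  pam_gnome_keyring.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#-session optional pam_gnome_keyring.so
-session optional pam_gnome_keyring.so auto_start
"""

# [-]type  control (word or [bracketed list])  module  args...
RULE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return active rules; comments, blank lines and @include are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@include")):
            continue
        m = RULE.match(line)
        if m:
            dash, kind, control, module, args = m.groups()
            rules.append({"type": kind, "control": control, "module": module,
                          "args": args.split(),
                          # "-" prefix: no log entry if the module is absent
                          "silent_if_missing": dash == "-"})
    return rules

def keyring_status(text, module="pam_gnome_keyring.so"):
    """Summarise how the keyring module is wired into one service file."""
    rules = [r for r in parse_pam(text) if r["module"].endswith(module)]
    session = [r for r in rules if r["type"] == "session"]
    return {
        "auth_active": any(r["type"] == "auth" for r in rules),
        "session_active": bool(session),
        "session_auto_start": any("auto_start" in r["args"] for r in session),
        # A required/requisite keyring rule could fail the whole login.
        "can_block_login": any(r["control"] in ("required", "requisite")
                               for r in rules),
    }

if __name__ == "__main__":
    print(keyring_status(SAMPLE))
```

To inspect a real system, pass the contents of the service file to `keyring_status()`; the script only reads text and changes nothing.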