Disable GNOME Keyring on Ubuntu

The GNOME Keyring can be really annoying especially when you have never even asked it to track your passwords for you. It can keep popping up over and over each time you kill it. It can be difficult to remove due to how many things depend on the package and the number of different ways in which it can be started.

My fix to disable GNOME keyring on Ubuntu :

• Move the original binary out of the way.
• Create a replacement file that does nothing.
• Make that file executable so things that call it don’t break.
• Reboot to make sure.

sudo mv /usr/bin/gnome-keyring-daemon /usr/bin/gnome-keyring-daemon.bak 
sudo touch /usr/bin/gnome-keyring-daemon
sudo chmod a+rx /usr/bin/gnome-keyring-daemon
sudo reboot

This has worked for me and hasn’t caused any issues yet.

Why? Other Options?

Potential Fixes:

• Disable in systemd ( could still be started by D-Bus or other things )
• Disable / remove D-Bus config ( could still be started by systemd or other things )
• Overwrite the binary ( dirty cheating but effective )
• Remove the gnome-keyring package ( too many things depend on it )
• Use the system settings GUI. ( might work but I’m not even running GNOME and don’t want to mess with it )

You can’t just remove the package because far too much depends on it.

It could be started by:

• D-Bus ( any client that talks to this )
• systemd
• PAM

Why was this hard to find?

• I don’t understand systemd user services well enough.
• The dbus service itself was being launched as a systemd user service.
• The gnome-keyring was being launched directly by dbus instead of directory by systemd.
• There was still a systemd user service for gnome-keyring that was disabled.

What I Checked

When checking systemd for system services related to the keyring nothing is found:

systemctl list-units --type=service | grep -i keyring

Some Googling lead me to the hint that it might be run by dbus as a systemd user service. It turns out that this was actually disabled though. You can check its status like this:

systemctl --user status gnome-keyring

You can find the status for the user instance of D-Bus here. It shows that one of the services running under it is gnome-keyring.

systemctl --user status dbus

D-Bus has configuration files for services in the directory listed below. These files tell D-Bus what to do when a service is requested. These are not systemd config files but may specify which systemd service to launch.

/usr/share/dbus-1/services

D-Bus will launch services when a client requests that a message be sent to that service. It may attempt to start that service even if it is disabled. In the case above it looks like D-Bus was actually calling the gnome-keyring binary directly and not even trying to start the systemd service.

You can see these services:

user1@zippy-zap:~$ ls /usr/share/dbus-1/services|grep keyring
org.gnome.keyring.PrivatePrompter.service
org.gnome.keyring.service
org.gnome.keyring.SystemPrompter.service

They look like this:

user1@zippy-zap:~$ cat /usr/share/dbus-1/services/org.gnome.keyring.service
[D-BUS Service]
Name=org.gnome.keyring
Exec=/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
user1@zippy-zap:~$ 

More Details on Disabling the GNOME Keyring on Ubuntu

There are two different systemd processes that may start the keyring:

/lib/systemd/systemd –user	systemd proc that launches user services
/sbin/init	top level systemd process (symlink)

There are also at least two different D-Bus instances. There is a system D-Bus instance and a user D-Bus instance. The user instance is what launches the gnome-keyring.

Here is the gnome-keyring-daemon running directory from systemd ( ppid 1 ):

user1@zippy-zap:~$ ps -ef |grep -i ring
user1       1480       1  0 12:27 ?        00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
user1       2538    2274  0 12:28 pts/1    00:00:00 grep --color=auto -i ring
user1@zippy-zap:~$ 

Note that init is a symlink pointing to systemd and that this is process 0.

user1@zippy-zap:~$ ps -ef | awk '{ if( $2 == 1 ) { print $8 } }'
/sbin/init
user1@zippy-zap:~$ ls -l /sbin/init
lrwxrwxrwx 1 root root 20 Jul 21 15:00 /sbin/init -> /lib/systemd/systemd
user1@zippy-zap:~$ 

Here is the gnome-keyring running from the systemd proc that launches user services ( ppid 1541 in this case ):

user1@zippy-zap:/usr/share/dbus-1/services$ ps -ef |grep -i gnome-keyring
user1     432977    1541  0 Nov26 ?        00:00:01 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
user1     983213  868456  0 11:27 pts/2    00:00:00 grep --color=auto -i gnome-keyring

Here is the systemd user service process which runs directly under the main systed service:

user1@zippy-zap:/usr/share/dbus-1/services$ ps -ef |grep -i 1541
user1       1541       1  0 Nov24 ?        00:00:00 /lib/systemd/systemd --user
user1       1542    1541  0 Nov24 ?        00:00:00 (sd-pam)
...
...

The GNOME Keyring Package

These packages were installed on my system.

user1@zippy-zap:/usr/share/dbus-1/services$ dpkg -l |grep -i gnome-keyring
ii  gnome-keyring                                 3.36.0-1ubuntu1                       amd64        GNOME keyring services (daemon and tools)
ii  gnome-keyring-pkcs11:amd64                    3.36.0-1ubuntu1                       amd64        GNOME keyring module for the PKCS#11 module loading library
ii  libpam-gnome-keyring:amd64                    3.36.0-1ubuntu1                       amd64        PAM module to unlock the GNOME keyring upon login
user1@zippy-zap:/usr/share/dbus-1/services$ 

Here I check which files were associated with one of these packages. A large number of these contain a command calling the keyring binary sometimes with different parameters. These seem to be spread all over the place.

user1@zippy-zap:/usr/share/dbus-1/services$ dpkg -L gnome-keyring
/.
/etc
/etc/xdg
/etc/xdg/autostart
/etc/xdg/autostart/gnome-keyring-pkcs11.desktop
/etc/xdg/autostart/gnome-keyring-secrets.desktop
/etc/xdg/autostart/gnome-keyring-ssh.desktop
/usr
/usr/bin
/usr/bin/gnome-keyring-3
/usr/bin/gnome-keyring-daemon
/usr/lib
/usr/lib/systemd
/usr/lib/systemd/user
/usr/lib/systemd/user/gnome-keyring-ssh.service
/usr/lib/systemd/user/gnome-keyring.service
/usr/lib/systemd/user/graphical-session-pre.target.wants
/usr/lib/ubiquity
/usr/lib/ubiquity/target-config
/usr/lib/ubiquity/target-config/50gkd-caps
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/gnome-keyring
/usr/lib/x86_64-linux-gnu/gnome-keyring/devel
/usr/lib/x86_64-linux-gnu/gnome-keyring/devel/gkm-gnome2-store-standalone.so
/usr/lib/x86_64-linux-gnu/gnome-keyring/devel/gkm-secret-store-standalone.so
/usr/lib/x86_64-linux-gnu/gnome-keyring/devel/gkm-ssh-store-standalone.so
/usr/lib/x86_64-linux-gnu/gnome-keyring/devel/gkm-xdg-store-standalone.so
/usr/share
/usr/share/GConf
/usr/share/GConf/gsettings
/usr/share/GConf/gsettings/org.gnome.crypto.cache.convert
/usr/share/dbus-1
/usr/share/dbus-1/services
/usr/share/dbus-1/services/org.freedesktop.impl.portal.Secret.service
/usr/share/dbus-1/services/org.freedesktop.secrets.service
/usr/share/dbus-1/services/org.gnome.keyring.service
/usr/share/doc
/usr/share/doc/gnome-keyring
/usr/share/doc/gnome-keyring/AUTHORS
/usr/share/doc/gnome-keyring/NEWS.gz
/usr/share/doc/gnome-keyring/README
/usr/share/doc/gnome-keyring/README.Debian
/usr/share/doc/gnome-keyring/changelog.Debian.gz
/usr/share/doc/gnome-keyring/copyright
/usr/share/glib-2.0
/usr/share/glib-2.0/schemas
/usr/share/glib-2.0/schemas/org.gnome.crypto.cache.gschema.xml
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/gnome-keyring-daemon.1.gz
/usr/share/man/man1/gnome-keyring.1.gz
/usr/share/xdg-desktop-portal
/usr/share/xdg-desktop-portal/portals
/usr/share/xdg-desktop-portal/portals/gnome-keyring.portal
/usr/bin/gnome-keyring
/usr/lib/systemd/user/graphical-session-pre.target.wants/gnome-keyring-ssh.service
/usr/lib/systemd/user/graphical-session-pre.target.wants/gnome-keyring.service
/usr/share/man/man1/gnome-keyring-3.1.gz