How to disable the keyring for SSH and GPG?
First duplicate the file /etc/xdg/autostart/gnome-keyring-ssh.desktop into ~/.config/autostart/.
Then edit ~/.config/autostart/gnome-keyring-ssh.desktop in order to remove the following line:
NoDisplay=true
and to add the following line at the end:
X-GNOME-Autostart-enabled=false
This should disable SSH management when you restart your session.
To disable GPG, do the same with the file /etc/xdg/autostart/gnome-keyring-gpg.desktop.
In a terminal session (using Ctrl-Alt-T) you can stop the gnome-keyring process from working with ssh by using:
unset SSH_AUTH_SOCK
The --no-use-agent option is available to gpg to avoid using the gnome-keyring process with gpg, however that is the default.
You can stop the nautilus seahorse-tool from using the gpg-agent by using:
rm `echo $GPG_AGENT_INFO | sed s/:0:1//`
You can stop the gnome-keyring process completely with the command:
kill $GNOME_KEYRING_PID
Each of the above actions is restored by logging in again.
Wifi passwords available to all userids are stored in the /etc/NetworkManager/system-connections/ directory rather than being stored in your gnome keyring, so they can remain available if you kill the gnome-keyring process.
The ssh-add command can be used to delete (or add) specific keys from/to the current gnome-keyring while the keyring process is running.
Individual key passwords can be deleted from the login or other keyring using the Passwords tab of the Passwords and Keys program (seahorse).
If the gnome-keyring isn't present, ssh-agent will still be running, but it doesn't store gpg keys.
There are two lines in /etc/pam.d/lightdm involved with saving the login password and starting the gnome-keyring-daemon with the login keyring unlocked with the login password. The second starts the daemon:
session optional pam_gnome_keyring.so auto_start
Commenting out just this line would stop it from starting for all sessions of all users of your system using the login password to unlock the login keyring.
/etc/xdg/autostart/ contains start entries for various categories of secrets gnome-keyring can handle. To stop the daemon from starting these components, these files can be moved out of this directory. You can move all the gnome-keyring-* files to stop the daemon from starting or can simply refuse to supply the login password again to disable the login keyring while leaving the daemon running.
To stop gnome-keyring from starting its (broken) SSH agent on Ubuntu 16.04:
mkdir ~/.config/upstart || true
echo manual > ~/.config/upstart/gnome-keyring-ssh.override
# This step can be done with the gnome-session-properties tool
mkdir ~/.config/autostart || true
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart
echo 'X-GNOME-Autostart-enabled=false' >> ~/.config/autostart/gnome-keyring-ssh.desktop
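
Added example, not taken from any of the answers above: the per-user autostart override for the ssh or gpg component written as a repeatable function, with a check that the override is in place. The function names and the optional source/destination directory arguments are hypothetical; they exist so the procedure can be tried on a constructed copy before touching ~/.config/autostart.

```shell
#!/bin/sh
# Added example: build the per-user override that disables one
# gnome-keyring autostart component ("ssh" or "gpg").
# Arguments 2 and 3 are hypothetical conveniences for testing on a copy.

disable_keyring_component() {
    component=$1
    src_dir=${2:-/etc/xdg/autostart}
    dst_dir=${3:-$HOME/.config/autostart}
    name="gnome-keyring-$component.desktop"

    [ -r "$src_dir/$name" ] || { echo "missing $src_dir/$name" >&2; return 1; }
    mkdir -p "$dst_dir" || return 1

    # Start from the system entry every time, dropping NoDisplay=true and
    # any existing enabled flag, so repeated runs never stack duplicate
    # X-GNOME-Autostart-enabled lines the way a plain ">>" append would.
    tmp=$(mktemp "$dst_dir/.$name.XXXXXX") || return 1
    sed -e '/^NoDisplay=true$/d' \
        -e '/^X-GNOME-Autostart-enabled=/d' \
        "$src_dir/$name" > "$tmp" || { rm -f "$tmp"; return 1; }
    echo 'X-GNOME-Autostart-enabled=false' >> "$tmp"
    chmod 644 "$tmp"
    # Rename into place so the session never reads a half-written file.
    mv "$tmp" "$dst_dir/$name"
}

# Returns 0 only when the override exists, carries exactly one
# "enabled=false" line, and no longer hides itself with NoDisplay=true.
keyring_component_disabled() {
    f="${2:-$HOME/.config/autostart}/gnome-keyring-$1.desktop"
    [ -f "$f" ] || return 1
    [ "$(grep -c '^X-GNOME-Autostart-enabled=false$' "$f")" -eq 1 ] || return 1
    ! grep -q '^NoDisplay=true$' "$f"
}
```

Calling disable_keyring_component ssh (and again with gpg) applies it to the real directories; as with the manual steps, it takes effect at the next session start.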