Is the Keyring auto-login unlock with LUKS passphrase broken/removed?

I swear this used to work but now it apparently doesn’t any more?

With Fedora at least, it used to be that if you installed with LUKS encryption and enabled auto-login, it’d set your keychain passphrase as your LUKS one, and fetch it at boot so the keychain would still be unlocked on startup/autologin.

Now, it seems to instead set the keychain password as the user login phrase you enter during the first boot setup wizard, and no matter what I do, it won’t unlock with auto login now.

I’ve installed seahorse, and tried both manually changing the keychain passphrase back to the LUKS one, and also changing the user/login passphrase to match the LUKS and keychain one. I’ve even tried a totally fresh installation (on both 36 and 37), with all passwords set exactly the same.

What gives? Was this deliberately changed (I can’t find any reference to it)? Because it’s super annoying.

(No, don’t tell me to set it to have no password, that’s stupid insecure, and yeah, I’m aware of the bug where PAM would capture incorrect passwords if you typed them in first - that’s not what’s going on here)

I don’t think so. Your keyring password needs to match your user account password or it won’t auto-unlock.

The trick is to make sure your user account password matches your LUKS passphrase. They’ve got to be the same. When they’re the same, everything will work properly.

The future strategy will be to use home directory encryption instead of LUKS, plus some separate encryption for /etc and /var, so that LUKS becomes a corner case that is no longer important. I don’t think we’ll ever be able to make LUKS user-friendly enough to be a default. :frowning:

Dude, read the post properly. I literally tried exactly this.

Also this 100% was NOT the case on my previous installation, I know for a fact the user and LUKS passwords were different. But Keyring unlocked fine with autologin.

Other people agree: Reddit - Dive into anything

You’re going to need to report a bug I suppose. Let me ask around to find the right place to start.

I just did a F37 system update to ensure I have all the latest packages, and it’s still working fine for me, so at least it didn’t break for existing installations…

Bump.

Tested this on 3 different machines now, and it seems to be confirmed by other users.

If there is no cryptsetup key in the keyring, as mentioned in Is the Keyring auto-login unlock with LUKS passphrase is broken/removed? - #16 by ne0l - Ask Fedora, the problem does not seem to be on the gnome side.

Thanks, so in plain terms, what you’re saying is Fedora’s mechanism to pick the LUKS passphrase up at boot isn’t working?

I’m not familiar enough with how this works (or is supposed to work) on Fedora and which components are involved in ensuring the password ends up in the kernel keyring by the time the GDM PAM module tries to read it, so I don’t want to point to anything specifically.

there was recently a rhel bug 2150649 – systemd, luks, gdm-autologin, pam_gnome_keyring interaction pass-through of credential where gdm was missing a buildrequires on keyutils. i’m afk atm so can’t check, but it’s possible fedora has the same bug

EDIT: oh i was misremembering. it wasn’t a missing buildreq but too old a version of keyutils. i guess this problem is different for sure
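
The hand-off discussed in the last few posts (a `cryptsetup` key in the kernel keyring, read by the GDM PAM module before `pam_gnome_keyring` runs) can be checked with a short script. This is an added example, not something posted in the thread. It assumes the key is of type `user`, cached under root's user keyring (so run it as root), that the modules are named `pam_gdm.so` and `pam_gnome_keyring.so`, and that the autologin PAM file is `/etc/pam.d/gdm-autologin`.

```shell
#!/usr/bin/env bash
# Added diagnostic, not from the thread. Assumed: key type "user", description
# "cryptsetup", and the default PAM path below. Run as root: "bash check.sh --run"

# 0 = key found in the caller's user keyring, 1 = absent or expired,
# 2 = keyctl (keyutils) not installed. Only existence is tested; the
# payload (the passphrase) is never read or printed.
cryptsetup_key_present() {
    command -v keyctl >/dev/null 2>&1 || return 2
    keyctl search @u user cryptsetup >/dev/null 2>&1
}

# Print the auth-stack module names in file order. Commented-out lines are
# skipped; bracketed controls such as [success=ok default=1] are handled by
# taking the first field that ends in ".so".
auth_modules() {
    awk '$1 ~ /^-?auth$/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /\.so$/) { n = split($i, p, "/"); print p[n]; break }
         }' "$1"
}

# 0 if pam_gdm.so comes before pam_gnome_keyring.so in the auth stack,
# 1 if either module is missing or the order is reversed.
pam_stack_ok() {
    local gdm ring
    gdm=$(auth_modules "$1" | grep -n -x -F 'pam_gdm.so' | head -n1 | cut -d: -f1)
    ring=$(auth_modules "$1" | grep -n -x -F 'pam_gnome_keyring.so' | head -n1 | cut -d: -f1)
    [ -n "$gdm" ] && [ -n "$ring" ] && [ "$gdm" -lt "$ring" ]
}

if [ "${1:-}" = "--run" ]; then
    pam=${2:-/etc/pam.d/gdm-autologin}
    cryptsetup_key_present
    case $? in
        0) echo "kernel keyring: cryptsetup key present" ;;
        1) echo "kernel keyring: no cryptsetup key (never cached, or expired)" ;;
        2) echo "kernel keyring: keyctl not found, install keyutils" ;;
    esac
    if pam_stack_ok "$pam"; then
        echo "$pam: pam_gdm.so precedes pam_gnome_keyring.so"
    else
        echo "$pam: pam_gdm.so or pam_gnome_keyring.so missing or out of order"
    fi
fi
```

A missing key with a correct PAM stack points at the boot-time side of the hand-off; a present key with a broken stack points at the GDM/PAM side.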