KeePassXC as SSH agent with auto-login using GNOME Keyring

KeePassXC has built-in SSH agent support; it only needs to be enabled. Start KeePassXC, go to Tools –> Settings –> SSH Agent, tick the "Enable SSH Agent" checkbox, click OK and restart KeePassXC.

Now create a new entry: put the passphrase of your SSH private key into the Password field, then attach the private key file under Advanced –> Attachments. Finally switch to the "SSH Agent" tab and select that attachment. For the keys you use daily, tick "Add key to agent when database is opened" and also "Remove key from agent when database is closed/locked", so the keys disappear from the agent again whenever the database is locked.

From now on, the key is loaded into the agent and usable without any further passphrase prompt as soon as you start KeePassXC and unlock your database.

But since we are lazy, let's make it even more comfortable. In KeePassXC go to Tools –> Settings –> General and enable "Minimize window at application startup" and, at the bottom, "Show a system tray icon" as well as "Hide window to system tray when minimized".

Now that KeePassXC only shows up as a system tray icon when it is started, let's make sure it is started automatically after we log in to our GNOME session.

First we need to add the master password to the GNOME keyring, so it is stored encrypted there and can be used to unlock our database automatically. The login keyring itself is unlocked with your login password when you log in, which is what makes the rest work without another prompt. secret-tool asks for the password interactively (it is not passed on the command line); `keepass <dbname>` is the attribute/value pair we later use to look it up again:

sudo apt install libsecret-tools
secret-tool store --label="KeePass <dbname>" keepass <dbname>

Now that this is done, create the following script, make it executable, replace the path to your database file and add it to your Startup Applications in GNOME:

#!/bin/bash
# setup:
# sudo apt install libsecret-tools
# secret-tool store --label="KeePass safe" keepass safe

function start(){
  success=1
  cntr=0
  # this loop helped making the re-opening of the database after a screen unlock more reliable:
  # right after an unlock the keyring is sometimes not available yet, so retry for about a minute
  while [ $success -gt 0 ]; do
    pwd=$(secret-tool lookup keepass safe)
    success=$?
    if [ $success -gt 0 ]; then
      sleep 5
      cntr=$((cntr + 1))
      if [ $cntr -gt 12 ]; then
        notify-send 'Keepass Autolaunch' 'Could not get the master key from the GNOME keyring, starting KeePassXC with locked DB'
        keepassxc ~/path/to/keepass_file.kdbx >/dev/null 2>/dev/null &
        return
      fi
    fi
  done
  # the password is passed via stdin, so it never shows up on the command line or in ps
  printf '%s\n' "$pwd" | keepassxc --pw-stdin ~/path/to/keepass_file.kdbx >/dev/null 2>/dev/null &
}

start

# register dbus-monitor script to unlock keepass after unlocking a gnome session:
# on every unlock, kill the running instance and start it again with the password from the keyring
gdbus monitor -y -d org.freedesktop.login1 |
  while read -r x; do
    if echo "$x" | grep -q "'LockedHint': <false>"; then
      killall keepassxc
      start
    fi
  done >/dev/null 2>/dev/null &

Sources: dAnjou for the keyring part, Stack Exchange for running a command when a session is unlocked.

Finally log out and log back in to your GNOME session. A small KeePassXC icon should appear in the system tray and you should be able to log in to all hosts that accept your SSH key without entering another password. Keep in mind that the whole chain (keyring, database, SSH keys) now rests on your login password, so make sure it is a strong one :)

On one of my machines I got an error message which was a bit confusing, as it looked like a secret-tool error message but actually has its roots in the D-Bus library. I then remembered that this was one of the machines where I had implemented a workaround for the broadcast function of Terminator, because it doubled every keystroke when broadcasting to other terminals. In this workaround I had set $DBUS_SESSION_BUS_ADDRESS to an empty string, which turned out to be the cause of the issue. My solution was to simply run the secret-tool command in a different terminal emulator than Terminator, since the workaround only affects Terminator sessions.
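The autostart script above silently depends on two things going right: secret-tool reaching the keyring over the session bus (the Terminator problem just described) and the grep on the gdbus monitor output actually matching what logind prints. The following preflight script is an added example, not part of the original page or of KeePassXC/libsecret; the function names, the reason codes, the `--run` guard and the sample monitor lines are my own assumptions, and the database path is the placeholder used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks for the
# KeePassXC autostart setup. Function names, messages, reason codes and the
# sample lines below are my own assumptions, not KeePassXC or libsecret APIs.

KDBX="${KDBX:-$HOME/path/to/keepass_file.kdbx}"   # placeholder path from the page

# secret-tool talks to gnome-keyring over the D-Bus session bus. An empty or
# malformed DBUS_SESSION_BUS_ADDRESS (as set by the Terminator workaround
# described above) makes libsecret fail with what looks like a secret-tool
# error. Takes an optional address argument for testing; returns 0 if usable.
check_session_bus() {
  addr="${1-${DBUS_SESSION_BUS_ADDRESS-}}"
  case "$addr" in
    unix:*|tcp:*|nonce-tcp:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when one line of `gdbus monitor -y -d org.freedesktop.login1`
# reports the session as unlocked; this is exactly the condition the
# autostart script keys on. Lock events and unrelated lines return 1.
is_session_unlock_event() {
  printf '%s\n' "$1" | grep -q "'LockedHint': <false>"
}

# Counts unlock events in a batch of monitor lines read from stdin, so the
# grep can be validated against the real output of your logind version.
count_unlock_events() {
  n=0
  while IFS= read -r line; do
    if is_session_unlock_event "$line"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Live checks (need a desktop session). Returns 0 when ready, otherwise:
#   1 = session bus not usable   2 = secret-tool missing
#   3 = keepassxc missing        4 = database file not readable
#   5 = master key not stored under the attributes 'keepass safe'
run_preflight() {
  check_session_bus || { echo "DBUS_SESSION_BUS_ADDRESS is unset, empty or malformed" >&2; return 1; }
  command -v secret-tool >/dev/null 2>&1 || { echo "secret-tool missing, install libsecret-tools" >&2; return 2; }
  command -v keepassxc  >/dev/null 2>&1 || { echo "keepassxc not found in PATH" >&2; return 3; }
  [ -r "$KDBX" ] || { echo "database not readable: $KDBX" >&2; return 4; }
  # lookup prints the secret on stdout; discard it, only the exit status matters here
  secret-tool lookup keepass safe >/dev/null 2>&1 || { echo "no 'keepass safe' entry in the keyring" >&2; return 5; }
  echo "preflight ok: $KDBX"
}

# Constructed sample lines approximating gdbus monitor output for a screen
# lock followed by an unlock (session object path and values are made up).
SAMPLE_LOCK="/org/freedesktop/login1/session/_32: org.freedesktop.DBus.Properties.PropertiesChanged ('org.freedesktop.login1.Session', {'LockedHint': <true>}, @as [])"
SAMPLE_UNLOCK="/org/freedesktop/login1/session/_32: org.freedesktop.DBus.Properties.PropertiesChanged ('org.freedesktop.login1.Session', {'LockedHint': <false>}, @as [])"

if [ "${1-}" = "--run" ]; then
  run_preflight
fi
```

Run it as `./preflight.sh --run` from the same kind of terminal you will use for `secret-tool store`; a reason code of 1 is the Terminator case from the paragraph above. To confirm the unlock detection against your own logind, lock and unlock the screen while running `timeout 60 gdbus monitor -y -d org.freedesktop.login1 | count_unlock_events` from a shell that has sourced the script; it should print 1.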

  • keepass_as_ssh_agent_with_auto-login_using_gnome_keyring.txt
  • Last modified: 01.07.2021 08:51
  • by Pascal Suter