
Fingerprint to unlock keyring on login

asked 2013-08-16 14:42:19 -0600 by heywhat

updated 2014-12-28 18:39:20 -0600 by mether

I have enrolled my fingerprint on a Thinkpad with fingerprint scanner. I can now swipe a finger to sudo, su and login etc.

However, if I swipe to login, a password box pops up anyway because the keyring needs to be unlocked so that NetworkManager can log on to the wifi network. If I log in with a password it is reused to unlock the keyring. Therefore it is quicker to log in by typing a password once than to swipe and then also type a password.

Is there some way of also unlocking the keyring when I swipe to login? One swipe should log me in and also unlock the keyring.


Thanks to feedback, I guess what's needed is the following:

  • a laptop with a TPM chip (thinkpad, + any modern laptop, due to trusted boot?)
  • the package trousers to talk to the TPM (seems to be installed by default)
  • a pam session module which decrypts your password with TPM and unlocks keyring/ssh keys

Running a command like:

repoquery --whatrequires trousers

...I see a bunch of packages which make use of the TPM chip, none of which look like pam modules. I guess this doesn't exist in Fedora. Has anyone written this software? Does this all look right?

There also needs to be some kind of UI such that when you enroll your fingerprint you are also asked for your password, which is then encrypted with a key stored in the TPM.

All of the above also applies to other auth methods, such as the external keys newly integrated for F20: any way you authenticate that does not involve typing in your password immediately involves typing in your password anyway, since access to the network, and therefore to your keyring, is a prerequisite for doing anything useful.


1 Answer


answered 2013-08-24 14:34:44 -0600 by hroncok

The passwords in the keyring are stored encrypted. Your keyring master password is used to encrypt them. Without the master password, nobody (or nothing) can read the passwords stored there. That's for security reasons: if the passwords were stored in plaintext, root might read them, or any app could read all passwords.

While it is technically possible to compare fingerprints, i.e. compare the fingerprint of the user who tries to log in with all fingerprints stored in the system, it is technically impossible to get your password from the print and use it to decrypt the passwords of the user who runs the app.

One solution is to decrypt your passwords with the fingerprint, but that would mean that you cannot unlock the keyring with a password anymore. Also, it is almost impossible to generate something (a number, a string) from the fingerprint that stays the same for every scan (and is unique enough to be used for encryption).

The other solution is to use an empty/no password for the keyring and let it be unlocked without a password. But that way, your passwords would be stored in plaintext (or another easily readable form). If you really want to do that, do it in seahorse: in the View dropdown, select By Keyring. On the Passwords tab, right click on Passwords: login and pick Change password. Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by pushing Use Unsafe Storage. [The seahorse how-to is quoted from ArchWiki.]

Basically that means you have to choose between security and comfort. As usual.

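The following is an added example, not code from this thread, from Fedora or from gnome-keyring. It models in standard-library Python the two designs discussed above: the answer's description of the keyring (entries encrypted under a key derived from the master password, a fingerprint scan that never hashes the same twice and so cannot be that key, and an empty master password meaning plaintext storage), and the question's proposed PAM session step that releases a copy of the login password sealed to a TPM-held key after a fingerprint login and uses it to unlock the keyring. The "TPM" here is a hypothetical in-memory key, the cipher is a toy HMAC-SHA256 keystream with a MAC, and none of the class or function names correspond to real gnome-keyring or PAM APIs.

```python
"""Added example, not code from the Ask Fedora thread, Fedora or GNOME.

Models the keyring described in the answer and the TPM-sealed-password PAM
session step proposed in the question. Assumptions (not on the page):
TPM_SEALING_KEY stands in for a key that never leaves the TPM, and the
cipher is a toy HMAC-SHA256 keystream, not the real gnome-keyring format.
"""
import hashlib
import hmac
import os
import secrets

# Hypothetical stand-in for a key held inside the TPM (assumption).
TPM_SEALING_KEY = secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Keyring:
    """Entries are ciphertext under PBKDF2(master password, salt). An empty
    master password stores them in the clear, i.e. 'Use Unsafe Storage'."""

    def __init__(self, master_password: str):
        self.salt = os.urandom(16)
        self.unsafe = master_password == ""
        self._key = None if self.unsafe else self._derive(master_password)
        self.store = {}

    def _derive(self, master_password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.salt, 100_000)

    def add(self, name: str, secret: str) -> None:
        data = secret.encode()
        self.store[name] = data if self.unsafe else seal(self._key, data)

    def lock(self) -> None:
        self._key = None

    def unlock(self, master_password: str) -> None:
        # A wrong password is only detected when an entry fails its MAC check.
        self._key = None if self.unsafe else self._derive(master_password)

    def get(self, name: str) -> str:
        if self.unsafe:
            return self.store[name].decode()
        if self._key is None:
            raise PermissionError("keyring is locked")
        return unseal(self._key, self.store[name]).decode()

    def raw(self, name: str) -> bytes:
        """What root, or any local process reading the file, would see."""
        return self.store[name]


def fingerprint_key(scan: bytes) -> bytes:
    """What 'use the print as the key' would amount to: any scan noise
    changes every bit of the result, so no two scans give the same key."""
    return hashlib.sha256(scan).digest()


def enroll_fingerprint_unlock(login_password: str) -> bytes:
    """Enrollment step from the question: seal the login password to the TPM key."""
    return seal(TPM_SEALING_KEY, login_password.encode())


def pam_session_open(auth_method: str, typed_password, sealed_password: bytes) -> str:
    """Hypothetical PAM session step: return the password the keyring needs.
    After a password login it is the typed password; after a fingerprint
    login it is released from the TPM-sealed copy made at enrollment."""
    if auth_method == "password":
        return typed_password
    if auth_method == "fingerprint":
        return unseal(TPM_SEALING_KEY, sealed_password).decode()
    raise ValueError("unknown auth method")
```

The caveat the design carries is visible in `enroll_fingerprint_unlock`: the login password now exists as a sealed blob on disk, and anything that can drive the TPM key on that machine (in this model, anything in the process) can recover it, so the keyring is only as strong as the TPM's release policy rather than the password alone. The `Keyring("")` path shows the other option from the answer: `raw()` returns the secret itself.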


Last updated: Aug 25 '13