Bug#987298: gdm3: Fails to unlock GNOME keyring when multiple attempts were needed to unlock LUKS

Simon McVittie smcv at debian.org
Thu Apr 22 09:37:15 BST 2021

On Wed, 21 Apr 2021 at 08:33:01 +0200, intrigeri at debian.org wrote:
> On LUKS-encrypted systems, by default the GNOME keyring is encrypted
> using the LUKS passphrase typed on boot. pam_gdm unlocks the keyring
> using that passphrase. So far, so good.

Does testing this require any particular system configuration, for example
enabling autologin in gdm, or having the logging-in user's Unix password
be the same as the LUKS passphrase, or having LUKS v2 rather than LUKS v1?

If you're successfully using this on a real system, it would save me some
time if you could describe how to reproduce it on a fresh installation
(VM or real hardware).

All my bullseye systems that run on real hardware (and therefore need
LUKS) were upgraded from buster or earlier, so I don't have any fresh
installations with LUKS at the moment.

> On current sid, pam_gdm uses the _first_ passphrase that was typed on
> boot.
> The upstream fix is self-contained and seems very simple. May we
> consider including it in Bullseye?

We'd have to ask the release team, but I don't see why not - but we'll
need to know how to test it.


More information about the pkg-gnome-maintainers mailing list