Unlocking GNOME Keyring with Full Disk Encryption and Automatic Login under NixOS

For a few years now I've been using the GNOME desktop environment on my private laptop running Linux. The login setup I like to use is to have full disk encryption using LUKS and automatic login to my main user upon boot. This means that when I boot my machine, I have to type in my password to decrypt my drive, and then I'm directly logged in and greeted by the GNOME shell without having to type my password twice.

Fedora Silverblue

Before I moved to NixOS some weeks ago, I was using Fedora (specifically Fedora Silverblue). There the configuration for this setup was very easy. All you had to do was navigate to the System/Users section in GNOME settings and activate the Automatic Login toggle:

The image shows the "System/Users" section of GNOME settings with activated "Automatic Login" toggle.

NixOS

Under NixOS we want to configure the login behavior in our configuration.nix file. The relevant lines are the following:

{
  services.displayManager.autoLogin.enable = true;
  services.displayManager.autoLogin.user = "jdw";
}

Of course, jdw has to be replaced by the username of the user we want to log in as. With these lines automatic login works fine. The problem one soon discovers is that if you use GNOME Keyring to store passwords, for example for the Evolution email client, the keyring is not unlocked upon boot, even if only the default keyring is used and the keyring password is the same as the user and LUKS password. In a discussion on the NixOS Discourse the following two lines were mentioned, but they didn't solve the problem for me:

{
  security.pam.services.gdm.enableGnomeKeyring = true;
  security.pam.services.gdm-password.enableGnomeKeyring = true;
}

It took a lot of browsing to stumble upon this Reddit comment, which remarked that in order for the LUKS password to be reused as the GNOME Keyring password, one needs to have systemd enabled in the initrd. In NixOS this is achieved by putting

{
  boot.initrd.systemd.enable = true;
}

in the configuration.nix. With this, everything works as expected. My complete GNOME module, which I import in my configuration.nix, looks like this:

{ config, pkgs, ... }:

{
  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable GNOME and gnome display manager
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.displayManager.gdm.enable = true;

  # don't install all the GNOME apps
  services.gnome.core-utilities.enable = false;

  # Enable automatic login for the user.
  services.displayManager.autoLogin.enable = true;
  services.displayManager.autoLogin.user = "jdw";
  # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
  systemd.services."getty@tty1".enable = false;
  systemd.services."autovt@tty1".enable = false;

  # Enable GNOME keyring
  # https://discourse.nixos.org/t/login-keyring-did-not-get-unlocked-hyprland/40869/14
  security.pam.services.gdm.enableGnomeKeyring = true;
  security.pam.services.gdm-password.enableGnomeKeyring = true;
  # the following line is needed so that the LUKS password can be used to unlock GNOME keyring
  boot.initrd.systemd.enable = true;
}
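
To confirm after a rebuild and reboot that the setup behaves as described, the following diagnostic (an added example, not part of the original post or the author's configuration) checks that a PAM service file loads pam_gnome_keyring.so in its auth and session stages and asks the Secret Service for the lock state of the login keyring. The script name, the verdict strings, the default path /etc/pam.d/gdm-password (derived from the gdm-password service above) and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. In the GNOME session after a
# reboot: sh keyring-check.sh --live [pam-file]; without arguments: demo.

# List the PAM stages (auth, session, ...) in which a service file loads
# pam_gnome_keyring.so, skipping comment lines and the optional "-" prefix.
keyring_pam_stages() {
  awk '!/^[ \t]*#/ && /pam_gnome_keyring\.so/ { sub(/^-/, "", $1); print $1 }' "$1" | sort -u
}

# busctl prints a boolean property as "b true" or "b false".
keyring_state() {
  case "$1" in
    "b false") echo unlocked ;;
    "b true")  echo locked ;;
    *)         echo unknown ;;
  esac
}

# $1 = PAM service file, $2 = busctl output for the collection's Locked property.
diagnose() {
  stages=$(keyring_pam_stages "$1" | tr '\n' ' ')
  case "$(keyring_state "$2"):$stages" in
    unlocked:*)             echo ok ;;
    locked:*auth*session*)  echo locked-despite-hooks ;;  # symptom described in the post
    unknown:*auth*session*) echo state-unknown ;;         # Secret Service not reachable
    *)                      echo pam-hooks-missing ;;
  esac
}

# Constructed sample: keyring hooks present in PAM, keyring still locked.
demo() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample' 'auth optional pam_gnome_keyring.so' \
    '-session optional pam_gnome_keyring.so auto_start' > "$f"
  diagnose "$f" "b true"
  rm -f "$f"
}

if [ "${1:-}" = "--live" ]; then
  # Secret Service object path of gnome-keyring's "login" collection.
  out=$(busctl --user get-property org.freedesktop.secrets \
    /org/freedesktop/secrets/collection/login \
    org.freedesktop.Secret.Collection Locked 2>/dev/null) || out=""
  diagnose "${2:-/etc/pam.d/gdm-password}" "$out"
else
  demo
fi
```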

You can have a look at my complete NixOS configuration at Codeberg.