Saving keys and passwords in Sway with Gnome Keyring
Posted on 2026-03-15
With the Sway WM, you get a very sparse compositor (the Wayland equivalent of a window manager) and a lot of possibilities. Right out of the box, it is often just configured to open a terminal and navigate between windows and virtual desktops. But in daily use, I do miss a lot of the niceties of a more polished desktop. I usually end up coming up with solutions to these myself, which suits me fine!
One example of this is a keyring. A keyring is a program that saves "secrets",
like encryption keys and passwords, and provides them to applications without
you having to take action. If you've ever used ssh-agent in a console
session to save your SSH keys, you've used a rudimentary keyring app!
This comes with a lot of more full-featured desktops, but Sway leaves it up to
the user. After looking at some of the possibilities, I ended up going with
gnome-keyring-daemon for a few reasons:
- Minimal footprint; it didn't need a bunch of other Gnome dependencies
- Many of the other options were small projects on GitHub, and I get queasy trusting small projects for my keys and passwords
- I had accidentally installed it already somehow
- The GUI for managing the gnome keyring is called "Seahorse". Tell me that doesn't make you smile, without really understanding why they named it that.
I was attempting this feat in Debian Trixie. One nicety was that the Gnome keyring was already running as a systemd service - not something I ordinarily would welcome, but in this case it was a little helpful. While it was running, none of my secrets were getting stored or presented to applications. The keyring apps apparently work on a series of backroom deals and handshake agreements... in this case, very particular environment variables!
The two applications I have experience with both can set their own environment variables, if you treat them right.
- SSH agent:
  eval "$( ssh-agent )"
- Gnome keyring:
  eval "$( gnome-keyring-daemon -s )"
So, that's how I get the environment variables set... but where should this be run?
With Sway, and most other DIY desktops/compositors/window managers, environment variables are set by the display manager. A display manager is usually what logs you in - either automatically, or by letting you type in your username and password. I use greetd, with the tuigreet front end, which makes things easy. The tuigreet front end lets you specify the command you want to run, so I switched it to a bash script that launches sway after setting some environment variables.
Here is the full script:
#!/usr/bin/env bash
# Pulled directly from the Arch wiki - seems smart
export XDG_SESSION_TYPE=wayland
export XDG_SESSION_DESKTOP=sway
export XDG_CURRENT_DESKTOP=sway
# Pulled from the greetd wiki
export MOZ_ENABLE_WAYLAND=1
export QT_QPA_PLATFORM=wayland
export SDL_VIDEODRIVER=wayland
export _JAVA_AWT_WM_NONREPARENTING=1
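# This adds gnome keyring support to Sway.
# -s (--start) prints NAME=value lines without "export", so the variables
# are exported explicitly below to reach sway and everything it launches.
eval "$( gnome-keyring-daemon -s 2>/dev/null )"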
export GNOME_KEYRING_CONTROL
export SSH_AUTH_SOCK
exec sway "$@"
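The script above runs `eval` on whatever `gnome-keyring-daemon -s` prints, so every line of that output is executed as shell code in the session launcher. As an added example (not code from the original post), the function below applies only the two variables the script exports; `import_keyring_env` and the sample output are constructed for illustration, and it assumes the daemon prints plain NAME=value lines.

```bash
# Added example (not from the original post): import the keyring variables
# without eval. Assumes the daemon prints one NAME=value line per variable.

# import_keyring_env OUTPUT
# Export only the variables the session script uses, and only when the
# value is an absolute path made of ordinary path characters.
import_keyring_env() {
    while IFS= read -r kr_line; do
        kr_name=${kr_line%%=*}
        kr_value=${kr_line#*=}
        case "$kr_name" in
            GNOME_KEYRING_CONTROL|SSH_AUTH_SOCK) ;;
            *) continue ;;                        # unexpected name: ignore
        esac
        case "$kr_value" in
            /*) ;;
            *) continue ;;                        # not an absolute path
        esac
        case "$kr_value" in
            *[!A-Za-z0-9._/-]*) continue ;;       # spaces, quotes, ';', '$', ...
        esac
        export "$kr_name=$kr_value"
    done <<EOF
$1
EOF
}

# In the session script this would replace the eval line (not run here):
#   import_keyring_env "$( gnome-keyring-daemon -s 2>/dev/null )"

# Constructed sample output, so the example runs without the daemon.
sample_output='GNOME_KEYRING_CONTROL=/run/user/1000/keyring
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
UNEXPECTED_NAME=/tmp/anything'

import_keyring_env "$sample_output"
echo "GNOME_KEYRING_CONTROL=$GNOME_KEYRING_CONTROL"
echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
```

Because `export` is applied inside the function, the separate `export GNOME_KEYRING_CONTROL` and `export SSH_AUTH_SOCK` lines are no longer needed when this replaces the `eval`.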