gog-systemd-keyring-setup.md
gog + OpenClaw (systemd) keyring setup
This documents how to make gog work non-interactively when invoked by the OpenClaw Gateway running as a systemd user service.
Problem
You can run gog fine in an interactive shell (because ~/.bashrc / ~/.profile is loaded), but OpenClaw still prompts:
Enter passphrase to unlock "~/.config/gogcli/keyring"
Reason: the OpenClaw Gateway is launched by systemd, and systemd does not source your shell rc files. So any export ... you added to ~/.bashrc won’t be present when OpenClaw runs gog.
Solution (recommended)
Use gog’s encrypted file keyring with env vars, and inject them into the OpenClaw systemd unit via EnvironmentFile=.
1) Configure gog to use file keyring
gog auth keyring file
This writes:
~/.config/gogcli/config.json containing:
{ "keyring_backend": "file" }
2) Create an env file for gog
Create a locked-down env file for systemd to read:
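mkdir -p ~/.config/gogcli
# Create the file with mode 600 before the passphrase is written into it,
# so it is never readable by other users, even briefly.
touch ~/.config/gogcli/env
chmod 600 ~/.config/gogcli/env
cat > ~/.config/gogcli/env <<'EOF'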
# Environment for gog when invoked non-interactively (e.g., by OpenClaw systemd service)
GOG_KEYRING_BACKEND=file
# Set this to the passphrase you chose for gog's encrypted file keyring.
# IMPORTANT: no quotes, no `export`. Example:
# GOG_KEYRING_PASSWORD=correct horse battery staple
GOG_KEYRING_PASSWORD=your-passphrase-here
EOF
chmod 600 ~/.config/gogcli/env
Important:
- The file must use plain KEY=value lines.
- Do not write export GOG_KEYRING_PASSWORD=... (systemd will ignore it as an invalid assignment).
3) Attach the env file to the OpenClaw Gateway systemd service
Create a systemd drop-in:
mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d
cat > ~/.config/systemd/user/openclaw-gateway.service.d/override.conf <<'EOF'
[Service]
EnvironmentFile=%h/.config/gogcli/env
EOF
Reload systemd and restart the Gateway:
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway
Verification
Confirm the service is active
systemctl --user is-active openclaw-gateway
Confirm systemd is loading the env file
systemctl --user show openclaw-gateway --property=EnvironmentFiles --property=Environment
(You may not see the password value printed, depending on systemd settings.)
Confirm gog runs non-interactively
gog auth list --json --no-input
If the password is wrong/missing, this will fail (or prompt if --no-input isn’t used). With the setup above, it should succeed without prompting.
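A pre-flight check for the env file, as an added example that is not part of the original document or of gog, OpenClaw or systemd. check_env_file is a hypothetical helper name; it checks the 600 mode and the plain KEY=value rules from step 2 without printing any value, and the sample file is constructed.

```shell
#!/bin/sh
# check_env_file is a hypothetical helper, not part of gog, OpenClaw or systemd.
# It lints a file meant for EnvironmentFile= and never prints a value from it.
check_env_file() (
    file=$1 rc=0 n=0
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }

    # Group/other access would expose the keyring passphrase to other accounts.
    mode=$(stat -c '%a' "$file")    # GNU/busybox stat, as found on systemd hosts
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too open; run chmod 600" >&2; rc=1 ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            'export '*)
                echo "line $n: starts with 'export'; systemd will ignore it" >&2
                rc=1; continue ;;
        esac
        key=${line%%=*}
        case $key in
            "$line"|''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "line $n: not a plain KEY=value assignment" >&2; rc=1 ;;
        esac
        if [ "$line" = 'GOG_KEYRING_PASSWORD=your-passphrase-here' ]; then
            echo "line $n: placeholder passphrase was never replaced" >&2; rc=1
        fi
    done < "$file"
    return "$rc"
)

# Constructed sample: world-readable and written in shell syntax.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'GOG_KEYRING_BACKEND=file' \
    'export GOG_KEYRING_PASSWORD=constructed-sample-value' > "$demo"
chmod 644 "$demo"
check_env_file "$demo" || echo "env file rejected (exit $?)"
rm -f "$demo"
```

Run check_env_file ~/.config/gogcli/env before restarting the Gateway; exit status 0 means the file passed, 1 means at least one finding, 2 means the file is missing.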
Notes / gotchas
- ~/.bashrc changes don’t affect systemd services.
- Prefer this EnvironmentFile= approach over hardcoding env vars directly in the unit file.
- Keep ~/.config/gogcli/env permissions tight (chmod 600).