diff --git a/hosts/common/programs/gnome-keyring/default.nix b/hosts/common/programs/gnome-keyring/default.nix
index 7e44652b..d4551567 100644
--- a/hosts/common/programs/gnome-keyring/default.nix
+++ b/hosts/common/programs/gnome-keyring/default.nix
@@ -8,7 +8,8 @@ in
 sandbox.method = "bwrap";
 sandbox.whitelistDbus = [ "user" ];
 sandbox.extraRuntimePaths = [
- "keyring/control"
+ "keyring" #< only needs keyring/control, but has to *create* that.
+ # "keyring/control"
 ];
 sandbox.capabilities = [
 # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
@@ -54,6 +55,7 @@ in
 wantedBy = [ "graphical-session.target" ];
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/gnome-keyring-daemon --start --foreground --components=secrets";
+ ExecStartPre = "${pkgs.coreutils}/bin/mkdir -m 0700 -p %t/keyring";
 Type = "simple";
 Restart = "always";
 RestartSec = "20s";
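Review bot: The widened entry in `sandbox.extraRuntimePaths` leaves a commented-out `# "keyring/control"` line behind, so the reason for exposing the whole directory is split between a trailing comment and dead code. Since the broader path is a deliberate least-privilege trade-off, I would drop the dead line and put the reason above the entry, e.g. `# whole dir rather than keyring/control: the daemon has to create the control socket itself`. If the sandbox needs the path to exist before it starts (not visible here), the comment should also say that the directory is pre-created by the `ExecStartPre` added in the second hunk. The enclosing attribute set starts and ends outside the hunk.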
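Review bot: `mkdir -m 0700 -p` in the added `ExecStartPre` applies the mode only to a directory it creates; if `%t/keyring` already exists with looser permissions, the command succeeds and leaves them unchanged. As this directory holds the keyring control socket, the mode should be enforced rather than requested, for example with `ExecStartPre = "${pkgs.coreutils}/bin/install -d -m 0700 %t/keyring";`, or by letting systemd own it via `RuntimeDirectory = "keyring";` and `RuntimeDirectoryMode = "0700";` if that is compatible with how the sandbox binds the path. Assuming this is a user unit, `%t` is the per-user runtime directory, so this is hardening rather than a fix for an open hole. `serviceConfig` continues past the end of the hunk.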