Comment 14 for bug 400484

You should use both, pam_keyinit.so first, so that each log-in session gets its own session keyring. The kernel will, under some circumstances, give you a session keyring if you don't have one and are falling back to the user-session keyring - any call which modifies a keyring, for example, if given the session keyring special ID will create the session keyring if it does not exist.