KDE Wallet

From ArchWiki

KDE Wallet Manager is a tool to manage passwords on the KDE Plasma system. Using the KWallet subsystem allows a user to keep their own secrets, and also gives them access to the passwords stored by every application that integrates with KWallet.

A wallet (in KDE's terminology sometimes also called a vault or keyring) is an encrypted volume protected by a user-defined password where the user and/or software can store secrets (often credentials, when the user checked "Remember the account" in an application). Those vaults can be created and used manually by the user, or created and used automatically in the background by software that integrates with the wallet subsystem (e.g. mail applications or games). Vaults are often decrypted automatically at user login using a PAM module (see below).

Tips:

  • If you only need to have a wallet available for applications using it, it is suggested to use the default name (i.e. kdewallet) and the same password as the user account (required for PAM unlocking).
  • Wallets are stored as encrypted files using the .kwl extension in the ~/.local/share/kwalletd directory by default.
Note: Since KDE Frameworks 5.97.0, KDE Wallet supports the org.freedesktop.secrets D-Bus API and can therefore be used by libsecret for storing and retrieving passwords and other secrets through the Secret Service API.

Installation

KDE Wallet is often shipped with the KDE Plasma desktop environment. The wallet subsystem can be manually installed with the kwallet package.

Optionally install the kwalletmanager package for the wallet management tool. This tool can be used to graphically create and manage a KDE Wallet.

Configuration

Unlock KDE Wallet automatically on login

To unlock KDE Wallet automatically on login, install kwallet-pam for the PAM compatible module. The chosen KWallet password must be the same as the current user password.

Note:
  • kwallet-pam is not compatible with GnuPG-encrypted wallets; the KDE Wallet must use the standard Blowfish encryption.
  • When using autologin, the wallet can only be unlocked if the autologin method saves the password. pam_autologin does, for example.
  • The wallet cannot be unlocked when using a fingerprint reader to log in.
  • The wallet must be named kdewallet (the default name). The module does not unlock any other wallet(s).
  • If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each use (Wi-Fi passphrase unlock, etc.).
  • It may be necessary to remove the default wallet first, which removes all stored entries.
  • If the kwallet Migration Assistant asks for a password after every login, rename or delete the ~/.kde4/share/apps/kwallet folder.
Tip: An alternative is to use KWalletManager and set an empty KWallet password, which removes the need to enter a password to unlock the wallet: simply leave both fields empty in Change Password... This may however lead to unwanted (read/write) access to the user's wallet. Enabling Prompt when an application accesses a wallet under Access Control is highly recommended to prevent unwanted access to the wallet.

Configure PAM

The following lines must be present under their corresponding sections:

auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start

Edit the PAM configuration corresponding to your situation:

  • For SDDM no further edits should be needed because the lines are already present in /etc/pam.d/sddm.
  • For LightDM no further edits should be needed because the lines are already present in /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin.
  • For GDM edit /etc/pam.d/gdm-password accordingly.
  • For greetd edit /etc/pam.d/greetd accordingly.
  • For unlocking on tty login (no display manager, or a text-mode greeter such as greetd-tuigreet), edit /etc/pam.d/login accordingly. You will need to specify the force_run parameter.
/etc/pam.d/login
auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start force_run
/etc/pam.d/greetd
#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_kwallet5.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_kwallet5.so auto_start force_run
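A quick way to verify that a PAM service file actually carries the two lines above (a commented-out line, a missing auto_start, or a missing force_run on a tty login are easy to overlook). This is an added example, not part of the ArchWiki page; check_pam_kwallet is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: verify that a PAM service file
# carries the two pam_kwallet5.so lines described above.
# Usage: check_pam_kwallet /etc/pam.d/FILE [force_run]
# Prints one line per missing piece and returns 0 only when the auth line and
# the session line (with auto_start, plus force_run when requested) are present.

check_pam_kwallet() {
    file=$1
    need_force=${2:-}      # pass "force_run" when checking /etc/pam.d/login (tty login)
    status=0

    [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }

    # Drop comments and blank lines so a commented-out module line does not count,
    # and squeeze tabs/spaces so matching does not depend on the separator used.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | tr -s '[:blank:]' ' ')

    if ! printf '%s\n' "$active" | grep -Eq '^auth optional pam_kwallet5\.so( |$)'; then
        echo "$file: missing 'auth optional pam_kwallet5.so'"
        status=1
    fi

    session=$(printf '%s\n' "$active" | grep -E '^session optional pam_kwallet5\.so' | head -n 1)
    if [ -z "$session" ]; then
        echo "$file: missing 'session optional pam_kwallet5.so auto_start'"
        status=1
    else
        case " $session " in
            *" auto_start "*) ;;
            *) echo "$file: session line lacks auto_start"; status=1 ;;
        esac
        if [ -n "$need_force" ]; then
            case " $session " in
                *" force_run "*) ;;
                *) echo "$file: session line lacks force_run (needed for tty login)"; status=1 ;;
            esac
        fi
    fi
    return "$status"
}
```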

Tips and tricks

Using the KDE Wallet to store ssh key passphrases

Install ksshaskpass package.

Set the SSH_ASKPASS environment variable to ksshaskpass and SSH_ASKPASS_REQUIRE to prefer (prefer to use the askpass program instead of the TTY). To set it automatically on each login, create the following environment.d(5) file:

~/.config/environment.d/ssh_askpass.conf
SSH_ASKPASS=/usr/bin/ksshaskpass
SSH_ASKPASS_REQUIRE=prefer

Restart your session (i.e. relogin) so that the environment variables take effect.

The first time you try to use an SSH key, you will be asked for its passphrase. Make sure to check the Remember password checkbox. Next time, the passphrase will be read from KDE Wallet.

Using the KDE Wallet to store Git credentials

Git can delegate credential handling to a credential helper or an askpass program. By using ksshaskpass as the askpass program, HTTP/HTTPS and SMTP passwords can be safely stored in the KDE Wallet.

Install the ksshaskpass package.

Configure Git by setting the GIT_ASKPASS environment variable:

~/.config/environment.d/git_askpass.conf
GIT_ASKPASS=/usr/bin/ksshaskpass
Tip: If the SSH_ASKPASS environment variable is set to ksshaskpass, then additionally setting GIT_ASKPASS is not required.

See gitcredentials(7) for alternatives and more details.

Store GPG key passphrases

Native KDE windows can be used to prompt for GPG key passphrases and save them in KDE Wallet.

Configure gpg-agent to use /usr/bin/pinentry-qt.

Enable the Secret Service interface. There are two ways to do this:

  • Go to System Settings > KDE Wallet and enable Use KWallet for the Secret Service interface.
  • Edit the KDE Wallet configuration file:
~/.config/kwalletrc
[org.freedesktop.secrets]
apiEnabled=true

Close the wallet and reopen it for these changes to take effect. You can do this using kwalletmanager or by issuing commands to the D-Bus service directly with qdbus:

$ qdbus org.kde.kwalletd6 /modules/kwalletd6 closeAllWallets
$ qdbus org.kde.kwalletd6 /modules/kwalletd6 open kdewallet 0 $0

KDE Wallet for Chrome and Chromium

Chrome, Chromium and Opera have built-in wallet integration. To enable it, run Chromium with the --password-store=kwallet5 or --password-store=detect argument. To make the change persistent, see Chromium#Making flags persistent. (Setting CHROMIUM_USER_FLAGS will not work.)

Query passwords from the terminal

Instead of storing passwords in plain text files, you can manually add new entries in your wallet and retrieve them with kwallet-query.

For example, if you want to log in to the Docker Hub registry with Podman, which supports reading the password from stdin with the --password-stdin flag, you can use the following command:

$ kwallet-query -r folder_entry wallet_name -f folder_name | podman login docker.io -u dockerhub_username --password-stdin

This way, the password is stored neither in a text file nor in the shell history file.

In order to run kwallet-query outside of a graphical session (for instance as part of an unattended backup script), set the QT_QPA_PLATFORM=offscreen environment variable:

$ QT_QPA_PLATFORM=offscreen kwallet-query -r folder_entry wallet_name -f folder_name
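The two commands above combined into a small script helper that also refuses to pass an empty or missing entry downstream. This is an added example, not from the ArchWiki page; wallet_secret and KWALLET_QUERY are hypothetical names, the latter only so the kwallet-query path can be overridden.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: read one secret from KWallet
# inside a script, so the password never appears on a command line or in
# the shell history. wallet_secret and KWALLET_QUERY are hypothetical names;
# KWALLET_QUERY only exists so the binary path can be overridden for testing.

: "${KWALLET_QUERY:=kwallet-query}"

# wallet_secret WALLET FOLDER ENTRY  -> writes the secret to stdout
wallet_secret() {
    wallet=$1 folder=$2 entry=$3
    # QT_QPA_PLATFORM=offscreen lets the Qt-based tool run without a display,
    # e.g. from a cron job, a systemd unit or an unattended backup script.
    secret=$(QT_QPA_PLATFORM=offscreen "$KWALLET_QUERY" -r "$entry" -f "$folder" "$wallet") || {
        echo "wallet_secret: kwallet-query failed for $wallet/$folder/$entry" >&2
        return 1
    }
    # Whether a missing entry makes kwallet-query exit non-zero or just print
    # nothing, never hand an empty string on as if it were the password.
    [ -n "$secret" ] || { echo "wallet_secret: entry $folder/$entry is empty or missing" >&2; return 1; }
    printf '%s\n' "$secret"
}

# Consumer from the section above: Podman reads the password from stdin,
# so it is visible neither in ps output nor in the history file.
podman_login_from_wallet() {
    wallet_secret "$1" "$2" "$3" | podman login docker.io -u "$4" --password-stdin
}
```

Call it as podman_login_from_wallet kdewallet Passwords dockerhub dockerhub_username from a script that runs with or without a graphical session.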

Unlocking KWallet automatically in a window manager

To unlock a KWallet protected by the login password from a plain window manager, it is necessary, in addition to configuring PAM, to add

exec --no-startup-id /usr/lib/pam_kwallet_init

(shown here in i3's configuration syntax) to the window manager's configuration file.

Disable KWallet

In case you want to permanently disable kwallet:

~/.config/kwalletrc
[Wallet]
Enabled=false
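Both kwalletrc edits on this page (apiEnabled=true under [org.freedesktop.secrets] in the GPG section, and Enabled=false under [Wallet] here) are the same operation: set one key in one section without duplicating it or clobbering the rest of the file. The helper below is an added example, not from the ArchWiki page; kwalletrc_set is a hypothetical name and keys are assumed to be plain identifiers.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: set one key in an INI-style
# kwalletrc file idempotently. It serves both edits on this page, enabling the
# Secret Service API ([org.freedesktop.secrets] apiEnabled=true) and disabling
# KWallet ([Wallet] Enabled=false). kwalletrc_set is a hypothetical helper
# name; keys are assumed to be plain identifiers (no regex metacharacters).
# Usage: kwalletrc_set FILE SECTION KEY VALUE

kwalletrc_set() {
    file=$1 section=$2 key=$3 value=$4
    [ -f "$file" ] || : > "$file"          # start from an empty file if none exists
    tmp=$(mktemp) || return 1             # rewritten file ends up with mktemp's 0600 mode
    awk -v sec="$section" -v key="$key" -v val="$value" '
        # Append the key when leaving the target section without having rewritten it.
        function flush() { if (in_sec && !written) { print key "=" val; written = 1 } }
        /^\[.*\]$/ {                                   # section header
            flush()
            in_sec = ($0 == ("[" sec "]")); seen_sec = seen_sec || in_sec
            print; next
        }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {     # existing key: rewrite once, drop duplicates
            if (!written) { print key "=" val; written = 1 }
            next
        }
        { print }
        END {
            flush()
            if (!seen_sec) { if (NR) print ""; print "[" sec "]"; print key "=" val }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}
```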

Automatic D-Bus activation

Most applications use the org.freedesktop.secrets D-Bus service. KWallet does not provide a D-Bus service file for it out of the box, so the daemon is not started on demand when an application requests that name.

You can achieve automatic activation by creating such a service file:

~/.local/share/dbus-1/services/org.freedesktop.secrets.service
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/kwalletd6

See also