KDE Wallet
KDE Wallet Manager is a tool to manage passwords on the KDE Plasma system. Using the KWallet subsystem allows a user to keep its own secrets, but also allows a user to access passwords stored by every application that integrates with KWallet.
A wallet (in the KDE's terminology, sometimes called vault or keyring) is an encrypted volume protected by a user-defined password where user and/or software can store secrets (often, credentials when the user checked "Remember the account" in an application). Those vaults can be created and used manually by the user or created and used automatically in the background by some software that integrates with the wallet subsystem (e.g. mail applications or games). Vaults are often decrypted automatically at the user login using a PAM module (see below).
Tips:
- If you only need to have a wallet available for applications using it, it is suggested to use the default name (i.e.
kdewallet
) and the same password as the user (for PAM). - Wallets are stored as encrypted files using the
.kwl
extension in the~/.local/share/kwalletd
directory by default.
Installation
KDE Wallet is often shipped with the KDE Plasma desktop environment. The wallet subsystem can be manually installed with the kwallet package.
Optionally install the kwalletmanager package for the wallet management tool. This tool can be used to graphically create and manage a KDE Wallet.
Configuration
Unlock KDE Wallet automatically on login
To unlock KDE Wallet automatically on login, install kwallet-pam for the PAM compatible module. The chosen KWallet password must be the same as the current user password.
- kwallet-pam is not compatible with GnuPG keys, the KDE Wallet must use the standard
blowfish
encryption. - When using autologin, the wallet can only be unlocked if the autologin method saves the password. pam_autologin does, for example.
- The wallet cannot be unlocked when using a fingerprint reader to login
- The wallet must be named
kdewallet
(default name). It does not unlock any other wallet(s). - If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (Wi-Fi-passphrase unlock, etc.).
- It may be needed to remove the default created wallet first, thus removing all stored entries.
- If the kwallet Migration Assistant asks for a password after every login, rename or delete the
~/.kde4/share/apps/kwallet
folder.
Configure PAM
The following lines must be present under their corresponding sections:
auth optional pam_kwallet5.so session optional pam_kwallet5.so auto_start
Edit the PAM configuration corresponding to your situation:
- For SDDM no further edits should be needed because the lines are already present in
/etc/pam.d/sddm
. - For LightDM no further edits should be needed because the lines are already present in
/etc/pam.d/lightdm
and/etc/pam.d/lightdm-autologin
. - For GDM edit
/etc/pam.d/gdm-password
accordingly. - For greetd edit
/etc/pam.d/greetd
accordingly. - For unlocking on tty login (no display manager, or like greetd-tuigreet), edit
/etc/pam.d/login
accordingly. You will need to specify the force_run parameter.
/etc/pam.d/login
auth optional pam_kwallet5.so session optional pam_kwallet5.so auto_start force_run
/etc/pam.d/greetd
#%PAM-1.0 auth required pam_securetty.so auth requisite pam_nologin.so auth include system-local-login auth optional pam_kwallet5.so account include system-local-login session include system-local-login session optional pam_kwallet5.so auto_start force_run
Tips and tricks
Using the KDE Wallet to store ssh key passphrases
Install ksshaskpass package.
Set the SSH_ASKPASS
environment variable to ksshaskpass
and SSH_ASKPASS_REQUIRE
to prefer
(prefer to use the askpass program instead of the TTY). To set it automatically on each login, create the following environment.d(5) file:
~/.config/environment.d/ssh_askpass.conf
SSH_ASKPASS=/usr/bin/ksshaskpass SSH_ASKPASS_REQUIRE=prefer
Restart your session (i.e. relogin) so that the environment variables take effect.
The first time you try to use an SSH key, you will get asked for its passphrase. Make sure to check the Remember password checkbox. Next time, the passphrase will be read from KDE Wallet.
Using the KDE Wallet to store Git credentials
Git can delegate credential handling to a credential helper. By using ksshaskpass as a credential helper, the HTTP/HTTPS and SMTP passwords can be safely stored in the KDE Wallet.
Install the ksshaskpass package.
Configure Git by setting the GIT_ASKPASS
environment variable:
~/.config/environment.d/git_askpass.conf
GIT_ASKPASS=/usr/bin/ksshaskpass
SSH_ASKPASS
environment variable is set to ksshaskpass, then additionally setting GIT_ASKPASS
is not required.See gitcredentials(7) for alternatives and more details.
Store GPG key passphrases
Native KDE windows can be used to prompt for GPG key passphrases and save them in KDE Wallet.
Configure gpg-agent
to use /usr/bin/pinentry-qt
.
Enable the Secret Service interface. There are two ways to do this:
- Go to System Settings > KDE Wallet and enable Use KWallet for the Secret Service interface.
- Edit the KDE Wallet configuration file:
~/.config/kwalletrc
[org.freedesktop.secrets] apiEnabled=true
Close the wallet and reopen it to affect these changes. You can do this using kwalletmanager or by issuing commands to Qt D-Bus directly:
$ qdbus org.kde.kwalletd6 /modules/kwalletd6 closeAllWallets $ qdbus org.kde.kwalletd6 /modules/kwalletd6 open kdewallet 0 $0
KDE Wallet for Chrome and Chromium
Chrome/Chromium/Opera has built in wallet integration. To enable it, run Chromium with the --password-store=kwallet5
or --password-store=detect
argument. To make the change persistent, see Chromium#Making flags persistent. (Setting CHROMIUM_USER_FLAGS will not work.)
Query passwords from the terminal
Instead of storing passwords in plain text files, you can manually add new entries in your wallet and retrieve them with kwallet-query.
For example, if you want to log into the Docker Hub registry with Podman, which supports getting the passwords from stdin with the --password-stdin
flag, you can use the following command to login:
$ kwallet-query -r folder_entry wallet_name -f folder_name | podman login docker.io -u dockerhub_username --password-stdin
This way, your password is not stored in any text file and neither is it stored in the terminal history file.
In order to run kwallet-query
outside of a graphical session (for instance as part of an unattended backup script), set the QT_QPA_PLATFORM=offscreen
environment variable:
$ QT_QPA_PLATFORM=offscreen kwallet-query -r folder_entry wallet_name -f folder_name
Unlocking KWallet automatically in a window manager
To unlock KWallet protected by the login password, it is necessary to add
exec --no-startup-id /usr/lib/pam_kwallet_init
to the configuration file of the window manager in addition to configuring PAM.
Disable KWallet
In case you want to permanently disable kwallet:
~/.config/kwalletrc
[Wallet] Enabled=false
Automatic D-Bus activation
Most applications use org.freedesktop.secrets.service
D-Bus service. KWallet does not provide a service file for it out of the box.
You can achieve automatic activation by creating such service file:
~/.local/share/dbus-1/services/org.freedesktop.secrets.service
[D-BUS Service] Name=org.freedesktop.secrets Exec=/usr/bin/kwalletd6