KDE Wallet Manager is a tool to manage passwords on the KDE Plasma system. Using the KWallet subsystem allows a user to keep its own secrets, but also allows a user to access passwords stored by every application that integrates with KWallet.
A wallet (in the KDE's terminology, sometimes called vault or keyring) is an encrypted volume protected by a user-defined password where user and/or software can store secrets (often, credentials when the user checked "Remember the account" in an application). Those vaults can be created and used manually by the user or created and used automatically in the background by some software that integrates with the wallet subsystem (e.g. mail applications or games). Vaults are often decrypted automatically at the user login using a PAM module (see below).
- If you only need to have a wallet available for applications using it, it is suggested to use the default name (i.e.
kdewallet) and the same password as the user (for PAM).
- Wallets are are stored as encrypted files using the
.kwlextension in the
~/.local/share/kwalletddirectory by default.
KDE Wallet is often shipped with the KDE Plasma desktop environment. The wallet subsystem can be manually installed with the package. The subsystem additionally depends on:
- FUSE to mount the decrypted wallet to a directory in user-land. Specifically, it depends on the package to provide the command.
- An encryption backend, used to actually store the wallet as a encrypted file. Several backends are supported, e.g. Gocryptfs with the package or EncFS with the package.
Optionally install the package for the wallet management tool. This tool can be used to graphically create and manage a KDE Wallet, e.g. with
blowfish encryption and more settings not provided by the kcm-module.
Unlock KDE Wallet automatically on login
- GnuPG keys, the KDE Wallet must use the standard
is not compatible with
- When using autologin, the wallet can only be unlocked if the autologin method saves the password. pam_autologin does, for example.
- The wallet cannot be unlocked when using a fingerprint reader to login
- The wallet must be named
kdewallet(default name). It does not unlock any other wallet(s).
- If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (Wi-Fi-passphrase unlock, etc.).
- It may be needed to remove the default created wallet first, thus removing all stored entries.
- If the kwallet Migration Assistant asks for a password after every login, rename or delete the
The following lines must be present under their corresponding sections:
auth optional pam_kwallet5.so session optional pam_kwallet5.so auto_start
Edit the PAM configuration corresponding to your situation:
- For SDDM no further edits should be needed because the lines are already present in
- For LightDM no further edits should be needed because the lines are already present in
- For GDM edit
- For greetd edit
- For unlocking on tty login (no display manager), edit
/etc/pam.d/loginaccordingly. You will need to specify the force_run parameter.
auth optional pam_kwallet5.so session optional pam_kwallet5.so auto_start force_run
#%PAM-1.0 auth required pam_securetty.so auth requisite pam_nologin.so auth include system-local-login auth optional pam_kwallet5.so account include system-local-login session include system-local-login session optional pam_kwallet5.so auto_start force_run
Using the KDE Wallet to store ssh key passphrases
[Desktop Entry] Exec=ssh-add -q Name=ssh-add Type=Application
~/.ssh/id_dsa. Assuming you have different SSH keys named
~/.ssh/, you may add them automatically on login by passing them as arguments to ssh-add. E.g.:
[Desktop Entry] Exec=ssh-add -q .ssh/key1 .ssh/key2 .ssh/key3 Name=ssh-add Type=Application
To use shell features like globbing, change the
Exec= line to start the shell and execute the ssh-add command with it. For example, to add all private keys whose file names start with
id to ssh-add using the extended globbing features of Zsh:
[Desktop Entry] Exec=zsh --extendedglob -c 'ssh-add -q ~/.ssh/id^*.pub < /dev/null' Name=ssh-add Type=Application X-KDE-AutostartScript=true
You also have to set the
SSH_ASKPASS environment variable to
prefer (prefer to use the askpass program instead of the TTY). To set it automatically on each login, create the following systemd environment file:
It will ask for your password and unlock your SSH keys. Upon restart your SSH keys should be unlocked once you give your kwallet password.
To add a new key and store the password with kwallet use the following command
$ ssh-add /path/to/new/key </dev/null
and append the key to the list of keys in
~/.config/autostart/ssh-add.desktop as explained above to have it unlocked upon providing the kwallet password.
Using the KDE Wallet to store Git credentials
Git can delegate credential handling to a credential helper. By using as a credential helper, the HTTP/HTTPS and SMTP passwords can be safely stored in the KDE Wallet.
Install the package.
Configure Git by setting the
GIT_ASKPASS environment variable:
SSH_ASKPASS environment variable is set to ksshaskpass, then additionally setting
GIT_ASKPASS is not required.
Seefor alternatives and more details.
KDE Wallet for Chrome and Chromium
Chrome/Chromium/Opera has built in wallet integration. To enable it, run Chromium with the
--password-store=detect argument. To make the change persistent, see Chromium#Making flags persistent. (Setting CHROMIUM_USER_FLAGS will not work.)
Query passwords from the terminal
Instead of storing passwords in plain text files, you can manually add new entries in your wallet and retrieve them with kwallet-query.
For example, if you want to log into the Docker Hub registry with Podman, which supports getting the passwords from stdin with the
--password-stdin flag, you can use the following command to login:
$ kwallet-query -r folder_entry wallet_name -f folder_name | podman login docker.io -u dockerhub_username --password-stdin
This way, your password is not stored in any text file and neither is it stored in the terminal history file.
Unlocking KWallet automatically in a window manager
To unlock KWallet protected by the login password, it is necessary to add
exec --no-startup-id /usr/lib/pam_kwallet_init
to the configuration file of the window manager in addition to configuring PAM.
In case you want to permanently disable kwallet:
Automatic D-Bus activation
Most applications use
org.freedesktop.secrets.service D-Bus service. KWallet does not provide a service file for it out of the box.
You can achieve automatic activation by creating such service file:
[D-BUS Service] Name=org.freedesktop.secrets Exec=/usr/bin/kwalletd5