Talk:KDE Wallet

Apparently, the use of pam_kwallet-git does not work if the wallet is encrypted with a GnuPG key. --Fahrgast (talk) 15:10, 28 January 2015 (UTC)Reply

It is possible use a blank password too to open the wallet automatically according with [1] J0n4t (talk) 19:35, 21 July 2016 (UTC)Reply

I offer these comments with some trepidation: Kwallet can be unlocked automatically when using a GnuPG key, but it's complicated. . . complicated enough that I don't quite recall all the details of how it's done. Hence, my trepidation. However, I am using this on one of my machines. The basics are that kwallet is configured to use a GnuGP key, and gnome-keyring is configured to unlock my GnuGP keys automatically. Editing files in /etc/pam.d/ is required, and unfortunately, this is where my knowledge and recollection is lacking. I'm pretty sure that login, sddm-autologin, and passwd in that folder all required editing. I was following someone else's instructions at the time and unfortunately cannot locate them again. I can say that my kwallet configuration is definitely using a GnuGP key, and my Network Manager wifi configuration is set to encrypt my stored wifi password, my GnuGP keys are unlocked automatically by gnome-keyring, and when I log on, my system connects automatically to wifi without my having to key in a wifi password or a kwallet password. If anyone has interest in pursuing this, and possesses a better understanding of PAM than I do, I'm willing to share the contents of my PAM files. If there are any further tricks required, I don't recall what they were unfortunately.

L userx (talk) 02:27, 20 March 2019 (UTC)Reply

kwalletmanager in repo is for kde4, and use different path from kde5 ( ./.local/share/kwalletd/kdewallet.kwl ) and also seems to be incompatible (copied/linked kwl file giver password error). kwalletmanager-git works fine, but is still lacking gpg.

May be helpful: workaround for this bug (or feature) is here

With kwallet 6.22.0-1 the token transmission changes a bit

Now we have to adjust our PAM profiles like this

   #%PAM-1.0
   auth       optional        pam_kwallet5.so force_run kwalletd=/usr/bin/ksecretd
   session    optional        pam_kwallet5.so force_run auto_start kwalletd=/usr/bin/ksecretd
   

this solution works for me, please confirm

Can we please get a guide for this? I've added the lines to /etc/pam.d/login but it's not unlocking. Other guides have lines added to /etc/pam.d/passwd but for some reason the file looks different on other distros, or maybe I'm seeing old tutorials. MisterMustafa (talk) 21:06, 27 March 2017 (UTC)Reply

the order of the PAM modules is important. the following is just exemplary to clarify PAM stack order. with kwallet 6.22.0-1, the first grabbing of PAM_AUTHTOK has to happen right after successful authentication (auth stack/phase), something like:

auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok

auth       [default=die]               pam_faillock.so      authfail

auth       optional              pam_kwallet5.so force_run kwalletd=/usr/bin/ksecretd

later in session phase the token has to be transmitted within systemd session:

-session   optional                    pam_systemd.so

session    optional                    pam_kwallet5.so force_run auto_start kwalletd=/usr/bin/ksecretd Arkades (talk) 11:32, 24 January 2026 (UTC)Reply

It seems that setting SSH_ASKPASS_REQUIRE=prefer causes ssh-add autostart to fail on two of my machines. ssh-add did not use ksshaskpass in this instance. I have to set SSH_ASKPASS_REQUIRE=force only for the autostart script. Did I do something wrong? TheBill2001 (talk) 07:37, 12 March 2024 (UTC)Reply

It seems to be a Wayland issue [2]. Need to set DISPLAY environment variable with ssh-agent. TheBill2001 (talk) 07:44, 12 March 2024 (UTC)Reply

Set up KWallet PAM for first! Otherwise you will break a Chrome Storage.

Open Seahorse: Seahorse is a graphical interface for managing encryption keys and passwords.

Locate Chrome/Chromium/Brave Safe Storage and Its Key: In Seahorse, find the "Safe Storage" entry associated with your browser (e.g., Chrome, Chromium, Brave).

Rename the Browser Configuration Folder: Navigate to your home directory and locate the browser's configuration folder. For Chrome, this is typically ~/.config/google-chrome. Rename this folder to something like google-chrome-backup to back up your current profile.

Open a New Instance of Chrome: Launch Chrome again, which will create a new configuration/profile folder automatically.

Close Chrome: After the new instance has been created, close the browser.

Open KWalletManager5: KWalletManager5 is a password manager for Plasma. Open it to manage your wallet.

Replace the Chrome Safe Storage Key: In KWalletManager5, locate the Safe Storage key for Chrome. Replace the existing key with the one you backed up or intend to use.

Remove the New Browser Profile: Delete the newly created ~/.config/google-chrome folder to remove the temporary profile.

Restore the Original Browser Profile: Rename your backup folder (google-chrome-backup) back to google-chrome to restore your original browser profile.

This seems to be the future of secret management for kde. will only leave links for now as nothing is available yet, but at least something will show up on searches.

https://invent.kde.org/plasma/plasma-workspace/-/tree/master/ksecretprompter

https://aur.archlinux.org/packages/oo7-server

18:32, 14 February 2026 (UTC) Gcb (talk) 18:32, 14 February 2026 (UTC)Reply