KDE Wallet

Note

This guide assumes that you are using the KDE Plasma desktop environment.

Description

KDE Wallet Manager is a tool to manage passwords on the KDE Plasma system. By using the KWallet subsystem it not only allows you to keep your own secrets but also to access and manage the passwords of every application that integrates with KWallet.

Directory

References


Setup

Description

This details how to create and set up a KDE Wallet and use it by default.

References

Initial Setup

  1. Install the kwalletmanager package using yay to easily configure our KDE Wallet(s).

    [!NOTE]
    This will add a KDE Wallet section to our System Settings application.

  2. Launch the System Settings application.

  3. Under the Security & Privacy group, expand the KDE Wallet section.

  4. In the KDE Wallet page, in the Wallet Preferences tab, check the Enable the KDE wallet subsystem box.

  5. Under the Automatic Wallet Selection section, click the New button corresponding to the Select wallet to use as default option.

  6. Enter a name for the wallet (e.g. kdewallet) and click the OK button.

    [!NOTE]
    If you wish to enable wallet auto unlock, you are required to set its name to kdewallet.

  7. Select one of the two KDE Wallet type options:

    • Classic, blowfish encrypted file (Recommended)
    • Use GPG encryption, for better protection

    Click the Next button.

  8. If you chose to use Blowfish, enter a password, taking into account your desktop autologin and wallet auto unlock choice:

    • To enable desktop autologin and wallet auto unlock: Set an empty password
    • To enable desktop autologin but not wallet auto unlock: Set any secure password
    • To enable wallet auto unlock but not desktop autologin: Set the same password as your user password

    Click the OK button.

  9. If you chose to use GPG, select an existing trusted key in the list. If none exists, create a new GPG key and return to this step.

  10. Click the Finish button.

  11. If prompted to enter the passphrase of your chosen GPG key, enter it and select the OK button.

  12. Back in the Automatic Wallet Selection section, expand the Select wallet to use as default dropdown and select the wallet you just created.

  13. Under the Secret Service section, check the Use KWallet for the Secret Service Interface box.

  14. (Optional) Navigate to the Access Control tab and check the Prompt when an application accesses a wallet box.

  15. Click the Apply button at the bottom right.

  16. If prompted to authenticate, enter your user credentials and click the OK button.

SSH Passphrase

This describes how to use KDE Wallet to store SSH key passphrases:

  1. Install the ksshaskpass package using yay.

  2. Create an environment.d directory if it does not yet exist:

    mkdir -p ~/.config/environment.d

  3. Create an environment.d file named ssh_askpass.conf:

    nano ~/.config/environment.d/ssh_askpass.conf

    Add the following values to the file and save it:

    SSH_ASKPASS=/usr/bin/ksshaskpass
    SSH_ASKPASS_REQUIRE=prefer
    
  4. (Optional) With this configuration, KDE Wallet is used to get the passphrase for the SSH key. However, this also applies when the user has no access to a graphical session (e.g. in a remote SSH session).

    To solve this, add the following logic to your default shell profile (e.g. fish):

    set -x SSH_ASKPASS_REQUIRE (set -q SSH_CONNECTION; and not set -q DISPLAY; and echo never; or echo prefer)

    If your default shell profile is bash, add the following line instead:

    export SSH_ASKPASS_REQUIRE=$(if [[ -n ${SSH_CONNECTION} && -z ${DISPLAY} ]]; then echo "never"; else echo "prefer"; fi)

    [!IMPORTANT]
    This logic will need to be reimplemented and adapted if the user's default shell is not one of those covered by the earlier examples (e.g. zsh).

    This sets the value of SSH_ASKPASS_REQUIRE to never when the user is logged in remotely via SSH and does not have access to a graphical session.

GPG Passphrase

This describes how to use KDE Wallet to store GPG key passphrases:

  1. Install the kwalletcli package using yay.

  2. Update the GPG agent configuration file with the following value:

    pinentry-program /usr/bin/pinentry-kwallet
    
  3. (Optional) With this configuration, KDE Wallet is used to get the passphrase for the GPG key. However, this also applies when the user has no access to a graphical session (e.g. in a remote SSH session).

    To solve this:

    • Write a script in your path that determines which pinentry program to use (e.g. ~/.local/bin/pinentry-auto):

      nano ~/.local/bin/pinentry-auto

      Add the following content to the file and save the script:

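      #!/bin/sh
      # reference: https://stackoverflow.com/a/77564644
      # gpg-agent runs this file directly, so it must be executable (chmod +x).
      
      set -eu
      
      # Graphical (KWallet-backed) pinentry for a local session with a display,
      # curses pinentry for a remote SSH session or when no display is available.
      if [ -z "${SSH_CONNECTION-}" ] && [ -n "${DISPLAY-}" ]; then
          PINENTRY=pinentry-kwallet
      else
          PINENTRY=pinentry-curses
      fi
      
      # exec resolves the name through PATH, so only the selected program has to be installed.
      exec "${PINENTRY}" "$@"

    • Update the GPG agent configuration file by setting pinentry-program to the script you wrote (e.g. ~/.local/bin/pinentry-auto):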

      pinentry-program ~/.local/bin/pinentry-auto
      

    This tells GPG to use the script to determine how to get the GPG passphrase - namely, pinentry-curses when the user is logged in remotely via SSH and does not have access to a graphical session.
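
The SSH_ASKPASS_REQUIRE rule and the pinentry-auto rule above, written as POSIX sh functions so that they can be reused from zsh, bash or sh and checked against each kind of session. This is an added example, not part of the original guide; the function names and the sample SSH_CONNECTION value are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. $1 stands in for $SSH_CONNECTION and $2 for $DISPLAY.

# Rule from the SSH Passphrase section: "never" only for SSH without a display.
askpass_require() {
    if [ -n "$1" ] && [ -z "$2" ]; then
        echo never
    else
        echo prefer
    fi
}

# Rule from the pinentry-auto script: graphical only for a local session with a display.
pinentry_choice() {
    if [ -z "$1" ] && [ -n "$2" ]; then
        echo pinentry-kwallet
    else
        echo pinentry-curses
    fi
}

# One table row: session name, SSH_ASKPASS_REQUIRE value, chosen pinentry.
row() {
    printf '%-20s %-8s %s\n' "$1" "$(askpass_require "$2" "$3")" "$(pinentry_choice "$2" "$3")"
}

# Evaluate both rules for the four possible session types.
session_table() {
    conn='203.0.113.5 51234 192.0.2.10 22'   # constructed SSH_CONNECTION value
    row local-desktop      ""      ":0"
    row local-console      ""      ""
    row ssh                "$conn" ""
    row ssh-x11-forwarding "$conn" "localhost:10.0"
}

session_table

# In a zsh, bash or sh profile the first rule would be applied as:
#   export SSH_ASKPASS_REQUIRE=$(askpass_require "${SSH_CONNECTION-}" "${DISPLAY-}")
```

The local-console and ssh-x11-forwarding rows are where the two rules differ: SSH_ASKPASS_REQUIRE stays prefer while the pinentry script falls back to pinentry-curses.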


Auto Unlock

Important

This guide assumes that you have completed setting up your KDE Wallet.

Description

This details how to set our KDE Wallet to auto unlock upon login.

References

Steps

  1. Ensure that the chosen default KDE Wallet is named kdewallet, as described in the Setup section.

  2. Follow the steps in the Blowfish or GPG section below, depending on your wallet type.

    Continue with the next step once completed.

  3. Restart the system.

Blowfish

Important

Wallet auto unlock will only work together with desktop autologin if the kdewallet was configured with an empty password or passphrase. If you wish for the wallet to be secured with a password, desktop autologin must be disabled.

  1. Depending on your choice of whether or not your wallet should be secured with a password, enable or disable autologin on your desktop.

  2. Depending on your choice of desktop autologin setting, set the password for the kdewallet wallet:

    • Launch the System Settings application.

    • Under the Security & Privacy group, expand the KDE Wallet section.

    • Click the Launch Wallet Manager button at the bottom right.

    • In the newly opened Wallet Manager window, navigate to the kdewallet wallet if you have multiple wallets.

    • Click the Change Password button on the top right.

    • Set the password to your user password if you have desktop autologin disabled.

    • Alternatively, set the password to an empty password if you have enabled desktop autologin.

    • Click the OK button.

  3. If you are not using desktop autologin and have set the default wallet's password to your user password accordingly, install the kwallet-pam package.

GPG

  1. Set an empty passphrase on the GPG key tied to the kdewallet wallet.

Fix Error with Visual Studio Code

Description

This guide details how to resolve the "You're running in a KDE environment but the OS keyring is not available for encryption. Ensure you have kwallet running." error when launching Visual Studio Code.

References

Steps

  1. Launch the Visual Studio Code application.

  2. Press Ctrl + Shift + P simultaneously and type in runtime in the provided prompt.

  3. Click the Preferences: Configure Runtime Arguments option to open the argv.json file.

  4. Add the following key and value to the very end of the JSON dictionary:

    {
      // ... existing entries ...
      "password-store": "gnome-libsecret"
    }

  5. Restart the Visual Studio Code application and verify that the error is no longer present.