Automatically unlock kwallet after KDE/Plasma login on openSUSE Tumbleweed

There’s a reason for the very specific title: It seems this feature is configured a little differently on Tumbleweed than on openSUSE Leap and I haven’t found any up-to-date information on this. So I’m writing this down as a note to myself.

A default Plasma desktop will use kwallet to save passwords for various desktop services (802.11x passwords, Nextcloud/ownCloud logins, SSH key passphrases, etc.). This can get inconvenient when e.g. Nextcloud wants to access the Internet, but the wallet isn’t unlocked yet, so Plasma can’t decrypt the WLAN PSK.

One solution is to:

  • Make your kwallet password the same as your user password
  • Ensure kwallet’s default wallet is called “kwallet” and that it’s the one that contains the keys you want unlocked on login
  • Make sure this wallet is using Blowfish encryption (this will not work in gnupg mode)
  • Install the require PAM modules

The package on openSUSE Tumbleweed is “pam_kwallet”, so:

sudo zypper in pam_kwallet

Log out from your desktop session, log back in and it should immediately work. In the past, you would have had to add the pam modules to /etc/pam.d/common-session or /etc/pam.d/sddm,but this is now done automatically.

The elegance of this is that you can still store more precious passwords in a separate wallet in Wallet Manager (just call that one something other than “kwallet”). That wallet can then be set to decrypt only on demand. This should save a lot of passphrase typing on a typical day.

Leave a Reply

Your email address will not be published.