Intro

Let’s start off by saying that I am aware this may not be the best security practice. If someone were to break into your active KDE/Plasma session, they may be able to extract passphrases from your unlocked kwallet.

That said, it can also be very convenient to store your credentials in kwallet. Considering I use LUKS encryption on my device, and my kwallet itself is encrypted too, I don’t see using kwallet as too big a risk. After all, other desktop environments and operating systems use similar systems.

The package that makes it all possible

There is one package required to achieve the described functionality: kwalletcli. You can install this package through your package manager. On most distributions this package is available in the default repositories. For Arch, you’ll need to install the package through the AUR (maintained by yours truly).

You may need to separately install pinentry-qt as well.

Globally configuring pinentry-qt

To configure pinentry-qt globally, create a file at ~/.config/environment.d/99-agents.conf with the following content:

PINENTRY=pinentry-qt

If ~/.config/environment.d does not yet exist, create the directory first.

Using kwalletcli with SSH

To use kwalletcli with SSH, we’ll need to configure a few things.

Note: on OpenSUSE /usr/bin/ksshaskpass should be changed to /usr/libexec/ssh/ksshaskpass.

Before we start creating scripts and configuration files, ensure all required directories have been created:

mkdir -vp ~/.local/bin \
~/.config/autostart \
~/.config/plasma-workspace/env \
~/.config/plasma-workspace/shutdown

Create a script to load the SSH key to your kwallet at the start of your desktop session. Because kwallet will be used to supply the passphrase, this means your SSH key is always available when using the ssh command.

Create the script in ~/.local/bin/ssh-add.sh:

#!/usr/bin/env bash
SSH_ASKPASS=/usr/bin/ksshaskpass
export SSH_ASKPASS
ssh-add ~/.ssh/id_ed25519

(This assumes your SSH key is located at ~/.ssh/id_ed25519)

Then create a .desktop file at ~/.config/autostart/ssh-add.sh.desktop to tell Plasma to run the above script when your session starts:

[Desktop Entry]
Exec=/home/<username>/.local/bin/ssh-add.sh
Icon=dialog-scripts
Name=ssh-add.sh
Type=Application
X-KDE-AutostartScript=true

Be sure to replace <username> with your own username.

Configure ssh askpass in /etc/profile.d/ksshaskpass.sh:

#!/usr/bin/env bash
# Sourced by login shells; export so child processes (ssh, ssh-add) see it.
SSH_ASKPASS=/usr/bin/ksshaskpass
export SSH_ASKPASS

Configure the SSH agent to start on login in ~/.config/plasma-workspace/env/ssh-agent-startup.sh:

#!/usr/bin/env bash
[ -n "$SSH_AGENT_PID" ] || eval "$(ssh-agent -s)"
SSH_ASKPASS=/usr/bin/ksshaskpass
export SSH_ASKPASS

Also configure the SSH agent to stop on shutdown in ~/.config/plasma-workspace/shutdown/ssh-agent-shutdown.sh:

#!/usr/bin/env bash
[ -z "$SSH_AGENT_PID" ] || eval "$(ssh-agent -k)"

Lastly, mark all created files as executable:

sudo chmod 755 /etc/profile.d/ksshaskpass.sh
chmod 755 ~/.local/bin/ssh-add.sh
chmod 755 ~/.config/plasma-workspace/env/ssh-agent-startup.sh
chmod 755 ~/.config/plasma-workspace/shutdown/ssh-agent-shutdown.sh

And you’re all done! Next time you log in, you will be prompted for your SSH key passphrase (due to the ssh-add desktop file and script), and at this prompt you will be asked to store the password in kwallet. If you select this option, you will not be asked again in the future.

Using kwalletcli with GPG keys

Configuring GPG to use kwalletcli is significantly less work.

Create or edit the file ~/.gnupg/gpg-agent.conf and ensure the following line is present:

pinentry-program /usr/bin/pinentry-kwallet

Then restart your GPG agent:

systemctl --user restart gpg-agent
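
A quick audit of the per-user files created above, as an added example that is not part of the original post. It checks that each script exists, is executable and is writable only by its owner (these scripts run at every login), that the autostart entry points at a runnable script, and that gpg-agent.conf names pinentry-kwallet. The function name audit_setup and the --audit switch are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: audit the per-user files created in this guide.
# audit_setup HOME_DIR prints one line per finding and returns the finding count.
audit_setup() {
    local home="$1" problems=0 f desktop target
    report() { echo "FINDING: $*"; problems=$((problems + 1)); }

    for f in "$home/.local/bin/ssh-add.sh" \
             "$home/.config/plasma-workspace/env/ssh-agent-startup.sh" \
             "$home/.config/plasma-workspace/shutdown/ssh-agent-shutdown.sh"; do
        if [ ! -f "$f" ]; then report "$f is missing"; continue; fi
        [ -x "$f" ] || report "$f is not executable"
        # These run at every login, so only the owner should be able to edit them.
        [ -z "$(find -L "$f" \( -perm -020 -o -perm -002 \))" ] ||
            report "$f is writable by group or others"
    done

    # The autostart entry must point at a script that exists and can run.
    desktop="$home/.config/autostart/ssh-add.sh.desktop"
    if [ -f "$desktop" ]; then
        target=$(sed -n 's/^Exec=//p' "$desktop" | head -n 1)
        [ -x "$target" ] || report "$desktop: Exec target '$target' is not executable"
    else
        report "$desktop is missing"
    fi

    # gpg-agent must be pointed at the kwallet-backed pinentry.
    grep -qsx 'pinentry-program /usr/bin/pinentry-kwallet' \
        "$home/.gnupg/gpg-agent.conf" ||
        report "gpg-agent.conf has no pinentry-kwallet line"

    return "$problems"
}

# Audit the real home directory only when asked to: ./audit.sh --audit
[ "${1:-}" != "--audit" ] || audit_setup "$HOME"
```

An exit status of 0 means no findings; any other value is the number of findings printed.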

Further reading

Now that GPG passphrases are easily entered, it may be nice to set up git to automatically sign your commits. GitLab has excellent documentation on configuring this.