Taming KDEwallet

On opensuse forums, I often see complaints about KDEwallet (or “kwallet” for short).  It can be annoying at times.  In this post, I’ll indicate ways of keeping it under control.

While this is oriented toward opensuse, it should also apply to other distros with one caveat.  In opensuse, some of the applications have their settings and configuration under the directory “$HOME/.kde4”.  For other distros, it is more typical to use “$HOME/.kde” (without that final “4”).  So just adjust my suggestions accordingly.

Starting with Leap 42.1 (and with Tumbleweed), opensuse now supports Plasma 5.  And Plasma 5 keeps its configuration under “$HOME/.config” and under “$HOME/.local”.  But there remain some older applications with configuration in the old location.

To further complicate things, there are now two versions of “kwallet”.  I’ll call them “kwallet4” for the old version still used by some older software, and “kwallet5” for the newer version (for Plasma 5).  That both wallets are there, and that they might independently prompt you to open the wallet, is part of the confusion.

The post will consist of several sections, mostly independent of one another.

Resetting “kdewallet”

You messed up, and now wish that you had set up kwallet differently.  Here is how to reset it to the original settings.

This is best done when the kwallet software is not running.  My advice would be to logout from KDE.  And then either use CTRL-ALT-F2 to get a virtual terminal, or login to some other desktop (such as “Icewm”) if available.

For “kwallet4:”

cd ~/.kde4/share/config
rm kwallet*
cd ../apps
rm -rf kwallet

For “kwallet5:

cd ~/.config
rm kwallet*
cd ~/.local/share
rm -rf kwalletd

That deletes everything kwallet related, including any saved information (such as email passwords).  Then login to KDE again.  You will be prompted for kwallet settings as needed.

Resetting without losing data

If kwallet is mostly working, but you don’t want the current settings, then it is possible to save the data before you reset.  For that, you will need to start kwalletmanager.  Note that there are two versions of “kwalletmanager”.  One is for “kwallet4” and the other is for “kwallet5”.  You need to run the one that is appropriate for the wallet whose contents you are saving.  If you are doing this to both wallets, you will need to save twice (and use different file names for where to save).

While running “kwalletmanager”, use the option to “save as xml”.  Be warned, that this saves private data in what might be a public file.  Once you have saved, then reset the wallet as indicated above.  Then re-initialize the wallet the way that you now want it.  And then again run “kwalletmanager” to import the xml.

When you are done, you might want to use the “shred” command to destroy the content of the file where you saved the xml.

KDE wallet always migrates

Everytime you login, there is a message saying that your wallet is being migrated.

I have not seen this mentioned recently, so perhaps the bug has been fixed.  If this happens to you, then edit the file “$HOME/.config/kwalletrc” and insert three lines at the beginning of the file (if they are not already there):

--- start of three lines

--- end of three lines

That should solve the migration problem.

Using GPG

I am currently using GPG encryption for both wallets.  And I use the same GPG key for both wallets.  This makes life simpler.

The first time that an application wants to access kwallet, I am prompted for the pass phrase for my GPG key.  And “gpg-agent” remembers that pass phrase.  So if another application wants to open the other wallet, I won’t see a prompt.  It is handled automatically by “gpg-agent”.

If you have never used GPG, then the setup for GPG encryption might be confusing.  Best would be to first run “kgpg” to setup “gpg” and to create a key that you can later use for kwallet encryption.

If you already setup kwallet without GPG encryption, and want to change, then follow the steps for resetting the wallet without losing data.

I am prompted too often for kwallet

Using GPG encryption is one way of solving this problem.  The other way is to use “kwalletmanager” and get into wallet settings.  Look for the boxes on when to close kwallet.  Uncheck all of those boxes.  The result is that kwallet should stay open.  So you should only be prompted once per login.  Well, you might be prompted twice (once for “kwallet4” and once for “kwallet5”), but that should be it until you logout.

I don’t want to use kdewallet

It is possible to disable the kwallet system.  However, that may cause problems with some applications.  The alternative that some people prefer is to use a blank password.  When setting up “kwallet” choose convention encryption (i.e. not GPG).  And then, when prompted for a password, leave the password entry field empty.  You may see a warning that your password is weak.  But it is still accepted.  The effect is that you have an unencrypted kwallet.  And you are never prompted for a password to open kwallet.

WiFi and kdewallet

Some people are particularly annoyed by the prompt for kdewallet, prior to connecting to WiFi.  This usually happens immediately after login, which is why it can be confusing.

The current version of NetworkManager has an alternative for this.  Right-click on the NetworkManager tray icon, and select “Edit connections”.  Then edit the connection that you normally use.

Click on the security tab.  There should be a field for the network key.  It might be already filled in (from the open kwallet).  If not, you will again need to type in the key there.

Toward the right of that field, are two small icons.  One is of an eye.  The second is of a floppy disk.  Sometimes the two are overlayed on top of one another.  If they are overlaid, then maximize the window.  Or unmaximize (if it is already maximized).  The change in size should make the two icons distinct.

Now click on the floppy disk icon.  That allows you to set where the WiFi password is saved.  Set it to be saved unencrypted and shared by other users.  Save the changes.  You should not again be prompted for opening kwallet to connect to that WiFi network.

Note that, with this setting, the key is actually stored in a file readable only by root, and made available to you for network settings based on polkit authentication.  So it isn’t as scary as it might sound.

A separate wallet for local passwords

When you setup kwallet, there’s an option to use a separate wallet for local passwords.

I don’t do that, mostly because it is poorly documented.  However, I have experimented with it.  And, based on my experiments, it looks as if each application specifies whether to use the default wallet or the local wallet.  If you don’t have a separate local wallet, then an application wanting the local wallet will actually use the default wallet.

In my experimenting, I was unable to find an application that wants to access the local wallet.  Every application that I tried, seemed to be using the default wallet.


Tags: , ,

About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: