New GnuPG backend for the KDE Wallet!

Posté le 17 août 2013 @ 01:00 par Valentin

The classical KDE Wallet uses blowfish algorithm to encrypt sensitive data before writing it to disk. The key used for the encryption is a user-defined password that sometimes is even left empty by the user!

GnuPG offers some very strong encryption algorithms and uses passphrase-protected long keys. But I’m not going to talk about GPG here. I’ll rather tell you that I just added a new backend in kwalletd allowing for GPG-encrypted wallets! The code is fully functional and I actually configured my KDE session to use it! So here are the screenshots.



As you can see, I now have a « testgpg » wallet that is selected as the system-default wallet. So what, you’d say? Well, I’d answer, as you can see there’s no apparent difference when using these wallets, and that’s expected behavior. Things changes however when you try to create a new wallet. There are two ways to do that. The usual way is in system settings, where user would click the « New… » button you see in the second screenshot. That will pop-up a wizard that I adjusted to let the user choose between the more secure GPG-backend or the classical, blowfish-based, backend.

After clicking « New… », user is prompted for the new wallet’s name, as usual, then here is the redesigned « new wallet wizard »:

disclaimer: I’m not an english-native, so wording may not be the best in the following screenshots. Feel free to adjust the strings in the sources ;-)




The screenshots above show the case where an encryption capable GPG key was found on the system. If the user do not have such a key, then the last page changes to this:


(the different color comes from the different color-scheme my test user has in it’s kde session)

And that’s all it takes!

If using KWalletManager, the wizard is slightly different (I don’t know why kwalletd uses two code paths for wallet creation, but I choose to keep this original behavior):

  • Choose « File > New wallet… »
  • Enter the new wallet’s name
  • Next, the following wizard will show:



That’s it for this case too!

kwalletd will use GPG when storing wallets and when opening them. The same KDE session can handle simultaneously both file formats. kwalletd will transparently detect the file format and load the correct backend to handle it. So you can do as I did:

  • Create a new GPG-based wallet (using one of the previous described methods)
  • Fire KWalletManager and
    • Select your old wallet then choose « File > Export as XML… » to create an XML file with your sensitive data
    • Select the GPG-based wallet then choose « File > Import XML… », then choose the file you just saved
    • NOTE: « File > Import wallet… » should also work, but in that case you should choose the .kwl file corresponding to your old wallet, located in ~/.kde/share/apps/kwallet
  • Go to System Settings > Account Details > KDE Wallet and select the newly created, GPG-based, wallet from the « select wallet to use as default » combo box
  • gpg-encrypt the XML file to keep a back-up

What about file sizes? Well, on my system, the new GPG-based wallet show a dramatic drop in file size for storing the exact same data:

$ ll
total 80
-rw------- 1 valentin valentin 60664 Aug 15 16:54 kdewallet.kwl
-rw------- 1 valentin valentin 19329 Aug 15 18:56 testgpg.kwl

The performance difference is not noticeable. There’s only a slight lag on first GPG library initialization.

IMPORTANT NOTE: the passphrase dialog only shows once. Even if the wallet is closed after initial open, subsequent opening will occur silently during the same KDE session! That’s great news for those annoyed by the kwallet password prompt in the middle of the KDE session.

Eager to test the code? I’d be glad to hear your feedback, as this code should be thoroughly tested and reviewed before letting it go to master. I’ll soon post a review-request on the official mailing list. The code is available under the kde-runtime’s branch named kwalletd-gpg. The new features are compiled-in only if your system has QGpgme, part of kdepimlibs, which in turn requires gnupg and gpgme.

A final word: those of us who own a FSFE Fellowship Smart Card now have a new cool usage for it!

3 Rétroliens

  1. Ping: My First KDE Contribution and looking for more | A Conservative Techie le 4 septembre 2013
  2. Ping: Jonathan Jesse: My First KDE Contribution and looking for more | le 5 septembre 2013
  3. Ping: Rilasciata la prima beta di KDE 4.12 : NetItaly .info le 9 novembre 2013

15 Commentaires

  1. Beat Wolf
    17 août 2013 à 13:54

    Can this be used without having to retype the password everytime after login? I need it to unlock with the login. As long as it does not i will have to use an empty password, at least that way it works how i want

  2. Valentin
    17 août 2013 à 14:05

    Well, AFAIK GPG asks for a passphrase when unlocking a key, but, however, that passphrase may be empty. So I think it should be doable. Only, your wallet won’t be protected as stoling it along with the GPG key would give full access to it’s contents. But if you set GPG with PAM, then you’ll never be bothered againg by the kwallet password prompt and your wallet will be kept securely. Could you please post an update if you manage to set-up it that way?

  3. eliasp
    17 août 2013 à 15:18

    Simply use ‘keychain’ ( to accomplish this. It also supports SSH.

  4. Jonathan Jesse
    17 août 2013 à 16:19


    I saw this through and would like to help out with the text that was changed as there are some grammar issues. I saw you posted that English is not your native language and I would like to help fix some small issues. However I’m new to doing this and if you can point me to where the text for the screen shots is stored I would be more than willing to fix them and some how provide them to you.

    I did a git clone git:// of the source, just need to find the text.

    Please email me: so I can help

  5. Silver
    17 août 2013 à 20:47

    Well, I’d like the possibility to close KWallet during the KDE session as my computer is quite a public one and used by multiple people.

  6. Valentin
    17 août 2013 à 22:05

    Well, in that case you should stick with the blowfish backend. Or, if you switch to GPG, you may use a smart card that you take with you when leaving your computer.

  7. xxxzz
    18 août 2013 à 11:28

    Hi, why not AES encryption is used?

  8. Valentin
    18 août 2013 à 11:53

    Well, that what wasn’t needed, I think. Feel free to add it, the code now allows new backend persistence handlers.

  9. mhogo mchungu
    18 août 2013 à 13:33

    will look into your new functionality to see if i can get anything from it.

    i am developing a kwallet like functionality for people who want to store credentials but do not want to tie themselves to KDE through kwallet or gnome through gnome-keyring and the project page is at:

  10. Valentin
    18 août 2013 à 14:05

    well, this is free software, so feel free to use or modify it as you like. however, it uses KDE libraries – qgpgme and gpgme++.

  11. Fri13
    19 août 2013 à 09:26

    Does this allow user to generate the PGP keys so it is easier to take PGP encryption use in email/file/etc encryption?

  12. Fri13
    19 août 2013 à 09:33

    « Well, I’d like the possibility to close KWallet during the KDE session as my computer is quite a public one and used by multiple people. »

    Why not use different accounts? You leave and you just lock out the session and others can open a shared account.

  13. Valentin
    19 août 2013 à 10:10

    user must setup gpg prior to activating kwallet gpg backend.

  14. Matija „hook“ Šuklje
    26 août 2013 à 15:23

    Woooooot, FSFE’s Fellowship card to unlock KWallet — that’s the awesomest piece of news I heard all day!

    You rock! \o/

  15. Valentin
    4 septembre 2013 à 22:56

    OK, the code now landed in kde-runtime master branch. You’ll have no excuse for not testing it :)

Laisser un commentaire

Connexion OpenID

Connexion Standard