Blocked for months trying to set up KWallet autologin from LUKS password

I tried and tried and tried so many times to make this work.

It works with regular login but not with LUKS; in that case it still asks for the password on login.

One weird thing is for some reason I do not have the “pam_systemd_loadkey.so” file on my computer

Attempted many solutions, I am honestly starting to get mad

This is my full report on all the things I tried:

PAM config to unlock KWallet on login

To automatically unlock KWallet on login, you need to edit the PAM configuration file for your login manager. The password for your user account and KWallet must match for this to work.

The changes are safe as the optional flag in both PAM entries means that even if KWallet fails for any reason, it won’t block your login.

Requirements, cf. wiki.archlinux.org/title/KDE_Wallet:

  • ✅ The wallet must be named kdewallet (default name) and must use the standard blowfish encryption. It does not unlock any other wallet(s).
    • kwallet-pam is not compatible with GnuPG keys, the KDE Wallet must use the standard blowfish encryption.
    • When using autologin, the wallet can only be unlocked if the autologin method saves the password. pam_autologin does, for example.
    • It may be needed to remove the default created wallet first, thus removing all stored entries.
  • ✅ The wallet cannot be unlocked when using a fingerprint reader to login
  • ✅ If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (Wi-Fi-passphrase unlock, etc.).

✅ Ensure libpam-systemd is installed

# Install the module
sudo apt install systemd signon-kwallet-extension
sudo apt install --reinstall libpam-systemd
echo "> ✅ Installed systemd libpam-systemd signon-kwallet-extension"
# The systemd binary is normally not on PATH; systemctl reports the same version
echo "Systemd version: $(systemctl --version | head -n 1)"
echo "SystemCTL info: $(systemctl --version)"

✅ Add read-write permissions for group sudo

files=(
    /etc/pam.d/sddm
    /etc/pam.d/sddm-autologin
    /etc/pam.d/login
    /etc/pam.d/system-login
    /etc/pam.d/common-auth
    /etc/pam.d/common-session
    /etc/pam.d/cryptsetup
    /etc/crypttab
    /lib/cryptsetup/scripts/kwallet_pass
    /etc/initramfs-tools/modules
    /etc/systemd/system/sddm.service.d/override.conf
)

# Give group sudo read-write access to each file that exists
for file in "${files[@]}"; do
    if [[ -f "$file" ]]; then
        sudo chown :sudo "$file"
        sudo chmod g+rw "$file"
        echo "Added read-write permissions for group sudo to '$file'"
    else
        echo "File does not exist: '$file'"
    fi
done

✅ Enable saving the root password and user password in the systemd keyring:

Enable systemd keyring integration before KWallet authentication

The - means that if pam_systemd_loadkey.so fails for any reason, PAM will continue processing the rest of the authentication stack without treating it as a fatal error.

This is different from the optional keyword which specifies that the module is not required for authentication success. The combination of - and optional makes this module extremely forgiving - it won’t fail the stack if the module itself fails, and it’s not required for successful authentication.

  1. Check if you have either pam_systemd_loadkey.so or pam_gdm.so installed:

# Check for pam_systemd_loadkey.so (the braces silence stderr of every ls, not only the last)
if file=$({ ls /lib/security/pam_systemd_loadkey.so || ls /lib/x86_64-linux-gnu/security/pam_systemd_loadkey.so || ls /usr/lib/security/pam_systemd_loadkey.so || ls /usr/lib/x86_64-linux-gnu/security/pam_systemd_loadkey.so; } 2>/dev/null); then
    echo "> ✅ Found pam_systemd_loadkey.so at: $file"
else
    echo "> ❌ pam_systemd_loadkey.so not found"
fi

# Check for pam_gdm.so
if file=$({ ls /lib/security/pam_gdm.so || ls /lib/x86_64-linux-gnu/security/pam_gdm.so || ls /usr/lib/security/pam_gdm.so || ls /usr/lib/x86_64-linux-gnu/security/pam_gdm.so; } 2>/dev/null); then
    echo "> ✅ Found pam_gdm.so at: $file"
else
    echo "> ❌ pam_gdm.so not found"
fi

# Check for pam_systemd_loadkey.so anywhere
sudo find / -name "pam_systemd_loadkey.so" 2>/dev/null

NB: I only have pam_gdm.so, pam_systemd_loadkey.so was not found

  2. ✅ Add these lines at the end of the /etc/pam.d/common-auth file:

file:///etc/pam.d/common-auth

# > PAM config to unlock KWallet on login
# Worked for github.com/sddm/sddm/issues/930#issuecomment-2283124126
# -auth       optional     pam_systemd_loadkey.so
-auth       optional     pam_gdm.so
auth       optional     pam_kwallet5.so

  3. ✅ Add this line at the end of the /etc/pam.d/common-session file:

file:///etc/pam.d/common-session

# > PAM config to unlock KWallet on login
session    optional     pam_kwallet5.so auto_start force_run

✅ Add the pam_kwallet5 module to the initramfs modules list to make it available at boot time:

NB: Not sure if this is needed

file:///etc/initramfs-tools/modules

# Check plasma version: is 5.27.10
plasmashell --version

# Check for pam_kwallet.so => Not needed for plasma 5
# if file=$(ls /lib/security/pam_kwallet.so || ls /lib/x86_64-linux-gnu/security/pam_kwallet.so || ls /usr/lib/security/pam_kwallet.so || ls /usr/lib/x86_64-linux-gnu/security/pam_kwallet.so 2>/dev/null); then
#     echo "Found pam_kwallet.so at: $file"
# else
#     echo "pam_kwallet.so not found"
#     ✅ > pam_kwallet.so not found
# fi

# Check for pam_kwallet5.so (the braces silence stderr of every ls, not only the last)
if file=$({ ls /lib/security/pam_kwallet5.so || ls /lib/x86_64-linux-gnu/security/pam_kwallet5.so || ls /usr/lib/security/pam_kwallet5.so || ls /usr/lib/x86_64-linux-gnu/security/pam_kwallet5.so; } 2>/dev/null); then
    echo "Found pam_kwallet5.so at: $file"
else
    echo "pam_kwallet5.so not found"
fi

# Check for pam_gdm.so
if file=$({ ls /lib/security/pam_gdm.so || ls /lib/x86_64-linux-gnu/security/pam_gdm.so || ls /usr/lib/security/pam_gdm.so || ls /usr/lib/x86_64-linux-gnu/security/pam_gdm.so; } 2>/dev/null); then
    echo "Found pam_gdm.so at: $file"
else
    echo "pam_gdm.so not found"
fi

pam_kwallet5
pam_gdm

Then update your initramfs:

sudo update-initramfs -u

Add proper cryptsetup PAM configuration

file:///etc/pam.d/cryptsetup

sudo tee /etc/pam.d/cryptsetup << 'EOF'
# > PAM config to unlock KWallet on login
auth       optional     pam_kwallet5.so
session    optional     pam_kwallet5.so auto_start force_run
EOF

✅ Allow SDDM to inherit the system keyring, which is necessary for proper key handling

This should enable autologin to KWallet with LUKS 2 passphrase on login.

cf. github.com/sddm/sddm/issues/930

And www.freedesktop.org/software/systemd/man/latest/pam_systemd_loadkey.html

file:///etc/systemd/system/sddm.service.d/override.conf

Modify the SDDM service configuration:

# Create override directory if it doesn't exist
sudo mkdir -p /etc/systemd/system/sddm.service.d/
# Create override file
sudo tee /etc/systemd/system/sddm.service.d/override.conf << 'EOF'
[Service]
KeyringMode=inherit
EOF
# Reload systemd daemon
sudo systemctl daemon-reload
# Restart SDDM
sudo systemctl restart sddm

# ✅ Can check if it worked by running:
systemctl show sddm.service | grep KeyringMode

I believe I tried for 4 hours the first time, and every month I gather enough willpower to try again for 2-3 hours but still I haven’t figured this out…
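
Added example, not part of the original post or of any project's code: a small audit of a PAM file such as the common-auth shown above. It flags `-`-prefixed lines whose module file is absent (for those, libpam writes no log entry when the module cannot be loaded) and checks that a key-loading module precedes pam_kwallet5.so in the auth stack. Counting pam_gdm.so as a key-loading module follows the post's own substitution and is an assumption; the finding names, `MODULE_DIRS` and the sample lines are constructed for the example.

```bash
# Added example (not from the post): audit a PAM file for the KWallet-from-LUKS setup.
# MODULE_DIRS defaults to the four directories the post searches.
MODULE_DIRS="${MODULE_DIRS:-/lib/security /lib/x86_64-linux-gnu/security /usr/lib/security /usr/lib/x86_64-linux-gnu/security}"

module_installed() {    # true if module file $1 exists in one of MODULE_DIRS
    local dir
    for dir in $MODULE_DIRS; do
        [ -f "$dir/$1" ] && return 0
    done
    return 1
}

# audit_pam FILE prints one finding per relevant line:
#   SILENT-MISSING / MISSING: module file absent, with / without the "-" prefix
#   KWALLET-WITH-LOADER / KWALLET-NO-LOADER: whether an installed key-loading
#   module precedes pam_kwallet5.so in the auth stack
audit_pam() (
    file=$1 loader=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f        # split on whitespace, no globbing
        case "${1:-#}" in '#'*|'@'*) continue ;; esac
        [ $# -ge 3 ] || continue
        type=$1 control=$2; shift 2
        case $control in '['*)              # bracketed control can span words
            while [ $# -gt 1 ]; do
                case $control in *']') break ;; esac
                control="$control $1"; shift
            done ;;
        esac
        module=$1 silent=no                 # relative module name, as in the post
        case $type in -*) silent=yes type=${type#-} ;; esac
        if ! module_installed "$module"; then
            [ "$silent" = yes ] && echo "SILENT-MISSING $type $module" || echo "MISSING $type $module"
            continue
        fi
        [ "$type" = auth ] || continue
        case $module in
            pam_systemd_loadkey.so|pam_gdm.so) loader=1 ;;
            pam_kwallet5.so) [ "$loader" = 1 ] && echo KWALLET-WITH-LOADER || echo KWALLET-NO-LOADER ;;
        esac
    done < "$file"
)
demo() (   # constructed sample: stand-in module files, loadkey line uncommented
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT; MODULE_DIRS=$tmp
    touch "$tmp/pam_unix.so" "$tmp/pam_gdm.so" "$tmp/pam_kwallet5.so"
    printf '%s\n' '-auth optional pam_systemd_loadkey.so' 'auth [success=1 default=ignore] pam_unix.so nullok' \
        '-auth optional pam_gdm.so' 'auth optional pam_kwallet5.so' > "$tmp/common-auth"
    audit_pam "$tmp/common-auth"
)
demo
```

On a real system, run `audit_pam /etc/pam.d/common-auth` with the default `MODULE_DIRS`.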

  1. You don’t need PAM modules in initramfs. They are invoked by SDDM, much later in the boot process.
  2. Your initramfs must be systemd-based. That generally means you need systemd, sd-vconsole and sd-encrypt hooks in mkinitcpio, but I’m not sure how this is configured in your distro.