I tried and tried and tried so many times to make this work.
It works with regular login but not LUKS; in that case it still asks for the password on login.
One weird thing is that, for some reason, I do not have the “pam_systemd_loadkey.so” file on my computer.
I attempted many solutions, and I am honestly starting to get mad.
This is my full report on all the things I tried:
PAM config to unlock KWallet on login
To automatically unlock KWallet on login, you need to edit the PAM configuration file for your login manager. The password for your user account and KWallet must match for this to work.
The changes are safe as the optional flag in both PAM entries means that even if KWallet fails for any reason, it won’t block your login.
Requirements, cf. wiki.archlinux.org/title/KDE_Wallet:
- The wallet must be named kdewallet (default name) and must use the standard blowfish encryption. It does not unlock any other wallet(s).
- kwallet-pam is not compatible with GnuPG keys, the KDE Wallet must use the standard blowfish encryption.
- When using autologin, the wallet can only be unlocked if the autologin method saves the password. pam_autologin does, for example.
- It may be needed to remove the default created wallet first, thus removing all stored entries.
- The wallet cannot be unlocked when using a fingerprint reader to login
- If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (Wi-Fi-passphrase unlock, etc.).
Ensure libpam-systemd is installed
# Install the module
sudo apt install systemd signon-kwallet-extension
sudo apt install --reinstall libpam-systemd
echo "> ✅ Installed systemd libpam-systemd signon-kwallet-extension"
echo "Systemd version: $(systemd --version)"
echo "SystemCTL info: $(systemctl --version)"
Add read-write permissions for group sudo
files=(
/etc/pam.d/sddm
/etc/pam.d/sddm-autologin
/etc/pam.d/login
/etc/pam.d/system-login
/etc/pam.d/common-auth
/etc/pam.d/common-session
/etc/pam.d/cryptsetup
/etc/crypttab
/lib/cryptsetup/scripts/kwallet_pass
/etc/initramfs-tools/modules
/etc/systemd/system/sddm.service.d/override.conf
)
for file in "${files[@]}"; do
    if [[ -f "$file" ]]; then
        # Quote the path so it is passed as a single argument
        sudo chown :sudo "$file"
        sudo chmod g+rw "$file"
        echo "Added read-write permissions for group sudo to '$file'"
    else
        echo "File does not exist: '$file'"
    fi
done
Enable saving the root password and user password in the systemd keyring:
Enable systemd keyring integration before KWallet authentication
The - means that if pam_systemd_loadkey.so fails for any reason, PAM will continue processing the rest of the authentication stack without treating it as a fatal error.
This is different from the optional keyword which specifies that the module is not required for authentication success. The combination of - and optional makes this module extremely forgiving - it won’t fail the stack if the module itself fails, and it’s not required for successful authentication.
- Check if you have either pam_systemd_loadkey.so or pam_gdm.so installed:
# Check for pam_systemd_loadkey.so
# The braces apply 2>/dev/null to every ls, not only the last one
if file=$( { ls /lib/security/pam_systemd_loadkey.so || ls /lib/x86_64-linux-gnu/security/pam_systemd_loadkey.so || ls /usr/lib/security/pam_systemd_loadkey.so || ls /usr/lib/x86_64-linux-gnu/security/pam_systemd_loadkey.so; } 2>/dev/null ); then
    echo "> ✅ Found pam_systemd_loadkey.so at: $file"
else
    echo "> ❌ pam_systemd_loadkey.so not found"
fi
# Check for pam_gdm.so
if file=$( { ls /lib/security/pam_gdm.so || ls /lib/x86_64-linux-gnu/security/pam_gdm.so || ls /usr/lib/security/pam_gdm.so || ls /usr/lib/x86_64-linux-gnu/security/pam_gdm.so; } 2>/dev/null ); then
    echo "> ✅ Found pam_gdm.so at: $file"
else
    echo "> ❌ pam_gdm.so not found"
fi
# Check for pam_systemd_loadkey.so anywhere
sudo find / -name "pam_systemd_loadkey.so" 2>/dev/null
NB: I only have pam_gdm.so, pam_systemd_loadkey.so was not found
- Add these lines at the end of the /etc/pam.d/common-auth file:
file:///etc/pam.d/common-auth
# > PAM config to unlock KWallet on login
# Worked for github.com/sddm/sddm/issues/930#issuecomment-2283124126
# -auth optional pam_systemd_loadkey.so
-auth optional pam_gdm.so
auth optional pam_kwallet5.so
- Add this line at the end of the /etc/pam.d/common-session file:
file:///etc/pam.d/common-session
# > PAM config to unlock KWallet on login
session optional pam_kwallet5.so auto_start force_run
Add the pam_kwallet5 module to the initramfs modules list to make it available at boot time:
NB: Not sure if this is needed
file:///etc/initramfs-tools/modules
# Check plasma version: is 5.27.10
plasmashell --version
# Check for pam_kwallet.so => Not needed for plasma 5
# if file=$(ls /lib/security/pam_kwallet.so || ls /lib/x86_64-linux-gnu/security/pam_kwallet.so || ls /usr/lib/security/pam_kwallet.so || ls /usr/lib/x86_64-linux-gnu/security/pam_kwallet.so 2>/dev/null); then
# echo "Found pam_kwallet.so at: $file"
# else
# echo "pam_kwallet.so not found"
# ✅ > pam_kwallet.so not found
# fi
# Check for pam_kwallet5.so
# The braces apply 2>/dev/null to every ls, not only the last one
if file=$( { ls /lib/security/pam_kwallet5.so || ls /lib/x86_64-linux-gnu/security/pam_kwallet5.so || ls /usr/lib/security/pam_kwallet5.so || ls /usr/lib/x86_64-linux-gnu/security/pam_kwallet5.so; } 2>/dev/null ); then
    echo "Found pam_kwallet5.so at: $file"
else
    echo "pam_kwallet5.so not found"
fi
# Check for pam_gdm.so
if file=$( { ls /lib/security/pam_gdm.so || ls /lib/x86_64-linux-gnu/security/pam_gdm.so || ls /usr/lib/security/pam_gdm.so || ls /usr/lib/x86_64-linux-gnu/security/pam_gdm.so; } 2>/dev/null ); then
    echo "Found pam_gdm.so at: $file"
else
    echo "pam_gdm.so not found"
fi
pam_kwallet5
pam_gdm
Then update your initramfs:
sudo update-initramfs -u
Add proper cryptsetup PAM configuration
file:///etc/pam.d/cryptsetup
sudo tee /etc/pam.d/cryptsetup << 'EOF'
# > PAM config to unlock KWallet on login
auth optional pam_kwallet5.so
session optional pam_kwallet5.so auto_start force_run
EOF
Allow SDDM to inherit the system keyring, which is necessary for proper key handling
This should enable autologin to KWallet with LUKS 2 passphrase on login.
Cf. github.com/sddm/sddm/issues/930
And www.freedesktop.org/software/systemd/man/latest/pam_systemd_loadkey.html
file:///etc/systemd/system/sddm.service.d/override.conf
Modify the SDDM service configuration:
# Create override directory if it doesn't exist
sudo mkdir -p /etc/systemd/system/sddm.service.d/
# Create override file
sudo tee /etc/systemd/system/sddm.service.d/override.conf << 'EOF'
[Service]
KeyringMode=inherit
EOF
# Reload systemd daemon
sudo systemctl daemon-reload
# Restart SDDM
sudo systemctl restart sddm
# ✅ Can check if it worked by running:
systemctl show sddm.service | grep KeyringMode
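
Added example, not part of the original post: the post's separate `ls` checks folded into one audit that reads a PAM file and reports, per entry, whether the referenced module exists in the directories the post searches. Per pam.conf(5), a leading `-` on the type only suppresses the syslog message when the module cannot be loaded because it is missing, so a `-auth` line naming an absent `pam_systemd_loadkey.so` is skipped without any visible error. `PAM_MODULE_DIRS`, the function names and the fixture are assumptions of this example.

```shell
# Added example: report whether each module a PAM file references can be found.
# Default search path = the four directories checked in the post (override to test).
PAM_MODULE_DIRS=${PAM_MODULE_DIRS:-"/lib/security /lib/x86_64-linux-gnu/security /usr/lib/security /usr/lib/x86_64-linux-gnu/security"}

find_pam_module() {   # $1 = module file name; prints its path, returns 1 if absent
    for dir in $PAM_MODULE_DIRS; do
        if [ -e "$dir/$1" ]; then printf '%s\n' "$dir/$1"; return 0; fi
    done
    return 1
}

audit_pam_file() {    # $1 = PAM file; prints status<TAB>type<TAB>module[<TAB>path]
    file=$1
    set -f            # no globbing while lines are split into words
    while IFS= read -r line; do
        set -- $line
        [ $# -ge 3 ] || continue
        case $1 in
            -auth|-account|-password|-session) quiet=yes ;;
            auth|account|password|session)     quiet=no ;;
            *) continue ;;                      # comments, @include, anything else
        esac
        kind=${1#-}; shift
        # A bracketed control such as [success=1 default=ignore] spans several words.
        case $1 in \[*) while [ $# -gt 1 ] && [ "${1%]}" = "$1" ]; do shift; done ;; esac
        shift                                   # drop the control field (or its last word)
        [ $# -ge 1 ] || continue
        if path=$(find_pam_module "$1"); then
            printf 'ok\t%s\t%s\t%s\n' "$kind" "$1" "$path"
        elif [ "$quiet" = yes ]; then           # "-" prefix: skipped without a log entry
            printf 'missing-silent\t%s\t%s\n' "$kind" "$1"
        else
            printf 'missing\t%s\t%s\n' "$kind" "$1"
        fi
    done < "$file"
    set +f
}

audit_pam_demo() {    # constructed fixture: module dir without pam_systemd_loadkey.so
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security"
    for m in pam_unix.so pam_gdm.so pam_kwallet5.so; do : > "$tmp/security/$m"; done
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok' \
        '-auth optional pam_systemd_loadkey.so' '-auth optional pam_gdm.so' \
        'auth optional pam_kwallet5.so' > "$tmp/common-auth"
    ( PAM_MODULE_DIRS="$tmp/security"; audit_pam_file "$tmp/common-auth" )
    rm -rf "$tmp"
}

audit_pam_demo        # on a real system: audit_pam_file /etc/pam.d/common-auth
```

A `missing-silent` row marks an entry that libpam will pass over without logging, so it is the first thing to look for when a stack appears to do nothing.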