Who uses Blowfish for KWallet, as it's the default option?

I have used Linux for a few years and just now changed my KWallet store to GPG encrypted.

Why? Because there is no preinstalled GPG program, most people don't use it (apart from mail, and even that is very rare), and there is no keypair generated when creating the user account.

A simple:

gpg --quick-generate-key "$USER" rsa4096 &&\
echo "y" | gpg --sign-key "$USER"

would be enough at startup. I think for Plasma 6 this should be implemented, so that KWallet can use GPG by default, using a GPG keypair with the username and the keystore named “kdewallet” by default.

Would there be any problems with such an implementation? And where would this be implemented so that every distro will use it by default?

Also, do you know if there is a good option to convert a Blowfish wallet to GPG?

Weird, I created a GPG keypair but in kwalletmanager it doesn't show up.

I see that the certificate needs to have some trust level or be verified. I did that using another PGP key (which makes little sense as this one is unverified then, or locally generated?) and still the key is not showing up.

The “kleopatra” key I created for verifying etc. shows up as an option, but it uses a different password, thus it makes no sense for KWallet as it can't unlock the wallet.

The Arch Wiki entry explained the problems. That was the reason why I never switched.

It only works if:

  • Blowfish
  • named kdewallet
  • not with fingerprint etc.

I think fingerprint is fixed in Plasma 6? Not sure about the rest, but an encrypted password storage doesn't really seem important if it's always open and with LUKS or systemd-homed.

Edit: I also broke autounlock, even though the requirements were met, as Plasma for some reason now creates a wallet named “Default keychain” and created an empty one. Going to systemsettings and setting my old one as default fixed it again…

IMHO there’s not much value in further strengthening KWallet’s encryption. An attacker doesn’t need to decrypt the storage at all. It just adds itself to the “Auto Allow” list in ~/.config/kwalletrc and uses the API to read everything:

Until this is fixed, you may as well use a plaintext store.
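Added example (not code from any poster in this thread): a small audit script that reads the [Auto Allow] section of kwalletrc mentioned above and reports applications that are not on a baseline list, so an unexpected entry can be spotted and removed. The baseline names (Plasma 5 process names) and the sample kwalletrc are constructed assumptions; adjust the baseline to your own desktop.

```python
import configparser
import os
from pathlib import Path

# Baseline of applications expected to have prompt-free access (assumption:
# these are Plasma 5 component names; a Plasma 6 desktop will differ).
EXPECTED_APPS = frozenset({"kded5", "kwalletd5", "kwalletmanager5"})

# Constructed sample kwalletrc used for the offline demo, not a real user's file.
SAMPLE_KWALLETRC = """\
[Wallet]
Enabled=true
First Use=false

[Auto Allow]
kdewallet=kded5,kwalletd5,some-helper

[Auto Deny]
kdewallet=
"""


def parse_kwalletrc(text: str) -> configparser.ConfigParser:
    """Parse the INI-style kwalletrc, keeping key case (keys are wallet names)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def auto_allow_entries(text: str) -> dict[str, list[str]]:
    """Return {wallet: [apps]} that may open the wallet without a prompt."""
    cp = parse_kwalletrc(text)
    if not cp.has_section("Auto Allow"):
        return {}
    return {wallet: [app for app in apps.split(",") if app]
            for wallet, apps in cp.items("Auto Allow")}


def unexpected_auto_allow(text: str, expected=EXPECTED_APPS) -> dict[str, list[str]]:
    """Per wallet, the Auto Allow apps that are not on the expected baseline."""
    return {wallet: [app for app in apps if app not in expected]
            for wallet, apps in auto_allow_entries(text).items()
            if any(app not in expected for app in apps)}


if __name__ == "__main__":
    # Audit the real file when present, otherwise fall back to the sample.
    cfg_dir = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"))
    path = cfg_dir / "kwalletrc"
    text = path.read_text() if path.exists() else SAMPLE_KWALLETRC
    for wallet, apps in unexpected_auto_allow(text).items():
        print(f"wallet {wallet!r}: unexpected Auto Allow entries: {', '.join(apps)}")
```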

KWallet is one of the first things to get turned off.