Computer users have a very large amount of data to manage, some of which is sensitive. In particular, you will typically have many passwords to manage. Remembering them is difficult and writing them down on paper or in a text file is insecure.
KWallet provides a secure way to store passwords and other secret information, allowing the user to remember only a single password instead of numerous different passwords and credentials.
Wallet is a password storage. It is usually sufficient to have just one wallet secured by one master password but you can organize your large collection of passwords by wallets using KWallet Manager.
By default a wallet named kdewallet will be used to store your passwords. This wallet is secured by your login password and will automatically be opened at login, if kwallet_pam is installed and properly configured. On certain distros (e.g. Archlinux) kwallet_pam is not installed by default
Other wallets have to be opened manually.
There are two ways to create a new wallet:
Use the menu item → in the KWallet Manager
Use the button in the System Settings module KDE Wallet
If you have not created a wallet yet, see section Using KWallet.
KWallet offers two different ways to store your data:
- Blowfish encryption
KWallet saves this sensitive data for you in a strongly encrypted file, accessible by all applications, and protected with a master password that you define.
The data is encrypted with the Blowfish symmetric block cipher algorithm, the algorithm key is derived from the SHA-1 hash of the password, with a key length of 156 bits (20 bytes). The data into the wallet file is also hashed with SHA-1 and checked before the data is deciphered and accessible by the applications.
- GPG encryption
GnuPG offers some very strong encryption algorithms and uses passphrase protected long keys.
The screenshots above show the case where an encryption capable GPG key was not found on the system. Please use applications like KGpg or Kleopatra to create a key and try again.
If a GPG key was found you will get the next dialog where you can select a key to use for your new wallet.
KWallet will now use GPG when storing wallets and when opening them. The passphrase dialog only shows once. Even if the wallet is closed after initial open, subsequent opening will occur silently during the same session.
The same session can handle simultaneously both file formats. KWallet will transparently detect the file format and load the correct backend to handle it.
To use your sensitive data from your classic wallet with the new backend follow these steps:
Create a new GPG based wallet
Launch KWallet Manager using KRunner (Alt+F2) or other application launcher (menu) and select your old wallet. Then choose → to create an archive file with your sensitive data.
Select the new GPG based wallet then choose → and select the file you just saved.
Go to System Settings → and select the newly created GPG based wallet from the Select wallet to use as default combobox.
Alternatively use but in that case you have to select the
.kwlfile corresponding to your old wallet, located in the folder
qtpaths --paths GenericDataLocation.
KWallet supports multiple wallets, so for the most secure operation, you should use one wallet for local passwords, and another for network passwords and form data. You can configure this behavior in the KWallet System Settings module, however the default setting is to store everything in one wallet named kdewallet.
A wallet is by default closed, which means that you must supply a password to open it. Once the wallet is opened, the contents can be read by any user process, so this may be a security issue.