From the Arch Linux Chinese Wiki

KDE Wallet Manager is a tool for managing passwords on KDE Plasma. The KWallet subsystem provides access to, and management of, the passwords saved by KWallet-aware applications; you can also use it to store your own passwords.

A wallet (in KDE's terminology, sometimes called a vault or keyring) is an encrypted volume protected by a user-defined password in which the user and/or software can store secrets (often credentials, saved when the user ticked "Remember the account" in an application). Wallets can be created and used manually by the user, or created and used automatically in the background by software that integrates with the wallet subsystem (e.g. mail clients or games). Wallets are often decrypted automatically at user login by a PAM module (see below).

Tips:

  • If you only need to have a wallet available for applications using it, it is suggested to use the default name (i.e. kdewallet) and the same password as the user (for PAM).
  • Wallets are stored as encrypted files using the .kwl extension in the ~/.local/share/kwalletd directory by default.
Note: Since KDE Frameworks 5.97.0, KDE Wallet supports the org.freedesktop.secrets D-Bus API and can therefore be used by libsecret to store and retrieve passwords and other secrets through the Secret Service API.

Installation

KDE Wallet is often shipped with the KDE Plasma desktop environment. The wallet subsystem can be manually installed with the kwallet package.

Optionally install the kwalletmanager package for the wallet management tool. This tool can be used to graphically create and manage a KDE Wallet.

Configuration

Unlocking KWallet automatically on login

To unlock KDE Wallet automatically on login, install kwallet-pam for the PAM compatible module. The chosen KWallet password must be the same as the current user password.

Note:
  • kwallet-pam is not compatible with GnuPG keys, so the KDE Wallet must use Blowfish encryption.
  • The chosen KWallet password must be the same as the current user's password.
  • KWallet is not unlocked automatically when the account uses autologin.
  • The wallet to be unlocked automatically must be named kdewallet (the default name). A wallet with any other name will not be unlocked automatically.
  • If the desktop environment is KDE, it is recommended to disable the Close when last application stops using it option in the KDE Wallet settings, so that the wallet is not closed after every use (e.g. after retrieving a Wi-Fi password).
  • It may be necessary to delete the wallet that was created by default first, which means deleting all password entries already stored in it.
  • If the kwallet Migration Assistant asks for a password after every login, rename or delete the ~/.kde4/share/apps/kwallet folder.
Tip: An alternative is to use KWalletManager to set an empty KWallet password, which avoids having to enter a password to unlock the wallet: simply leave both fields empty in Change Password.... However, this does nothing to stop unauthorized access to the wallet, so it is strongly recommended to enable Prompt when an application accesses a wallet under Access Control.

Configuring PAM

The following lines must be present in the PAM configuration file of the display manager you use:

auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start

Edit the PAM configuration according to your setup:

  • For SDDM no changes are needed, because the lines are already present in /etc/pam.d/sddm.
  • For LightDM no further edits should be needed because the lines are already present in /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin.
  • For GDM, edit /etc/pam.d/gdm-password.
  • For greetd, edit /etc/pam.d/greetd accordingly.
  • For unlocking on TTY login (no display manager, or a text-mode greeter such as greetd with tuigreet), edit /etc/pam.d/login accordingly. The force_run parameter is required here, since the session is not graphical.
/etc/pam.d/login
auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start force_run
/etc/pam.d/greetd
#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_kwallet5.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_kwallet5.so auto_start force_run

Tips and tricks

Using KDE Wallet to store SSH key passphrases

Install the ksshaskpass package.

Set the SSH_ASKPASS environment variable to ksshaskpass and SSH_ASKPASS_REQUIRE to prefer (prefer to use the askpass program instead of the TTY). To set it automatically on each login, create the following environment.d(5) file:

~/.config/environment.d/ssh_askpass.conf
SSH_ASKPASS=/usr/bin/ksshaskpass
SSH_ASKPASS_REQUIRE=prefer

Restart your session (i.e. relogin) so that the environment variables take effect.

The first time you use an SSH key, you will be asked for its passphrase. Make sure to tick the Remember password checkbox. On subsequent uses the passphrase is read from KDE Wallet.

Using the KDE Wallet to store Git credentials

Git can delegate password prompting to an external askpass program (and, separately, credential storage to a credential helper). By using ksshaskpass as the askpass program, HTTP/HTTPS and SMTP passwords can be stored safely in the KDE Wallet instead of in a plain-text credential file.

Install the ksshaskpass package.

Configure Git by setting the GIT_ASKPASS environment variable:

~/.config/environment.d/git_askpass.conf
GIT_ASKPASS=/usr/bin/ksshaskpass
提示:If the SSH_ASKPASS environment variable is set to ksshaskpass, then additionally setting GIT_ASKPASS is not required.

See gitcredentials(7) for alternatives and more details.

Store GPG key passphrases

Native KDE windows can be used to prompt for GPG key passphrases and save them in KDE Wallet.

Configure gpg-agent to use /usr/bin/pinentry-qt.

Enable the Secret Service interface. There are two ways to do this:

  • Go to System Settings > KDE Wallet and enable Use KWallet for the Secret Service interface.
  • Edit the KDE Wallet configuration file:
~/.config/kwalletrc
[org.freedesktop.secrets]
apiEnabled=true

Close the wallet and reopen it for these changes to take effect. You can do this with kwalletmanager or by calling the wallet daemon over D-Bus directly:

$ qdbus org.kde.kwalletd6 /modules/kwalletd6 closeAllWallets
$ qdbus org.kde.kwalletd6 /modules/kwalletd6 open kdewallet 0 $0

KDE Wallet support for Chrome and Chromium

Chrome, Chromium and Opera have built-in wallet support. Start Chromium with the --password-store=kwallet or --password-store=detect flag to enable it. To make the flag persistent, see Chromium#Making flags persistent. (Setting CHROMIUM_USER_FLAGS has no effect.)

Query passwords from the terminal

Instead of storing passwords in plain text files, you can manually add new entries in your wallet and retrieve them with kwallet-query.

For example, if you want to log into the Docker Hub registry with Podman, which supports getting the passwords from stdin with the --password-stdin flag, you can use the following command to login:

$ kwallet-query -r folder_entry wallet_name -f folder_name | podman login docker.io -u dockerhub_username --password-stdin

This way, the password is never written to a text file and does not end up in the shell history, because it travels to podman over stdin rather than on the command line.

In order to run kwallet-query outside of a graphical session (for instance as part of an unattended backup script), set the QT_QPA_PLATFORM=offscreen environment variable:

$ QT_QPA_PLATFORM=offscreen kwallet-query -r folder_entry wallet_name -f folder_name
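The following wrapper, added here as an example (it is not from the ArchWiki page or from the KWallet project), turns the two commands above into reusable shell functions: it fetches one entry with kwallet-query (setting QT_QPA_PLATFORM=offscreen so it also works from scripts without a display), fails closed when the wallet is locked or the entry does not exist instead of feeding an empty password to the consumer, and hands the secret to an arbitrary command over stdin so it never appears in argv or in the shell history. The wallet name kdewallet, folder Passwords and entry docker.io in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: read a secret from KWallet with
# kwallet-query and pass it to a consumer on stdin.

# kwallet_secret WALLET FOLDER ENTRY
# Prints the value stored under ENTRY in FOLDER of WALLET, followed by a newline.
# Returns non-zero and prints nothing if kwallet-query fails or yields an empty
# value, e.g. because the wallet is closed or the entry does not exist.
kwallet_secret() {
    local wallet folder entry secret
    wallet=$1; folder=$2; entry=$3
    # QT_QPA_PLATFORM=offscreen lets kwallet-query run without a display
    # (cron jobs, backup scripts); a platform already set by the caller wins.
    secret=$(QT_QPA_PLATFORM="${QT_QPA_PLATFORM:-offscreen}" \
        kwallet-query -r "$entry" -f "$folder" "$wallet") || return 1
    [ -n "$secret" ] || return 1
    printf '%s\n' "$secret"
}

# kwallet_pipe WALLET FOLDER ENTRY -- COMMAND [ARGS...]
# Runs COMMAND with the secret on its stdin. The secret is fetched first, so a
# locked wallet or a missing entry aborts before COMMAND is ever started and
# the consumer can never see an empty password.
kwallet_pipe() {
    local wallet folder entry secret
    wallet=$1; folder=$2; entry=$3
    shift 3
    if [ "${1:-}" = "--" ]; then shift; fi
    if [ $# -eq 0 ]; then
        echo "kwallet_pipe: no command given" >&2
        return 2
    fi
    secret=$(kwallet_secret "$wallet" "$folder" "$entry") || {
        echo "kwallet_pipe: cannot read $folder/$entry from wallet $wallet (is it open?)" >&2
        return 1
    }
    printf '%s\n' "$secret" | "$@"
}

# Usage with assumed wallet/folder/entry names (podman reads the password from stdin):
#   kwallet_pipe kdewallet Passwords docker.io -- podman login docker.io -u alice --password-stdin
```

Because kwallet-query talks to the running kwalletd, the wallet must already be open (e.g. unlocked by pam_kwallet5 at login); with Prompt when an application accesses a wallet enabled under Access Control, the first call from a script will raise a confirmation dialog, which is the intended behaviour for an unattended job that you have not explicitly authorized.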

Unlocking KWallet automatically in a window manager

To unlock KWallet protected by the login password, it is necessary to start /usr/lib/pam_kwallet_init in the autostart portion of your window manager's configuration file in addition to configuring PAM.

Disabling KWallet

KWallet can be disabled permanently as follows:

~/.config/kwalletrc
[Wallet]
Enabled=false

Automatic D-Bus activation

Most applications reach the wallet through the org.freedesktop.secrets D-Bus name. KWallet does not ship a D-Bus service file for that name out of the box, so the daemon is not started on demand when an application requests it.

You can enable automatic activation by creating such a service file (the Secret Service interface must also be enabled, see above):

~/.local/share/dbus-1/services/org.freedesktop.secrets.service
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/kwalletd6

See also