Mounting on login with KDE Wallet

benedictjohannes edited this page Jan 3, 2022 · 2 revisions

To automatically mount an encrypted folder at user login, KDE users can use KDE Wallet to store gocryptfs passwords. There are several steps to achieve this.

Prerequisites

KDE Wallet and KDE Wallet Manager (GUI) are normally installed along with the KDE Desktop. To use KDE Wallet, the KDE Wallet subsystem should be enabled and the user should be logging in to the KDE desktop.

Unlock KDE Wallet automatically at login

The PAM module unlocks only the default wallet, kdewallet, at login, and the wallet password should be set identical to the user's login password. Note that only a login by password (which passes the wallet secret) can unlock the wallet; biometric login and autologin cannot.

To enable unlocking of KDE Wallet, these lines should be present in the relevant PAM settings:

auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start

The relevant file depends on the login manager used, such as:

  • /etc/pam.d/sddm for SDDM
  • /etc/pam.d/gdm-password for GDM
  • /etc/pam.d/lightdm for LightDM
  • /etc/pam.d/login (the session part should be set to pam_kwallet5.so auto_start force_run)

The files might differ between distributions; consult your distribution's documentation, such as KDE Wallet on the Arch Linux Wiki.
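A quick check that a PAM service file carries both lines, as an added example that is not part of the original wiki page: check_kwallet_pam is a hypothetical helper name and the sample file is constructed. The optional second argument names an extra session option to require, such as force_run for /etc/pam.d/login.

```shell
#!/bin/sh
# Added example, not from the gocryptfs wiki. check_kwallet_pam is a
# hypothetical helper: check_kwallet_pam FILE [EXTRA_SESSION_OPTION]
# Returns 0 only if FILE has an auth line and a session line for
# pam_kwallet5.so, the session line carrying auto_start (and the extra option).
check_kwallet_pam() {
    awk -v need="${2:-}" '
        { sub(/#.*/, "") }                  # strip comments; awk re-splits the fields
        NF < 3 { next }                     # not a "type control module" line
        {
            mod = 0
            for (i = 3; i <= NF; i++) {
                m = $i; sub(/.*\//, "", m)  # tolerate an absolute module path
                if (m == "pam_kwallet5.so") { mod = i; break }
            }
            if (!mod) next
            type = $1; sub(/^-/, "", type)  # "-auth" is still type auth
            if (type == "auth") auth = 1
            if (type == "session") {
                start = 0; extra = (need == "")
                for (i = mod + 1; i <= NF; i++) {
                    if ($i == "auto_start") start = 1
                    if ($i == need) extra = 1
                }
                if (start && extra) sess = 1
            }
        }
        END {
            want = "auto_start"; if (need != "") want = want " " need
            if (!auth) print "missing: auth ... pam_kwallet5.so"
            if (!sess) print "missing: session ... pam_kwallet5.so " want
            exit !(auth && sess)
        }
    ' "$1"
}

# Constructed sample in the style of /etc/pam.d/sddm (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth      include   system-login
-auth     optional  pam_kwallet5.so
session   include   system-login
# session optional pam_kwallet5.so auto_start
session   optional  pam_kwallet5.so
EOF
check_kwallet_pam "$sample" || echo "PAM file incomplete"
rm -f "$sample"
```

On the sample, the check reports the missing auto_start session line, because the only line carrying it is commented out.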

Storing the gocryptfs password

Store the password. This example uses the key gocryptfspass in the default folder Passwords:

  • Using KDE Wallet manager (kwalletmanager):
    • Expand the relevant folder (Passwords)
    • Under the folder, right click on Passwords and select New
    • Enter the label (gocryptfspass)
    • Click Show Contents and type your gocryptfs password
    • Click Save
  • Using CLI (a password typed on the command line may be saved in your shell history):
    echo "YOUR_PASSWORD_HERE" | kwallet-query -f Passwords -w gocryptfspass kdewallet

Now the stored password can be read back with:

kwallet-query -f Passwords -r gocryptfspass kdewallet

Mounting with password from KDE Wallet

The password can be used with the --extpass option:

gocryptfs --extpass="kwallet-query -f Passwords -r gocryptfspass kdewallet" /path/to/encrypted/folder /path/to/plain/folder

Mounting on login

To mount the folder automatically when logging in to KDE, create a desktop file in the autostart folder ~/.config/autostart (for example ~/.config/autostart/mount-gocryptfs.desktop) containing the previous command:

[Desktop Entry]
Exec=gocryptfs --extpass="kwallet-query -f Passwords -r gocryptfspass kdewallet" /path/to/encrypted/folder /path/to/plain/folder
Name=mountgocryptfs
Type=Application