Fact-checked by Grok 2 weeks ago

KWallet

KWallet is a secure credential storage framework developed by the project for the desktop environment, providing encrypted storage for passwords, keys, and other sensitive data across KDE applications and services. It functions as a centralized , allowing users to store secrets such as passphrases, SSH keys, credentials, and application-specific passwords in protected wallet files, typically located in ~/.local/share/kwalletd as .kwl files encrypted with algorithms like Blowfish. The framework consists of three main components: the core KWallet interface for password storage, the kwalletd daemon that exposes the KWallet API and proxies requests to providers, and ksecretd, which implements the standardized org.freedesktop.secrets API for broader compatibility with applications since KDE Frameworks 5.97.0. serves as the primary graphical tool for users to create, access, and manage these wallets, integrating seamlessly with to handle credential prompts and automate storage for integrated software like web browsers, email clients, and network tools. It supports features such as automatic unlocking upon login via integration (using the kwallet-pam module when the wallet password matches the user login password) and migration to third-party backends for enhanced flexibility. As an open-source solution written primarily in C++, KWallet emphasizes by keeping sensitive data off unencrypted disks and requiring user authentication for access, though it can be configured to disable certain components like ksecretd if needed. It acts as the KDE counterpart to but remains incompatible with it, focusing on the KDE ecosystem while adhering to the Freedesktop standard for interoperability where possible. Actively maintained by the with contributions from numerous developers, the latest stable release of KWalletManager as of November 2025 is version 25.08.3, ensuring ongoing support for modern versions and updates.

Overview and History

Introduction

KWallet is a free and open-source password management framework developed by the community for operating systems, with a primary focus on desktop environments. It provides a secure system for storing sensitive credentials, such as , usernames, and form data, organized into encrypted wallets that users protect with a single master . This design enables efficient management of multiple secrets while minimizing the need to remember individual for various applications. In KWallet, wallets function as secure containers for grouping related secrets, allowing users to create multiple wallets for better organization—for instance, separating local application passwords from network credentials. The default wallet, named "kdewallet," is specifically tailored for use by applications and can be automatically unlocked at login on supported distributions via the kwallet-pam integration. For encryption, KWallet employs the Blowfish algorithm with a 160-bit key and hashing by default, or GPG encryption using passphrase-protected keys for enhanced security when a GPG keypair is available. Applications access KWallet's stored data through its , which triggers an unlock if the relevant wallet is locked, ensuring controlled retrieval of credentials. As of November 2025, KWallet is fully integrated into 6.x as part of the , with ongoing development emphasizing a transition to the Freedesktop to serve as a and improve with other desktop environments.

Development and Releases

KWallet originated in as part of 's initiative to provide a centralized, secure storage system for passwords and sensitive data, aiming to standardize and replace scattered password handling across KDE applications. The project has been primarily maintained by the development team, with significant contributions from volunteers in the open-source community. Major releases aligned with KDE's broader version cycles, incorporating enhancements for security and integration. In the KDE 4 series, starting with the 2008 initial release, KWallet gained a GnuPG backend in version 4.12 (2013), enabling asymmetric encryption for stored credentials using user GPG keys. KDE Frameworks 5.97 in August 2022 introduced support for the standard Secret Service DBus API for better interoperability with desktop applications. Plasma 5.20 and later versions from 2020 onward enhanced Wayland compatibility, ensuring reliable operation in Wayland sessions through updated daemon handling and session management. With Plasma 6.0's release in February 2024, KWallet incorporated updates from KDE Gear 24.02, focusing on modern Qt6 support; this was followed by bug fixes in Plasma 6.2.5, released on December 31, 2024. In 2025, developers initiated discussions on migrating from KWallet to the cross-desktop standard, as outlined in an April blog post by Marco Martin, including the development of compatibility client applications; however, no full deprecation of KWallet has occurred as of November 2025. KWallet is licensed under the GNU General Public License version 2 or later, with its source code hosted in the Git repository at invent.kde.org/frameworks/kwallet.

Features and Integration

Core Functionality

KWallet organizes secrets into logical groupings called wallets, where each wallet serves a specific purpose, such as the default "kdewallet" for storing desktop settings and general application credentials, or dedicated wallets like "" for browser-related data. These wallets support various entry types, including simple text-based passwords, key-value maps for structured data, and blobs for application-specific content, enabling flexible storage of diverse secrets. Applications access and manage these secrets through the KWallet API, which communicates with the kwalletd daemon service to handle storage and retrieval requests securely over D-Bus. For user convenience, the kwallet-pam module integrates with the Pluggable Authentication Modules (PAM) system during login, automatically unlocking the default wallet if its password matches the user's login credentials, thus enabling seamless access without additional prompts after authentication. This PAM-based autounlock extends to cross-application usage, allowing diverse KDE components and third-party apps to query shared secrets, such as network credentials or authentication tokens, without redundant password entry. Core features enhance usability within the ecosystem, including auto-fill functionality for web forms and login credentials in applications like , which retrieves stored data to populate fields automatically. Wallets support export and import operations in the encrypted via KWalletManager, facilitating secure transfer or recovery of secrets between systems. Additionally, kwalletmanager5 provides backup capabilities by allowing users to generate encrypted archives of entire wallets or specific entries, ensuring data preservation against loss. Integration with Plasma desktop components is native and extensive, exemplified by NetworkManager's use of KWallet to persistently store WiFi passwords and connection secrets, enabling automatic reconnection to known networks. Similarly, KMail leverages KWallet for managing email account passwords and related form data, streamlining authentication for mail transport protocols like POP3 or IMAP. During the KDE Plasma 6 series, particularly from version 6.3 (February 2025) onward, KWallet includes an enhanced compatibility mode for the Freedesktop.org Secret Service API, which can proxy requests to alternative providers like GNOME Keyring, permitting hybrid usage and gradual transitions without full data migration.

Browser and Application Integration

KWallet provides integration with various web browsers to securely store and retrieve passwords, leveraging its DBus-based interface for password management. Chromium-based browsers such as , , and support KWallet through command-line flags that specify it as the password store backend. Users can launch these browsers with the --password-store=kwallet5 or --password-store=kwallet6 flag (the latter for 6 environments) to enable direct access to KWallet for form data and credentials, or use --password-store=detect for automatic detection of available backends. These flags ensure that passwords saved in the browser are encrypted and stored within KWallet's secure containers, with persistent configuration achievable by adding them to the browser's desktop file or shortcut properties. KDE's native browsers, and , offer seamless integration with KWallet without additional setup, as they are built on and KDE Frameworks. includes a built-in that can store credentials directly in KWallet's encrypted databases, supporting both encrypted and non-encrypted backends for flexibility. Similarly, utilizes KWallet for handling web form passwords and , providing native prompts for unlocking the wallet when needed. For Mozilla , official extension support ended after version 57 in 2017 due to changes in the browser's extension , but legacy extensions like the KDE Wallet Password Integration addon remain available for older profiles or via manual installation. Advanced users can achieve integration post-v57 through manual bridging, where Firefox's password storage is scripted to interact with KWallet's via custom tools or environment configurations, though this requires technical setup and is not officially supported. Beyond browsers, KWallet integrates with third-party applications through the DBus interface, a standard introduced in KDE Frameworks 5.97 for cross-desktop compatibility. This allows non-KDE applications, such as software running on , to access KWallet as a keyring provider via the org.freedesktop.secrets service, enabled by creating a DBus service file at ~/.local/share/dbus-1/services/org.freedesktop.secrets.service pointing to kwalletd6. A in KWallet facilitates this bridging, ensuring that applications expecting functionality can store and retrieve secrets without modification. Setup for broader application integration involves environment variables and PAM modules for automation. For custom or command-line applications, variables like SSH_ASKPASS=/usr/bin/ksshaskpass and GIT_ASKPASS=/usr/bin/ksshaskpass direct tools such as SSH and Git to use KWallet-compatible prompts for passphrase entry. Autounlocking on login in the SDDM display manager is configured via the kwallet-pam package (using pam_kwallet6.so in Plasma 6), adding lines like auth optional pam_kwallet6.so and session optional pam_kwallet6.so auto_start to PAM configuration files such as /etc/pam.d/sddm. The KDEWALLET_INTERFACE environment variable can further customize the DBus interface for specific applications, allowing selection between legacy KWallet and Secret Service modes. As of (October 2025), the transition to the continues, with tools like a dedicated client application enhancing support for multiple providers. This evolution maintains backward compatibility while promoting standardized secret management across desktops.

Installation and Setup

System Requirements and Installation

KWallet requires a kernel-based operating system, with full compatibility ensured on distributions supporting the desktop environment version 5.0 or later; for optimal performance in 2025, 6.x is recommended. Key dependencies include Qt 5 or Qt 6, 5 or 6, and optionally GnuPG for GPG-based encryption mode, which enhances integration with tools like KGPG. These prerequisites ensure seamless operation within the ecosystem, handling password storage via the Frameworks wallet subsystem. Installation is straightforward using native package managers on major distributions. On Debian-based systems like , users can install via sudo apt install kwalletmanager, which pulls in the necessary kwallet libraries and manager tools. For and derivatives, the command sudo pacman -S kwallet provides the core subsystem, with kwalletmanager available optionally for graphical management. is pre-integrated in KDE-focused spins such as and KDE, requiring no additional steps beyond the base desktop installation. For containerized deployment, KWalletManager is available as a package through Flathub with the identifier org.kde.kwalletmanager5, installable via flatpak install flathub org.kde.kwalletmanager5. This method works across distributions, including non-KDE environments like , where manual enablement can be achieved by ensuring the kwallet service is active for secret service compatibility. Advanced users may build from source using , cloning the repository from KDE's at https://invent.kde.org/frameworks/kwallet and following standard KDE build instructions with dependencies like extra-cmake-modules. Post-installation, KWallet creates a default wallet automatically upon first use by KDE applications, prompting for a master password. In KDE 6 environments as of 2025, enabling automatic unlocking on login necessitates the kwallet-pam module, configured via for integration with display managers like SDDM. Further configuration, such as wallet creation details, is handled separately after installation.

Initial Configuration

Upon first login to a session after installing , the system prompts the user to create the default wallet named "kdewallet" when an application requests access to stored credentials. This initial setup requires setting a master password to encrypt the wallet, with options to use classic Blowfish encryption (the default for compatibility) or GPG encryption for enhanced protection via a user-generated keypair. Basic preferences for KWallet are configured through > KDE Wallet, where users can enable automatic unlocking tied to the login password (requiring integration), set a timeout for automatic locking after inactivity, and activate the API to support non-KDE applications. The support, available since KDE Frameworks 5.97, allows broader compatibility by exposing KWallet as a standards-compliant keyring. As of April 2025, KWallet underwent architectural changes in KDE Plasma 6: the services were split, with the old KWallet service now acting as a pure Secret Service provider using the legacy backend, and a new compatibility wrapper translating calls from the traditional KWallet API to the Secret Service API. This facilitates a gradual transition for applications to the cross-desktop Secret Service standard via libraries like QtKeychain. For users wishing to migrate to a third-party Secret Service provider (e.g., KeepassXC), an experimental option is available by setting [Migration] MigrateTo3rdParty=true and [KSecretD] Enabled=false in kwalletrc, provided a compatible DBus-activatable provider is configured. Existing secrets remain accessible without immediate changes. For seamless synchronization with user , PAM integration is achieved by installing the kwallet-pam package and editing configuration files such as /etc/pam.d/sddm or /etc/pam.d/ to include the pam_kwallet5.so , ensuring the KWallet matches the user . Migration tools in KWalletManager facilitate importing from older KWallet versions (e.g., KDE4) via a built-in assistant that copies data from ~/.kde/share/apps/kwalletd to the modern location at ~/.local/share/kwalletd. For , direct import is not natively supported, but users can manually export secrets from applications and re-enter them into KWallet, or use KWalletManager's export function to back up data as a file for portability.

User Interface and Management

Graphical Interface

The KWalletManager application serves as the primary graphical user interface (GUI) for interacting with KWallet, allowing users to visually manage encrypted password storage on KDE Plasma systems. Built using the framework, it presents a multi-pane window that facilitates intuitive navigation and operations on wallet contents. The interface opens to a main view displaying available wallets in a left-hand list, where each wallet's status—such as locked or unlocked—is indicated by visual icons, including a symbol for locked states. Selecting a wallet expands its structure in the central area, revealing folders and entries without immediately exposing sensitive data. Core components include a list view for selecting and switching between multiple wallets, an entry that displays secrets organized by folders or applications, and a dedicated search bar for filtering contents by keywords, folder names, or associated applications. The contents tab features a tree-like structure for browsing folders—such as default ones for passwords and form data—alongside a details pane that hides values by default; users can toggle visibility using the "Show Values" button to reveal or obscure entries securely. The applications tab lists connected programs, enabling users to monitor and control access permissions. These elements support drag-and-drop functionality for moving folders and entries between wallets, enhancing workflow efficiency. Common operations are accessible via buttons and context menus, including unlock and lock actions that prompt for the master password to access or secure a , as well as add, edit, and delete functions for creating new entries (such as key-value pairs or passwords) or removing existing ones. Users can change the master password through the 's properties dialog, which also allows setting access rules for specific applications. For advanced management like backups, the provides and functions to handle encrypted wallet files. As a Qt-based application, KWalletManager supports high-DPI displays through Qt's scaling capabilities and operates seamlessly under compositors in Plasma, ensuring crisp rendering on modern hardware without additional configuration. It includes keyboard shortcuts for key actions, such as Ctrl+N for new entries and Ctrl+O for opening wallets, aligning with standard Qt conventions to aid for keyboard-only navigation. The latest version, 25.08.3, was released on November 6, 2025.

Wallet Management Tools

KWallet provides several administrative tools for creating, deleting, and managing , primarily through the graphical KWallet Manager (kwalletmanager5) and command-line utilities. To create a new , users launch kwalletmanager5 and select the option to create a , specifying a name and settings, while deletion is performed by selecting an existing and choosing the delete action, which permanently removes the file after confirmation. Permissions for application are configured within kwalletmanager5 under the 's Applications tab, where users can authorize specific applications to read or write to the without repeated prompts, enhancing over sensitive . Backup and restore operations rely on the encrypted .kwl files stored in ~/.local/share/kwalletd by default. Users a by unlocking it in kwalletmanager5 and saving a copy of the .kwl file, which remains encrypted and portable for secure transfer. Restoration involves using the File > menu in kwalletmanager5 to load the .kwl file, entering the to merge or replace contents, while for bulk scenarios, community scripts like kwallet-dump can extract entries from older .kwl files for scripted into new . Monitoring wallet activity and integrity is facilitated through system logs and query tools. Logs for the kwalletd daemon, which handles wallet operations in the background, can be viewed using journalctl -u kwalletd to track errors, access attempts, or service events. For non-graphical querying, the kwallet-query command-line tool allows inspection of wallet entries without launching the , such as listing contents in a specific folder with options like kwallet-query -f FolderName -l kdewallet. Support for multiple wallets enables compartmentalization, such as designating separate wallets for work and personal use, with applications assigned to specific ones via access policies in kwalletmanager5 to prevent cross-contamination of secrets. Best practices include regularly reviewing authorized applications and using distinct master passwords for each wallet to minimize risk. As part of ongoing efforts in 2025 to integrate KWallet as a Secret Service provider, experimental support for dynamic wallet switching through the interface is in development, potentially allowing applications to request access to specific collections (wallets) on-the-fly.

Security and Encryption

Encryption Mechanisms

KWallet employs two primary encryption modes to secure stored credentials: a symmetric Blowfish-based approach and an asymmetric GPG-based method, allowing users to select the preferred mechanism during wallet creation or configuration. In the Blowfish mode, data is protected using the Blowfish symmetric in mode, with a key of up to 448 bits (56 bytes) derived from the master password. The key derivation process functions as a password-based (PBKDF) utilizing iterated hashing without salt, where the password is divided into 16-character blocks, each hashed 2000 times with , and the results concatenated and truncated to 56 bytes for the Blowfish key. This can be expressed as: \text{DerivedKey} = \text{PBKDF}(\text{MasterPassword}, \text{Iterations}=2000, \text{Hash}=\text{SHA-1}, \text{KeyLength}=448 \text{ bits}) Data integrity is ensured via SHA-1 authentication prior to decryption. A 2013 security analysis highlighted vulnerabilities in this setup, including the lack of salt, reliance on the deprecated SHA-1, and potential effective ECB behavior due to implementation quirks in CBC usage, though subsequent KDE versions have addressed some implementation issues. As of 2025, the key derivation function has not been updated to include salt or modern hashing, preserving vulnerabilities to precomputed attacks. The GPG mode leverages asymmetric encryption through the GNU Privacy Guard (GnuPG) framework, requiring the gpgme library for integration and a user-generated keypair for enhanced protection. This approach uses strong, passphrase-protected GPG keys to encrypt wallet contents, providing superior security compared to Blowfish by employing modern algorithms like or for and for bulk encryption, as configured in the user's GPG setup. Wallets in both modes are stored as encrypted (typically with .kwl extension) in the ~/.local/share/kwalletd/, where each represents an encrypted blob containing serialized data via Qt's QDataStream ; the header includes such as the wallet's creation date and for . Users can switch between modes via the KWalletManager preferences, with GPG recommended in 2025 due to identified weaknesses in Blowfish, including its smaller effective key strength against brute-force attacks and the deprecation of in key derivation.

Security Architecture

KWallet's security architecture emphasizes confinement to the user session and layered protections to safeguard stored credentials against unauthorized access. The system daemon, kwalletd5, operates exclusively within the session bus of the logged-in user, ensuring that wallet operations are isolated from system-wide processes or other user sessions. This inherently blocks access to wallets, as the daemon lacks privileges to interact beyond the originating user's context. Access controls are further reinforced through application-specific policies managed via the KWalletManager tool, which presents a of requesting applications and allows users to approve or deny access on a per-app basis. When an application seeks wallet access, KWallet prompts the user for confirmation unless a prior policy grants permission, thereby preventing unauthorized retrieval of secrets even from trusted software running in the same session. These policies apply wallet-wide, granting approved applications read access to all contained entries without finer-grained controls. Key management in KWallet prioritizes and session-bound handling, with the master password retained solely in during an active unlocked state to minimize exposure risks. The includes an auto-lock mechanism that re-secures the wallet after configurable periods of inactivity or when no applications are actively using it, forcing re-authentication for subsequent access. This approach aligns with broader security principles by reducing the window of vulnerability during idle periods. Audit capabilities provide visibility into potential threats, as KWallet logs access attempts and alerts users to repeated failures, indicating possible malicious activity or misconfiguration. Integration with enhances session management through the kwallet-pam module, which ties wallet unlocking to the authentication process during login, ensuring synchronization with the system's user session lifecycle. Hardware-backed security remains an evolving aspect, with experimental support for Trusted Platform Modules (TPM) and secure elements discussed in developer forums since to enable protected key storage and passwordless unlocking. KWallet also incorporates GPG integration for advanced cryptographic operations, enabling wallets to be encrypted using user-generated GPG keypairs instead of solely symmetric methods, which supports public-key workflows while maintaining compatibility with the core architecture.

Vulnerabilities and Best Practices

Known Security Issues

KWallet has faced several documented security vulnerabilities over its history, primarily related to encryption weaknesses and local privilege escalation risks. In versions prior to KDE Applications 14.12.0, kwalletd employed the Blowfish cipher in ECB mode for encrypting the password store, which facilitated codebook attacks by attackers attempting to guess contents through pattern analysis in ciphertext blocks. This issue was mitigated in KDE Applications 14.12.0 by switching to CBC mode, enhancing resistance to such attacks. Pre-2018 implementations of KWallet relied on SHA-1 for key derivation from user passwords, splitting the password into 16-character blocks and applying 2000 times per block without salting, resulting in a weak 56-bit effective strength for Blowfish encryption and potential vulnerability to brute-force or collision attacks. These weaknesses exposed authentication bypass risks in older versions, particularly when combined with the lack of and short lengths. As of November 2025, KWallet continues to use for derivation, and users are advised to employ strong master to mitigate associated risks. A significant local affected kwallet-pam in KWallet versions before 5.12.6, where a symlink attack allowed unprivileged users to gain ownership of arbitrary files during integration, potentially enabling unauthorized access to sensitive data. This was resolved in version 5.12.6 through improved file handling and permission checks. In kio-extras up to version 20.04.0, the fish protocol implementation in fish/fish.cpp invoked cacheAuthentication without verifying the keepPassword option, leading to unintended storage of credentials in KWallet and increasing exposure risks for remote file access sessions. The flaw was patched in subsequent releases by adding proper option validation. As of November 2025, no major CVEs have been reported for KWallet in 2024 or 2025, though integration challenges persist. For instance, kwallet-pam in early 6.1 releases (June 2024) exhibited startup issues related to libgcrypt compatibility that prevented automatic wallet unlocking, potentially leading to repeated authentication prompts and indirect security annoyances, which were addressed in updates by July 2024. Ongoing migration efforts from KWallet to API, initiated in early 2025, introduce transition risks such as temporary data exposure if migration procedures fail to lock or transfer secrets properly, as noted in KDE developer discussions. Additionally, Chromium-based browser integrations with KWallet have prompted user reports of persistent authentication popups, though no verified spoofing vulnerabilities were confirmed; a December 2024 patch in Frameworks improved popup handling to reduce false prompts without introducing new risks.

Mitigation and Best Practices

To enhance the security of KWallet, users should prioritize strong password hygiene for the master password that protects the wallet. Select a unique, lengthy —at least 20 characters combining uppercase, lowercase, numbers, and symbols—to resist brute-force attacks, and avoid reusing it across other services. For added protection, separate sensitive data into multiple wallets, such as one for local application credentials and another for network-related secrets like or SSH keys, minimizing the impact of any single compromise. Avoid empty or weak master passwords, as they expose stored secrets to unauthorized access if the system is breached. To implement two-factor authentication, integrate KWallet with Pluggable Authentication Modules () and hardware tokens, such as TPM or FIDO2 keys, ensuring the wallet password aligns with the login credentials for seamless unlocking while requiring a second factor for initial access. This setup leverages PAM modules like pam_u2f for hardware verification during login, indirectly securing wallet access without manual re-entry. In , disable automatic unlocking on multi-user or shared systems to prevent unintended access; edit the PAM (e.g., in /etc/pam.d/sddm) to remove kwallet-pam or set distinct passwords, and enable the "Prompt when an application accesses a " option in KWallet Manager's settings. Regularly back up by copying the encrypted .kwl files from ~/.local/share/kwalletd to a secure, off-system location, then verify integrity by unlocking the restored in KWallet Manager and inspecting entries for completeness. For ongoing monitoring, configure auditd to log access attempts to the kwalletd directory by adding rules in /etc/audit/rules.d/audit.rules (e.g., -w /home/username/.local/share/kwalletd -p wa -k kwallet-access), then review logs with ausearch for suspicious activity. Always update to the latest Plasma release, as it incorporates security patches for KWallet vulnerabilities, such as those addressed in KDE Security Advisories. With the 2025 transition to the , KWallet now functions primarily as a provider; users should test the by enabling the experimental in ~/.config/kwalletrc (MigrateTo3rdParty=true) in a non-production wallet to ensure data portability to providers like before disabling the legacy KWallet backend.

API and Extensibility

Programming Interfaces

KWallet provides developers with interfaces primarily through the protocol and for seamless integration into applications and beyond. The core interface, org.kde.KWallet, is exposed by the kwalletd daemon at the object path /modules/kwalletd, enabling for wallet operations. Key methods in this interface include openWallet(QString walletName, uint wId, int openType), which initiates access to a wallet either synchronously or asynchronously, returning a for further interactions; writePassword(QString folder, QString key, QString password), which stores a password value in a specified and ; and corresponding readPassword(QString folder, QString key) for retrieval, which returns the stored value or an if not found. Additional methods support management, such as createFolder(QString folderName, int permissions) and deleteFolder(QString folderName), as well as closeWallet() to release resources. These methods handle via QByteArray for general entries, with signals emitted for conditions like locked wallets or invalid credentials. The methods often require an application identifier (appid) parameter to track usage by specific applications. For C++ development in applications, the KWallet::Wallet class offers a convenient over the calls, simplifying handling. Developers link against the KF6::Wallet library using CMake's find_package(KF6 REQUIRED COMPONENTS Wallet) and target_link_libraries(target KF6::Wallet). The class supports opening wallets with static Wallet* openWallet(const QString& name, WId parent, [OpenType](/page/OpenType) type), where type can be Synchronous or Asynchronous, followed by operations like writePassword(const QString& folder, const QString& key, const QString& value) or readPassword(const QString& folder, const QString& key, QString* value). If the wallet is locked, these methods return error codes such as Wallet::Locked, prompting developers to implement retry logic or user notifications. A basic example demonstrates usage: 
cpp
#include <KWallet/Wallet>

KWallet::Wallet* wallet = KWallet::Wallet::openWallet(KWallet::Wallet::LocalWallet(), 0, KWallet::Wallet::Synchronous);
if (wallet && wallet->isOpen()) {
    int result = wallet->writePassword("ApplicationFolder", "userCredential", "secureValue");
    if (result == 0) {
        qDebug() << "Password stored successfully.";
    }
    delete wallet;
}
This approach ensures thread-safe access and integrates with KDE's notification system for user prompts. Python developers can access KWallet via the dbus-python library to invoke the org.kde.KWallet methods directly, providing a scriptable entry point without native bindings. For instance, a script might connect to the bus, call openWallet, and store entries using DBus proxies. Legacy support existed through PyKDE's KWallet.Wallet class, but modern usage favors DBus or cross-platform libraries like QtKeychain for compatibility. Error handling mirrors the C++ API, with exceptions raised for locked states, allowing graceful fallbacks like prompting the user via KDE dialogs. As of Plasma 6.2 (October 2024), KWallet has improved adherence to the Freedesktop Secret Service DBus specification (org.freedesktop.secrets), enabling use as a backend for standards-compliant tools like Seahorse or Python's SecretStorage module. The legacy org.kde.KWallet interface persists as a thin wrapper translating calls to the Secret Service API, ensuring backward compatibility while supporting migration to alternative providers. This dual-interface design broadens developer options without disrupting existing KDE integrations.

Developer Usage Examples

Developers can integrate into applications using its C++ API for secure credential storage, particularly in KDE-based environments. The API allows for opening wallets, writing and reading entries, and managing folders asynchronously to avoid blocking the user interface. A basic C++ example demonstrates opening the default wallet and writing a username-password pair. First, include the necessary headers and link against KDE libraries via CMake. The code snippet below opens the "kdewallet" asynchronously, checks if successful, and writes an entry to a custom folder: 
cpp
#include <KWallet/Wallet>
#include <QApplication>
#include <QDebug>

int main(int argc, char **argv) {
    QApplication app(argc, argv);
    WId winId = 0; // Replace with actual window ID if needed
    KWallet::Wallet *wallet = KWallet::Wallet::openWallet(KWallet::Wallet::LocalWallet(), winId, KWallet::Wallet::Synchronous);
    if (wallet && wallet->isOpen()) {
        if (!wallet->hasFolder("MyAppFolder")) {
            wallet->createFolder("MyAppFolder");
        }
        wallet->setFolder("MyAppFolder");
        wallet->writePassword("", "user", "password");
        qDebug() << "Entry written successfully.";
        wallet->deleteLater();
    } else {
        qDebug() << "Failed to open wallet.";
    }
    return app.exec();
}
This approach uses KWallet::Wallet::openWallet with the local wallet type, followed by writePassword for simple string storage. Asynchronous mode can be enabled by passing KWallet::Wallet::Asynchronous as the last parameter to handle wallet unlocking via Qt signals. For Python developers, KWallet is accessible via its D-Bus interface using the dbus-python library, enabling cross-language integration without KDE-specific dependencies. Connect to the session bus, obtain a proxy to the org.kde.KWallet service at /modules/kwalletd, and invoke methods like writePassword with error handling for wallet states. The following script opens the wallet asynchronously and stores a password: 
python
import dbus
from dbus.mainloop.glib import DBusGMainLoop
import [gobject](/page/GObject)

DBusGMainLoop(set_as_default=True)
bus = [dbus](/page/D-Bus).SessionBus()
try:
    proxy = bus.get_object('org.kde.KWallet', '/modules/kwalletd')
    interface = [dbus](/page/D-Bus).Interface(proxy, 'org.kde.KWallet')
    handle = interface.openAsync('kdewallet', 0, 'MyApp', False)
    if handle > 0:
        status = interface.writePassword(handle, 'MyAppFolder', 'user', 'password', 'MyApp')
        if status == 0:
            [print](/page/Print)("Password written successfully.")
        else:
            [print](/page/Print)(f"Write failed with status: {status}")
    else:
        [print](/page/Print)("Failed to open wallet.")
except dbus.DBusException as e:
    [print](/page/Print)(f"D-Bus error: {e}")
[gobject](/page/GObject).MainLoop().run()
This example handles the asynchronous open via openAsync (returning a handle), then uses writePassword with folder, key, value, and app ID parameters; errors are caught via exceptions for robustness. Common scenarios include storing keys in custom s for application-specific isolation and querying existing entries with prompts as fallbacks. For instance, before writing an , check entryList for the key in a "APIKeys" ; if absent, the and use writePassword. This organizes credentials hierarchically while providing graceful if the wallet is locked. In testing, developers can mock the KWallet interface using Qt's mock objects or D-Bus test proxies to simulate wallet operations without a real backend, ensuring unit tests remain isolated. For integration tests, connect to signals like walletOpened for asynchronous unlock verification, confirming entries are accessible post-unlock. As of 2025, KWallet supports a Secret Service proxy for broader compatibility, allowing developers to use the standard org.freedesktop.secrets API instead of the legacy interface. An updated example involves creating items via CreateItem on the collection proxy, such as storing a password in a KDE-compatible service: 
python
import dbus
from secretstorage import dbussession, collection

dbus_session = dbussession.DBusSession()
collection = collection.get_default_collection(dbus_session)
if collection.is_locked():
    collection.unlock()
item = collection.create_item("MyApp", {"user": "username"}, "password", replace=True)
print("Item created via Secret Service proxy.")
This leverages libraries like secretstorage for the org.freedesktop.secrets.CreateItem method, proxying through KWallet's backend for seamless integration.

References

  1. [1]
    KDE/kwallet: KWallet: Credential Storage - GitHub
    KWallet Framework. Safe desktop-wide storage for passwords. Introduction. This framework contains 3 main components.
  2. [2]
    KDE Wallet - ArchWiki
    Sep 15, 2025 · KDE Wallet Manager is a tool to manage passwords on the KDE Plasma system. Using the KWallet subsystem allows a user to keep its own secrets.
  3. [3]
    KWallet - openSUSE Wiki
    Sep 1, 2022 · KWallet is the password manager for KDE. It is the counterpart of GNOME Keyring, but the wallets are incompatible.<|control11|><|separator|>
  4. [4]
    KWalletManager - KDE Applications
    KWalletManager is a tool to manage the passwords on your system. By using the Frameworks wallet subsystem it not only allows you to keep your own secrets.
  5. [5]
    Chapter 1. Introduction
    KWallet will now use GPG when storing wallets and when opening them. The passphrase dialog only shows once. Even if the wallet is closed after initial open, ...
  6. [6]
    Towards a transition from KWallet to Secret Service - Planet KDE
    Apr 14, 2025 · Right now, KWallet has the option to bring up a Secret Service compatible interface, and this is a valuable first step, but there are still some potential ...
  7. [7]
    KWallet to SecretService, a client application: name wanted
    Jul 9, 2025 · As i wrote in the previous post, now the KWallet service has been splitted in a compatibility layer that exposes the old KWallet api, ...
  8. [8]
    Archive - KDE Commit-Digest
    KWallet adds search, empty password support, and XML data import. 5th ... KDE 3.1.1 released. Quanta will get WYSIWYG editing. Many bugfixes in KMail ...
  9. [9]
    kwalletd about to be switched from kde-runtime to kwallet-framework
    Mar 10, 2015 · kwalletd about to be switched from kde-runtime to kwallet-framework. David Faure faure at kde.org. Mon Jan 13 09:05:26 UTC 2014.[Bug 210171] kmail and kwallet password ... - KDE Mailing ListsSecurity issue with kio_fish - KDE Mailing ListsMore results from mail.kde.org<|control11|><|separator|>
  10. [10]
    KDE Applications 4.12 Bring Huge Step Forward in Personal ...
    Dec 18, 2013 · Privacy guard KGpg shows more information to users and KWalletManager, the tool to save your passwords, can now store them in GPG form. Konsole ...
  11. [11]
    Plasma 5.20.0 Complete Changelog - KDE Community
    Enable shadow protocol support for all Wayland clients. Commit. Screencast: Ensure that there is current OpenGL context when recording a window. Commit. Fixes ...
  12. [12]
    KDE Plasma 6.2.5, Bugfix Release for December
    Dec 31, 2024 · Tuesday, 31 December 2024. Today KDE releases a bugfix update to KDE Plasma 6, versioned 6.2. 5. Plasma 6.2 was released in October 2024 with ...
  13. [13]
    kwallet - Fedora Packages
    Upstream: https://projects.kde.org/projects/kde/kdeutils/kwallet; License(s): GPL-2.0-or-later; Maintainers: than, rdieter. You can contact the maintainers of ...<|control11|><|separator|>
  14. [14]
    Frameworks / KWallet Framework · GitLab - KDE Invent
    Introduction. This framework contains 3 main components: Interface to KWallet, the safe desktop-wide storage for passwords on KDE work spaces. kwalletd ...
  15. [15]
    Disable kwallet popups from chrome - Super User
    Nov 1, 2015 · 1. Go to: System Settings -> Account Details (Personalization) -> KDE Wallet · 2. Uncheck the Box "Enable the KDE wallet subsystem" · 3. Apply.
  16. [16]
    Development/Tutorials/KWallet - KDE TechBase
    May 31, 2019 · Binary entries are application-specific arrays of bytes, maps should be known from QMaps, where a series of values are accessed by keys.Missing: limit 1MB
  17. [17]
    How to automatically unlock kwallet at start up? - NixOS Discourse
    Mar 8, 2025 · An easy way is to just set the password for the kwallet to nothing. Like literally. You go into the password setting prompt and do not type in ...
  18. [18]
    KDE Quick Start - Managing Passwords - Novell Doc
    To activate KWallet, select Basic Setup and click Next. Select Yes, I wish to use the KDE wallet to store my personal information and enter a password. This is ...
  19. [19]
    [PDF] The KWallet Handbook - KDE Documentation -
    KWallet supports multiple wallets, so for the most secure operation, you should use one wallet for local passwords, and another for network passwords and form ...
  20. [20]
    remember wireless password in kde - Ask Ubuntu
    Mar 13, 2014 · From system setting go to connections. Under Known Wi-Fi's find your connection. In the Wi-Fi security tab type Wi-Fi password in field. Also ...How do I make kded5 and Plasma's network manager stop trying to ...Can Plasma's networkmanager store passwords somewhere other ...More results from askubuntu.com
  21. [21]
    The state of Falkon: KDE's browser is much better than you know
    Dec 9, 2024 · There's a password manager built-in that can use both encrypted and non-encrypted databases as well as Kwallet, a Greasemonkey-compatible ...<|control11|><|separator|>
  22. [22]
    Firefox addon for kwallet KDE5 - KDE Store
    With this extension you are able to use KWallet instead of the default Firefox password manager. It allows tighter integration of Firefox inside KDE5.
  23. [23]
    Mozilla(Firefox/Thunderbird) KWallet Extension - GitHub
    With this extension you are able to use KWallet instead of the default Firefox password manager. It allows tighter integration of Firefox inside KDE.
  24. [24]
    KDE Plasma 6.2.5, bugfix Release
    This is a bugfix release of KDE Plasma, featuring Plasma Desktop and other essential software for your computer. Details in the Plasma 6.2.5 announcement.
  25. [25]
    kde-frameworks/kwallet - Gentoo Packages
    kde-frameworks/. kwallet. Interface to KWallet Framework providing desktop-wide storage for passwords. https://develop.kde.org/products/frameworks/.
  26. [26]
    kwallet - Community Help Wiki - Ubuntu Documentation
    Oct 10, 2008 · KWallet saves this sensitive data for you in a strongly encrypted file, accessible by all applications, and protected with a master password that you define.
  27. [27]
    Install KWalletManager on Linux - Flathub
    KWalletManager is a tool to manage the passwords on your system. By using the Frameworks wallet subsystem it not only allows you to keep your own secrets ...
  28. [28]
    FreshPorts -- security/plasma6-kwallet-pam
    Dec 2, 2023 · KDE: Update KDE Plasma to 6.2.5 Tuesday, 31 December 2024. Today KDE releases a bugfix update to KDE Plasma 6, versioned 6.2.5. This release ...
  29. [29]
    Who uses blowfish for KWallet, as its the default option? - KDE Discuss
    Nov 10, 2023 · KWallet can use GPG by default, using a gpg keypair with the username and the keystore named “kdewallet” by default.I get this KDE Wallet prompt every time after login - Helpwith an additional GPG wallet, unlock automatically on login doesn't ...More results from discuss.kde.org
  30. [30]
    Chapter 3. Configuring KWallet
    KWallet contains a small configuration panel with several options that allow you to tune KWallet to your personal preferences.
  31. [31]
    KDE/kwallet-pam - GitHub
    The pam module forks and launches kwalletd as the user with file descriptor AND a socket. We send the salted password over the file descriptor after forking.
  32. [32]
    KWallet Autologin: TPM, secure element, hardware features etc
    May 13, 2024 · You would need some place where some secret is stored. This could be your TPM or a hardware USB key, Smartcard, Fingerprint etc. That would be quite nice.Missing: KWalletService | Show results with:KWalletService
  33. [33]
    https://docs.kde.org/stable5/en/kwalletmanager/kwallet5/kwallet-kcontrol-module.html
  34. [34]
    KDE kwallet migrationsassistent - passwords - Stack Overflow
    Jan 28, 2016 · The wallet migration assistant should have created a copy of your passwords in $HOME/.local/share/kwalletd. But as long as the old wallet exists at $HOME/.kde4 ...
  35. [35]
    How do i set the keyring backend to gnome-libsecret - KDE Discuss
    Sep 21, 2024 · You can just disable kdewallet (for example, but uninstalling it) then make sure that the GNOME secrets service is automatically started on ...KDE Wallet More than Adequate? - HelpTry to use the KeePasXC as Secret Service - Help - KDE DiscussMore results from discuss.kde.orgMissing: 6.2 | Show results with:6.2
  36. [36]
    Move kwallet to another laptop? - Applications - openSUSE Forums
    Nov 24, 2023 · Launch KWallet Manager using KRunner (Alt+F2) or other application launcher (menu) and select your old wallet. Then choose File → Export as ...Import Wallet into KWallet version 5 in Plasma 5KDE Wallet Service - ApplicationsMore results from forums.opensuse.org
  37. [37]
    Chapter 2. KWallet Manager
    With Export as encrypted wallets can be exported into an encrypted archive file. Importing this archive file with Import encrypted you have to provide the ...
  38. [38]
    Plasma/Plasma 6 - KDE Community Wiki
    Plasma 6 is built on top of Qt 6 and was released on February 28th, 2024. This page outlines important information and major changes coming in Plasma 6.
  39. [39]
    Access Control
    Access control prompts when an app accesses a wallet, signals access, and shows a tree view of applications and their policies. Allowed access grants access to ...
  40. [40]
    kwallet-query(1) - Arch manual pages
    kwallet-query comes in handy when shell scripts need to read or update the KDE Wallet. It works by manipulating the entries displayed in the KDE Wallet Manager ...
  41. [41]
    kwalletd can't decrypt wallet - Applications - openSUSE Forums
    May 25, 2020 · Error when attempting to decrypt the wallet kdewallet using GPG. If you're using a SmartCard, please ensure it's inserted then try again. GPG error was No such ...Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank ...Kwallet will not use my gpg key - Applications - openSUSE ForumsMore results from forums.opensuse.org
  42. [42]
    KWallet Security Analysis - Gaganpreet's blog
    Jul 24, 2013 · The backend code for KWallet was written nearly a decade ago, from looking at the copyright notices on files. The source code for KWallet is ...
  43. [43]
    Security of the KWallet password encrypting application?
    Oct 17, 2013 · The KWallet password management system is quite weak, it uses key splitting, Blowfish 56, and no salt.
  44. [44]
    FreshPorts -- security/gpgme: Library to make access to GnuPG easier
    GnuPG Made Easy (GPGME) is a C library designed to make access to GnuPG easier for applications. It provides a High-Level Crypto API for encryption, decryption, ...<|control11|><|separator|>
  45. [45]
    How to Disable KDE Wallet and have "remember password" working
    Apr 24, 2013 · Open KWalletManager and use Settings → Configure Wallet... then untick the checkbox “Close when last application stops using it”.How to reset a password from kwallet? - Ask UbuntuAnnoying KDE Wallet Service popup: The application 'kded5' has ...More results from askubuntu.comMissing: master | Show results with:master
  46. [46]
    [Solved] repeated failed attempts to gain access to a wallet ...
    Sep 28, 2021 · When I log out from my system I regularly get the following warning: There have been repeated failed attempts to gain access to a wallet. An application may be ...[SOLVED] KDE Wallet Service / Newbie Corner / Arch Linux Forums[SOLVED] kwallet wants password never set to openMore results from bbs.archlinux.org
  47. [47]
    How do i correctly set up PAM for kdewallet? - EndeavourOS Forum
    Jun 18, 2024 · All you need to do is install the package kwallet-pam and make sure that your kwallet password is the same as your user password and that is it.Missing: initial documentation
  48. [48]
    NVD - CVE-2013-7252
    ### Summary of CVE-2013-7252 (KWallet Vulnerability)
  49. [49]
    KDE Utils/kwallet/FeaturePlan42 - KDE Community Wiki
    Apr 15, 2016 · KWallet provides all or nothing access to the password store. This is a security problem, because it enables application A in principle to ...
  50. [50]
    CVE-2018-10380 - NVD
    May 8, 2018 · Description. kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack.Missing: SHA- pre-
  51. [51]
    CVE-2020-12755 Detail - NVD
    May 9, 2020 · NVD. National Vulnerability Database. Vulnerabilities. CVE-2020-12755 ... This may lead to unintended KWallet storage of a password.
  52. [52]
    489303 – pam_kwallet6 not being built on/for Qt6 systems
    Jul 5, 2024 · Downgrading kwallet-pam to 6.1.0-1 temporarily resolves the issue. Comment 4 Yujiro Hanma 2024-06-27 16 ...Missing: race | Show results with:race
  53. [53]
    Towards a transition from KWallet to Secret Service | Mart
    Apr 14, 2025 · Applications ported from KWallet to SecretService will lose their credentials, unless some clunky porting code is written for each application.
  54. [54]
    502808 – kwallet-pam no longer starts kwallet: kwalletd dropped ...
    Sep 26, 2025 · Confirmed. Since the move to ksecretd, kwalletd crashes early during the login, and that causes a delay of ~10-15 seconds to the login until the ...<|separator|>
  55. [55]
    Two-factor authentication with KDE - Support - Manjaro Linux Forum
    Apr 7, 2021 · In order to achieve two-factor authentication, I edited system-auth , configured U2F using pam_u2f as the main method and Yubico OTP using pam_yubico as the ...
  56. [56]
    Monitoring Linux File Access With auditd | Baeldung on Linux
    Jun 12, 2022 · In this tutorial, we'll explore how to perform file access monitoring under Linux. First, we go through a refresher of file access permissions.
  57. [57]
    KDE Security Advisories
    The KDE Security Advisories are crosslinked in the KDE Information Pages of the KDE versions to which they apply to. The listing below is in chronological order ...
  58. [58]
    Provide org.kde.kwalletd5 dbus interface · Issue #3679 - GitHub
    Oct 27, 2019 · KDE uses the kwallet password manager to provide a DBUS API for password storage. For this they don't use the org.freedesktop.secrets API ...Missing: transition | Show results with:transition
  59. [59]
    KWallet::Wallet Class Reference
    KDE API Reference. KDE API Reference · kdelibs API Reference · KDE Home · Contact ... KWallet::Wallet Class Reference. #include <kwallet.h>. Inheritance diagram ...
  60. [60]
    KWallet - KDE API Reference
    Using the Module. Using a KDE module's C++ API requires linking against the module library. The preferred way of consuming the library is through CMake.Missing: KWalletService | Show results with:KWalletService
  61. [61]
    KWallet.Wallet
    This class implements a generic system-wide Wallet for KDE. This is the ONLY public interface. Author: George Staikos <staikos@kde.org>. KDE Wallet Class ...
  62. [62]
    org.freedesktop.secrets DBus API initial support (!11) · Merge requests
    This finally enables applications using node-keytar or python SecretStorage to use KWallet instead of forcing me to install GNOME keychain; Switching KDE ...<|control11|><|separator|>
  63. [63]
    https://sources.debian.org/src/qtkeychain/0.7.0-3/org.kde.KWallet.xml/