dotfiles/.memory/research/LUKS SDDM KWallet discovery.md
2026-03-12 12:14:33 +00:00

title: LUKS SDDM KWallet discovery
type: note
permalink: dotfiles/research/luks-sddm-kwallet-discovery
tags: sddm, kwallet, luks, pam, arch, hyprland, discovery

LUKS SDDM KWallet discovery

System context

  • [fact] Distribution: Arch Linux (rolling), NOT NixOS — all configuration is manual files or pacman packages
  • [fact] Desktop environment: Hyprland (Wayland compositor), NOT KDE Plasma
  • [fact] Display manager: SDDM (installed, PAM files present)
  • [fact] Lock screen: hyprlock (Hyprland native, separate from SDDM)
  • [fact] Default session: Session=hyprland (from ~/.dmrc)
  • [fact] Boot: systemd-boot (/boot/loader/), kernel cmdline has cryptdevice=PARTUUID=1a555ca6-ea08-4128-80cf-fe213664030e:root root=/dev/mapper/root
  • [fact] LUKS encryption: LUKS-encrypted root, opened by the classic encrypt hook in mkinitcpio (not sd-encrypt)
  • [fact] Filesystem: btrfs with @ subvolume

Current config files inventory

Dotfiles repo (/home/alex/dotfiles) — user scope only

| File | Contents |
|---|---|
| .config/hypr/hyprland.conf | Hyprland WM config; autostart: waybar + nm-applet; lock bind: hyprlock |
| .config/hypr/hyprlock.conf | hyprlock PAM-auth lock screen; Catppuccin Mocha theme |
| .config/hypr/monitors.conf | Monitor config |
| .config/hypr/workspaces.conf | Workspace rules |
| .dmrc | Session=hyprland |
| .gitconfig | Git identity only |
| .config/fish/, .config/nvim/, etc. | Shell and editor config, not relevant |

The dotfiles repo does NOT contain any SDDM, PAM, mkinitcpio, bootloader, or KWallet configuration. All of those are system-level files managed outside this repo.

System-level files (outside dotfiles repo)

| File | Status | Key contents |
|---|---|---|
| /etc/mkinitcpio.conf | Present | HOOKS include encrypt (classic LUKS hook) |
| /boot/loader/entries/2026-03-11_16-58-39_linux.conf | Present | cryptdevice=PARTUUID=... kernel param, LUKS root |
| /boot/loader/loader.conf | Present | timeout 3, no autologin |
| /etc/pam.d/sddm | Present | References pam_kwallet5.so (module not installed; see risks) |
| /etc/pam.d/sddm-autologin | Present | References pam_kwallet5.so (module not installed; see risks) |
| /etc/pam.d/sddm-greeter | Present | Standard greeter-only config |
| /etc/pam.d/system-auth | Present | Standard pam_unix, pam_faillock |
| /etc/pam.d/system-login | Present | Standard, includes pam_u2f.so at top |
| /etc/pam.d/hyprlock | Present | auth include login (delegates to the login chain) |
| /usr/lib/sddm/sddm.conf.d/default.conf | Present | No autologin configured; DisplayServer=x11 (not wayland) |
| /etc/sddm.conf.d/ | MISSING | No local overrides exist; no user customization of SDDM |
| /etc/sddm.conf | MISSING | No top-level SDDM config file |

KDE/KWallet installation state

  • [fact] kwalletd6 binary is installed: /usr/bin/kwalletd6
  • [fact] kwallet-query is installed: /usr/bin/kwallet-query
  • [fact] pam_kwallet5.so does NOT exist in /usr/lib/security/ or /lib/security/
  • [fact] pam_kwallet6.so does NOT exist either: the kwallet-pam package, which is what ships the module under one of those two names, is NOT installed (confirm with `pacman -Q kwallet-pam`)
  • [fact] pam_gnome_keyring.so IS installed at /usr/lib/security/
  • [fact] No ~/.config/kwalletrc exists — KWallet has never been initialized for this user
  • [fact] No ~/.local/share/kwalletd/ directory — no wallet database exists

Current PAM configuration for SDDM (detailed)

/etc/pam.d/sddm (normal login)

```
auth        sufficient  pam_u2f.so              cue
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so                    ← BROKEN: module not installed

session     optional    pam_keyinit.so          force revoke
session     include     system-login
-session    optional    pam_gnome_keyring.so    auto_start
-session    optional    pam_kwallet5.so         auto_start ← BROKEN
```

/etc/pam.d/sddm-autologin

```
auth        sufficient  pam_u2f.so              cue
auth        required    pam_permit.so
-auth       optional    pam_kwallet5.so                    ← BROKEN
session     include     system-local-login
-session    optional    pam_kwallet5.so         auto_start ← BROKEN
```

Note: the - prefix tells PAM to skip the line silently when the module's .so cannot be loaded (a missing module without the prefix is logged as an error). So the kwallet lines cause no login failures and no log noise, but they also do nothing: pam_kwallet never captures the password in the auth phase, and the auto_start session line has nothing to unlock with.
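The two findings above (modules referenced but not installed, and the U2F line that precedes the kwallet line, which the Risks section flags) can be checked mechanically rather than by reading the files. The script below is an added example, not part of this note and not an Arch or Linux-PAM tool. It assumes the Arch layout (/etc/pam.d for service files, /usr/lib/security for modules) and builds a constructed sample tree mirroring the stacks quoted above so it runs offline; against the live system call `pam_missing_modules /etc/pam.d/sddm /usr/lib/security` and `pam_kwallet_shadowed sddm /etc/pam.d`.

```shell
#!/bin/sh
# Added example (not from the note): audit PAM service files the way the
# findings above were made. Paths and the sample tree are assumptions/constructed.

# Modules referenced in PAM file $1 that do not exist in module dir $2, printed as
# "module<TAB>type<TAB>silent|logged". Bracketed controls ("[success=1 default=bad]")
# span several fields, so the module is the field after the closing "]".
# A leading "-" on the type makes PAM skip a missing module without logging it.
pam_missing_modules() {
    awk -v moddir="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            i = 3
            if ($2 ~ /^\[/) { i = 2; while (i < NF && $i !~ /[]]$/) i++; i++ }
            if ($2 == "include" || $2 == "substack") next
            mode = (substr($1, 1, 1) == "-") ? "silent" : "logged"
            if (system("test -e \"" moddir "/" $i "\"") != 0)
                printf "%s\t%s\t%s\n", $i, $1, mode
        }' "$1" | sort -u
}

# Auth stack of service $1 under PAM dir $2, flattened depth-first through
# include/substack, one "type<TAB>control<TAB>module" line per module.
pam_auth_stack() {
    awk -v pamdir="$2" -v svc="$1" '
        function walk(s,   file, rc, line, f, n, t, i, j, ctrl) {
            file = pamdir "/" s
            while ((rc = (getline line < file)) > 0) {
                sub(/^[ \t]+/, "", line); n = split(line, f, /[ \t]+/)
                if (n < 3) continue
                t = f[1]; sub(/^-/, "", t)
                if (t != "auth") continue
                i = 2
                if (f[2] ~ /^\[/) { while (i < n && f[i] !~ /[]]$/) i++ }
                ctrl = f[2]; for (j = 3; j <= i; j++) ctrl = ctrl " " f[j]
                if (ctrl == "include" || ctrl == "substack") walk(f[i + 1])
                else printf "%s\t%s\t%s\n", f[1], ctrl, f[i + 1]
            }
            if (rc < 0) printf "auth\tMISSING-FILE\t%s\n", s
            close(file)
        }
        BEGIN { walk(svc) }'
}

# Print every line before the first pam_kwallet auth line whose control ends the
# stack on success ("sufficient", or a bracket control with success=done). Such a
# line returns from the auth phase before pam_kwallet's auth hook runs, so no
# password is captured for the session-phase auto_start.
# Exit 0: kwallet line reachable; 1: shadowed; 2: no pam_kwallet auth line at all.
pam_kwallet_shadowed() {
    pam_auth_stack "$1" "$2" | awk -F '\t' '
        $3 ~ /^pam_kwallet/ { found = 1; exit }
        $2 == "sufficient" || $2 ~ /success=done/ { print $1, $2, $3; shadowed = 1 }
        END { exit found ? shadowed : 2 }'
}

# Constructed sample (not the live files): the sddm stack quoted above, a
# system-login that includes an Arch-style system-auth, and a module dir with
# everything present except pam_kwallet5.so.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d" "$d/security"
    for m in pam_u2f pam_unix pam_faillock pam_permit pam_systemd_home pam_gnome_keyring pam_keyinit; do
        : > "$d/security/$m.so"
    done
    cat > "$d/pam.d/sddm" <<'EOF'
auth        sufficient  pam_u2f.so cue
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
session     optional    pam_keyinit.so force revoke
session     include     system-login
-session    optional    pam_kwallet5.so auto_start
EOF
    printf 'auth include system-auth\n' > "$d/pam.d/system-login"
    cat > "$d/pam.d/system-auth" <<'EOF'
auth       required   pam_faillock.so preauth
-auth      [success=2 default=ignore] pam_systemd_home.so
auth       [success=1 default=bad] pam_unix.so try_first_pass nullok
auth       [default=die] pam_faillock.so authfail
auth       optional   pam_permit.so
EOF
    # Same service with the hardware-key shortcut removed, for comparison.
    grep -v pam_u2f "$d/pam.d/sddm" > "$d/pam.d/sddm-nou2f"
    printf '%s\n' "$d"
}

SAMPLE=$(make_sample)
echo "== referenced by sddm but absent from $SAMPLE/security:"
pam_missing_modules "$SAMPLE/pam.d/sddm" "$SAMPLE/security"
echo "== auth lines that return before pam_kwallet (sddm):"
pam_kwallet_shadowed sddm "$SAMPLE/pam.d" || echo "   -> kwallet auth hook unreachable (rc=$?)"
echo "== same check without the U2F shortcut (sddm-nou2f):"
pam_kwallet_shadowed sddm-nou2f "$SAMPLE/pam.d" && echo "   -> reachable"
```

The flattening only follows auth-type include/substack lines, which is all the kwallet question needs; the session stack is checked for missing modules by pam_missing_modules but not walked. On the sample, the only absent module is pam_kwallet5.so (referenced from both the auth and the session stack), and the sddm service is shadowed by `auth sufficient pam_u2f.so` while the variant without that line is not.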

SDDM autologin configuration state

  • [fact] SDDM autologin is NOT configured: User= and Session= under [Autologin] in default.conf are empty
  • [fact] SDDM DisplayServer=x11 in default.conf — no wayland greeter configured
  • [fact] No /etc/sddm.conf.d/ drop-in directory exists

Dependency chain for LUKS → SDDM → KWallet integration

Boot-time LUKS (currently working)

systemd-boot → kernel cryptdevice= param → initramfs encrypt hook → LUKS passphrase prompt → root mounted

Login-time (currently: manual SDDM login, no KWallet auto-open)

SDDM greeter → user types password → PAM sddm → pam_unix validates → session started
  → pam_kwallet5.so would unlock wallet (BROKEN: module missing)

Target state (proposed)

Boot: LUKS passphrase entered
  → system up → SDDM greeter shown
  → Option A (autologin): SDDM skips the password prompt → session starts → pam_kwallet receives no password, so the wallet opens automatically only if it was created with no password
  → Option B (PAM reuse): SDDM password == user password == KWallet password → pam_kwallet (from kwallet-pam) captures the password at auth time and unlocks the wallet when the session opens

Likely edit points

  1. Install kwallet-pam (official Arch repos, extra; it is the package that provides the PAM module): PREREQUISITE. Before touching PAM files, check the filename it ships with `pacman -Ql kwallet-pam | grep security`. The KF6 build is expected to keep the pam_kwallet5.so name for compatibility with existing PAM files, in which case the current sddm lines start working unchanged once the package is installed.
  2. /etc/pam.d/sddm: only if the package ships pam_kwallet6.so instead, replace pam_kwallet5.so with pam_kwallet6.so in both the auth and the session stack
  3. /etc/pam.d/sddm-autologin: same replacement if autologin is also desired (autologin gives pam_kwallet no password to work with; see risks)
  4. ~/.config/kwalletrc: set the default wallet name (`[Wallet]` `Default Wallet=`) if it should not be kdewallet. The encryption backend is chosen when the wallet is created, not here, and pam_kwallet can only open a wallet that uses the classic password (blowfish) backend, not a GPG-keyed one
  5. Initialize the wallet: run kwalletd6 or kwallet-query to trigger creation of the default wallet, choose the password backend, and use the user's login password as the wallet password. The two must stay identical afterwards; if the login password changes and the wallet password does not, auto-unlock silently stops working

To configure SDDM for Wayland session (currently X11 default)

  1. /etc/sddm.conf.d/hyprland.conf (new file): either set DisplayServer=wayland, which runs the greeter itself under the compositor named by [Wayland] CompositorCommand (weston in the shipped default, so it must be installed), or keep the X11 greeter, which can still launch the hyprland Wayland session through /usr/share/sddm/scripts/wayland-session

To configure SDDM autologin (Option A)

  1. /etc/sddm.conf.d/autologin.conf (new file) — set User=alex, Session=hyprland

To track these system files in the dotfiles repo

  1. Add symlinks or a deploy script — system PAM files are outside the current dotfiles scope
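The three short procedures above (Wayland greeter drop-in, autologin drop-in, deploying system files from the dotfiles repo) come together in the script below. It is an added example, not part of this note and not an SDDM tool. Its assumptions are not facts from the note: the repo grows a system/ tree mirroring / (system/etc/sddm.conf.d/...), the load order is the one sddm.conf(5) documents (/usr/lib/sddm/sddm.conf.d/*.conf, then /etc/sddm.conf.d/*.conf, then /etc/sddm.conf, later files overriding earlier keys), and the sample repo and target root are constructed so it runs offline. Point deploy_tree at / (as root) to touch the live system.

```shell
#!/bin/sh
# Added example (not from the note): deploy SDDM drop-ins from a dotfiles tree into
# a target root and resolve the configuration SDDM will actually load.
# Layout, load order and sample contents are assumptions/constructed, see lead-in.

# Last value of key $2 in INI section $1 across the files $3.. given in load
# order (empty if unset everywhere, also when the last file sets it empty).
ini_last() {
    section=$1; key=$2; shift 2
    awk -v want="$section" -v key="$key" '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/[]][[:space:]]*$/, "", sec); next }
        NF == 0 || /^[[:space:]]*[#;]/ { next }
        sec == want && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { val = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) }
        }
        END { print val }' "$@"
}

# Files SDDM reads under root $1, in load order; missing ones are skipped.
sddm_config_files() {
    for f in "$1"/usr/lib/sddm/sddm.conf.d/*.conf "$1"/etc/sddm.conf.d/*.conf "$1"/etc/sddm.conf; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Effective value of section $2 / key $3 under root $1 (paths without whitespace).
sddm_effective() {
    files=$(sddm_config_files "$1")
    [ -n "$files" ] || return 1
    ini_last "$2" "$3" $files
}

# One-line summary of the keys this note cares about, for root $1.
sddm_report() {
    printf 'DisplayServer=%s User=%s Session=%s\n' \
        "$(sddm_effective "$1" General DisplayServer)" \
        "$(sddm_effective "$1" Autologin User)" \
        "$(sddm_effective "$1" Autologin Session)"
}

# Install every file under tree $1 into root $2 with mode 0644 (what /etc/pam.d and
# /etc/sddm.conf.d files carry), rewriting only files whose content differs and
# showing a diff on stderr. Prints the number of files written. Ownership is
# install(1)'s default, so run as root when $2 is the live system.
deploy_tree() {
    src=$1; dest=$2; n=0
    for f in $(find "$src" -type f | sort); do
        rel=${f#"$src"/}
        if [ -e "$dest/$rel" ]; then
            cmp -s "$f" "$dest/$rel" && continue
            diff -u "$dest/$rel" "$f" >&2 || true
        else
            echo "new: $rel" >&2
        fi
        install -D -m 0644 "$f" "$dest/$rel"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed dotfiles tree carrying the two drop-ins from the procedures above.
make_repo() {
    r=$(mktemp -d)
    mkdir -p "$r/system/etc/sddm.conf.d"
    printf '[General]\nDisplayServer=wayland\n' > "$r/system/etc/sddm.conf.d/hyprland.conf"
    printf '[Autologin]\nUser=alex\nSession=hyprland\n' > "$r/system/etc/sddm.conf.d/autologin.conf"
    printf '%s\n' "$r"
}

# Constructed target root with a stand-in for the packaged default.conf as
# inventoried above (X11 greeter, [Autologin] keys present but empty).
make_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/sddm/sddm.conf.d"
    printf '[Autologin]\nUser=\nSession=\n\n[General]\nDisplayServer=x11\n' > "$d/usr/lib/sddm/sddm.conf.d/default.conf"
    printf '%s\n' "$d"
}

REPO=$(make_repo); ROOT=$(make_root)
echo "before: $(sddm_report "$ROOT")"
echo "installed $(deploy_tree "$REPO/system" "$ROOT") file(s)"
echo "after:  $(sddm_report "$ROOT")"
```

Running deploy_tree a second time writes nothing, which is the property that makes it safe to call from a dotfiles bootstrap. The "after" line is what to check before rebooting: DisplayServer=wayland means the greeter now depends on the compositor in [Wayland] CompositorCommand being installed (`sddm --example-config` prints the defaults of the installed SDDM), and a non-empty User=/Session= pair means the next boot skips the password prompt, with the KWallet consequences listed under Risks.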

Risks and ambiguities

  • [risk] PAM module filename: the PAM files reference pam_kwallet5.so while the installed daemon is kwalletd6. The module comes from kwallet-pam, which is in the official Arch repositories (extra), not the AUR. The KF6 build is expected to keep the pam_kwallet5.so filename so that existing PAM configs keep working; verify with `pacman -Ql kwallet-pam` after installing and match the PAM lines to whichever name is actually shipped rather than assuming pam_kwallet6.so.
  • [risk] No KDE Plasma installed: The system uses Hyprland, not Plasma. KWallet works standalone, but Plasma's system tray integration for wallet prompts won't be present. Apps must use the KWallet D-Bus API directly.
  • [risk] SDDM running X11 compositor by default: The default.conf has DisplayServer=x11, but the user session is Hyprland (Wayland). SDDM itself can still launch Wayland sessions from an X11 greeter. This works but is a mismatch worth documenting.
  • [risk] autologin + KWallet security trade-off: with autologin (Option A) PAM never sees a password, so pam_kwallet cannot unlock a password-protected wallet. The only way to get an automatically opened wallet is to create it with no password, which leaves its contents readable by anything running as the user and protected on disk only by LUKS at rest. A GPG-backed wallet does not help here either: it would prompt through gpg-agent/pinentry when the first application opens it, not at login.
  • [risk] pam_u2f.so sufficient at the top of sddm and system-login: when the user authenticates with the hardware key, the `sufficient` control ends the auth phase right there, before pam_unix runs, so no password is ever typed. That also means PAM never reaches the pam_kwallet auth line, which is the module's only chance to capture the password for the session-phase auto_start, so a U2F login leaves the wallet closed even when the wallet and login passwords are identical. Making the U2F line `required` (a second factor after the password) instead of `sufficient` keeps the password in the stack; a password login, or a U2F failure that falls through to pam_unix, is unaffected.
  • [risk] hyprlock uses auth include login: the lock screen delegates to the login PAM chain, which contains no kwallet modules. This only matters if the wallet is configured to close when idle; by default it stays open for the lifetime of the session, and unlocking hyprlock will not re-open a wallet that has closed.
  • [risk] Dotfiles repo scope boundary: /etc/pam.d/, /etc/sddm.conf.d/, /etc/mkinitcpio.conf, and /boot/loader/ are all outside the dotfiles repo. These are system files. Either the dotfiles repo needs to expand its scope (with a deploy script), or these changes must be managed separately.
  • [risk] mkinitcpio uses classic encrypt hook, not sd-encrypt: The sd-encrypt (systemd) hook supports TPM2/FIDO2-bound LUKS keys for automatic unlock; the classic encrypt hook does not. If the goal involves TPM2-bound auto-unlock (true single-passphrase boot), migration to sd-encrypt would be required.
  • [ambiguity] "SDDM login" with LUKS: LUKS unlock happens at boot (initramfs), before SDDM. There is no mechanism for SDDM to "reuse" the LUKS passphrase directly. The integration point is: user types the same password at SDDM → PAM propagates it to pam_kwallet6 → wallet unlocked. The LUKS and SDDM passwords are independent unless deliberately set to the same value.

Relations