alex/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
95974224f87f847a4d35800878ef0e1eb06043fc
dotfiles/.memory/research/LUKS SDDM KWallet discovery.md
alex wiesner 95974224f8 chore: update opencode workflow and local config
2026-03-12 12:14:33 +00:00

157 lines
8.9 KiB
Markdown
Raw Blame History

---
title: LUKS SDDM KWallet discovery
type: note
permalink: dotfiles/research/luks-sddm-kwallet-discovery
tags:
- sddm
- kwallet
- luks
- pam
- arch
- hyprland
- discovery
---
# LUKS SDDM KWallet discovery
## System context
- [fact] Distribution: **Arch Linux** (rolling), NOT NixOS — all configuration is manual files or pacman packages
- [fact] Desktop environment: **Hyprland** (Wayland compositor), NOT KDE Plasma
- [fact] Display manager: **SDDM** (installed, PAM files present)
- [fact] Lock screen: **hyprlock** (Hyprland native, separate from SDDM)
- [fact] Default session: `Session=hyprland` (from `~/.dmrc`)
- [fact] Boot: **systemd-boot** (`/boot/loader/`), kernel cmdline has `cryptdevice=PARTUUID=1a555ca6-ea08-4128-80cf-fe213664030e:root root=/dev/mapper/root`
- [fact] LUKS encryption: **LUKS-encrypted root** (`encrypt` hook in mkinitcpio), initramfs uses classic `encrypt` hook (not `sd-encrypt`)
- [fact] Filesystem: **btrfs** with `@` subvolume
## Current config files inventory
### Dotfiles repo (`/home/alex/dotfiles`) — user scope only
| File | Contents |
|---|---|
| `.config/hypr/hyprland.conf` | Hyprland WM config; autostart: waybar + nm-applet; lock bind: `hyprlock` |
| `.config/hypr/hyprlock.conf` | hyprlock PAM-auth lock screen; Catppuccin Mocha theme |
| `.config/hypr/monitors.conf` | Monitor config |
| `.config/hypr/workspaces.conf` | Workspace rules |
| `.dmrc` | `Session=hyprland` |
| `.gitconfig` | Git identity only |
| `.config/fish/`, `.config/nvim/`, etc. | Shell and editor config, not relevant |
**The dotfiles repo does NOT contain any SDDM, PAM, mkinitcpio, bootloader, or KWallet configuration.** All of those are system-level files managed outside this repo.
### System-level files (outside dotfiles repo)
| File | Status | Key contents |
|---|---|---|
| `/etc/mkinitcpio.conf` | Present | HOOKS include `encrypt` (classic LUKS hook) |
| `/boot/loader/entries/2026-03-11_16-58-39_linux.conf` | Present | `cryptdevice=PARTUUID=...` kernel param, LUKS root |
| `/boot/loader/loader.conf` | Present | `timeout 3`, no autologin |
| `/etc/pam.d/sddm` | Present | Includes `pam_kwallet5.so` (broken — see risks) |
| `/etc/pam.d/sddm-autologin` | Present | Includes `pam_kwallet5.so` (broken — see risks) |
| `/etc/pam.d/sddm-greeter` | Present | Standard greeter-only config |
| `/etc/pam.d/system-auth` | Present | Standard pam_unix, pam_faillock |
| `/etc/pam.d/system-login` | Present | Standard, includes pam_u2f.so at top |
| `/etc/pam.d/hyprlock` | Present | `auth include login` — delegates to login chain |
| `/usr/lib/sddm/sddm.conf.d/default.conf` | Present | No autologin configured; `DisplayServer=x11` (NOT wayland) |
| `/etc/sddm.conf.d/` | **MISSING** — no local overrides exist | No user customization of SDDM |
| `/etc/sddm.conf` | **MISSING** | No top-level SDDM config file |
## KDE/KWallet installation state
- [fact] `kwalletd6` binary is installed: `/usr/bin/kwalletd6`
- [fact] `kwallet-query` is installed: `/usr/bin/kwallet-query`
- [fact] **`pam_kwallet5.so` does NOT exist** in `/usr/lib/security/` or `/lib/security/`
- [fact] **`pam_kwallet6.so` does NOT exist** either — `kwallet-pam` package is NOT installed
- [fact] `pam_gnome_keyring.so` IS installed at `/usr/lib/security/`
- [fact] No `~/.config/kwalletrc` exists — KWallet has never been initialized for this user
- [fact] No `~/.local/share/kwalletd/` directory — no wallet database exists
## Current PAM configuration for SDDM (detailed)
### `/etc/pam.d/sddm` (normal login)
```
auth sufficient pam_u2f.so cue
auth include system-login
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so ← BROKEN: module not installed
session optional pam_keyinit.so force revoke
session include system-login
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start ← BROKEN
```
### `/etc/pam.d/sddm-autologin`
```
auth sufficient pam_u2f.so cue
auth required pam_permit.so
-auth optional pam_kwallet5.so ← BROKEN
session include system-local-login
-session optional pam_kwallet5.so auto_start ← BROKEN
```
Note: The `-` prefix means these lines are silently skipped if the module is missing — not causing errors, but not functioning.
## SDDM autologin configuration state
- [fact] SDDM autologin is **NOT configured**`User=` and `Session=` are empty in default.conf
- [fact] SDDM `DisplayServer=x11` in default.conf — **no wayland greeter configured**
- [fact] No `/etc/sddm.conf.d/` drop-in directory exists
## Dependency chain for LUKS → SDDM → KWallet integration
### Boot-time LUKS (currently working)
```
systemd-boot → kernel cryptdevice= param → initramfs encrypt hook → LUKS passphrase prompt → root mounted
```
### Login-time (currently: manual SDDM login, no KWallet auto-open)
```
SDDM greeter → user types password → PAM sddm → pam_unix validates → session started
→ pam_kwallet5.so would unlock wallet (BROKEN: module missing)
```
### Target state (proposed)
```
Boot: LUKS passphrase entered
→ system up → SDDM greeter shown
→ Option A (autologin): SDDM skips password → session starts → KWallet opened with stored key
→ Option B (PAM reuse): SDDM password == user password == KWallet password → pam_kwallet6 unlocks wallet on login
```
## Likely edit points
### To fix KWallet auto-open via PAM (Option B — recommended)
1. **Install `kwallet-pam` package** (AUR: `kwallet-pam` provides `pam_kwallet6.so`) — PREREQUISITE
2. **`/etc/pam.d/sddm`** — replace `pam_kwallet5.so` references with `pam_kwallet6.so` in auth and session stacks
3. **`/etc/pam.d/sddm-autologin`** — same replacement if autologin is also desired
4. **`~/.config/kwalletrc`** — create/configure wallet to use blowfish or GPG encryption; set wallet name
5. **Initialize wallet** — run `kwalletd6` or use `kwallet-query` to create the default wallet with the user's login password as the unlock password
### To configure SDDM for Wayland session (currently X11 default)
6. **`/etc/sddm.conf.d/hyprland.conf`** (new file) — set `DisplayServer=wayland` or leave X11 and use Wayland session via `wayland-session` script
### To configure SDDM autologin (Option A)
7. **`/etc/sddm.conf.d/autologin.conf`** (new file) — set `User=alex`, `Session=hyprland`
### To track these system files in the dotfiles repo
8. Add symlinks or a deploy script — system PAM files are outside the current dotfiles scope
## Risks and ambiguities
- [risk] **`pam_kwallet5.so` vs `pam_kwallet6.so` mismatch**: PAM files reference kwallet5 module; installed binary is kwalletd6. The `kwallet-pam` package for KF6 provides `pam_kwallet6.so` — this must be installed from AUR or a compatible repo.
- [risk] **No KDE Plasma installed**: The system uses Hyprland, not Plasma. KWallet works standalone, but Plasma's system tray integration for wallet prompts won't be present. Apps must use the KWallet D-Bus API directly.
- [risk] **SDDM running X11 compositor by default**: The `default.conf` has `DisplayServer=x11`, but the user session is Hyprland (Wayland). SDDM itself can still launch Wayland sessions from an X11 greeter. This works but is a mismatch worth documenting.
- [risk] **autologin + KWallet security trade-off**: If autologin is used (Option A), KWallet cannot be unlocked by the user password (there is none at login). The wallet would need to be set to "no password" (plaintext) or use a keyfile — both reduce security.
- [risk] **pam_u2f.so at top of system-login and sddm**: U2F is configured as `sufficient` — meaning a hardware key can bypass password entirely. This could bypass KWallet unlock if the wallet password differs from the user password.
- [risk] **hyprlock uses `auth include login`**: The lock screen delegates to the `login` PAM chain, which does NOT include kwallet PAM modules. Unlocking hyprlock will NOT re-open the wallet.
- [risk] **Dotfiles repo scope boundary**: `/etc/pam.d/`, `/etc/sddm.conf.d/`, `/etc/mkinitcpio.conf`, and `/boot/loader/` are all outside the dotfiles repo. These are system files. Either the dotfiles repo needs to expand its scope (with a deploy script), or these changes must be managed separately.
- [risk] **mkinitcpio uses classic `encrypt` hook, not `sd-encrypt`**: The `sd-encrypt` (systemd) hook supports TPM2/FIDO2-bound LUKS keys for automatic unlock; the classic `encrypt` hook does not. If the goal involves TPM2-bound auto-unlock (true single-passphrase boot), migration to `sd-encrypt` would be required.
- [ambiguity] **"SDDM login" with LUKS**: LUKS unlock happens at boot (initramfs), before SDDM. There is no mechanism for SDDM to "reuse" the LUKS passphrase directly. The integration point is: user types the same password at SDDM → PAM propagates it to `pam_kwallet6` → wallet unlocked. The LUKS and SDDM passwords are independent unless deliberately set to the same value.
## Relations
- related_to [[Hyprland config]]
- related_to [[PAM configuration]]
Reference in New Issue View Git Blame Copy Permalink