The classical KDE Wallet uses blowfish algorithm to encrypt sensitive data before writing it to disk. The key used for the encryption is a user-defined password that sometimes is even left empty by the user!
GnuPG offers some very strong encryption algorithms and uses passphrase-protected long keys. But I’m not going to talk about GPG here. I’ll rather tell you that I just added a new backend in kwalletd allowing for GPG-encrypted wallets! The code is fully functional and I actually configured my KDE session to use it! So here are the screenshots.
As you can see, I now have a “testgpg” wallet that is selected as the system-default wallet. So what, you’d say? Well, I’d answer, as you can see there’s no apparent difference when using these wallets, and that’s expected behavior. Things changes however when you try to create a new wallet. There are two ways to do that. The usual way is in system settings, where user would click the “New…” button you see in the second screenshot. That will pop-up a wizard that I adjusted to let the user choose between the more secure GPG-backend or the classical, blowfish-based, backend.
After clicking “New…”, user is prompted for the new wallet’s name, as usual, then here is the redesigned “new wallet wizard”:
disclaimer: I’m not an english-native, so wording may not be the best in the following screenshots. Feel free to adjust the strings in the sources 😉
The screenshots above show the case where an encryption capable GPG key was found on the system. If the user do not have such a key, then the last page changes to this:
(the different color comes from the different color-scheme my test user has in it’s kde session)
And that’s all it takes!
If using KWalletManager, the wizard is slightly different (I don’t know why kwalletd uses two code paths for wallet creation, but I choose to keep this original behavior):
- Choose “File > New wallet…”
- Enter the new wallet’s name
- Next, the following wizard will show:
That’s it for this case too!
kwalletd will use GPG when storing wallets and when opening them. The same KDE session can handle simultaneously both file formats. kwalletd will transparently detect the file format and load the correct backend to handle it. So you can do as I did:
- Create a new GPG-based wallet (using one of the previous described methods)
- Fire KWalletManager and
- Select your old wallet then choose “File > Export as XML…” to create an XML file with your sensitive data
- Select the GPG-based wallet then choose “File > Import XML…”, then choose the file you just saved
- NOTE: “File > Import wallet…” should also work, but in that case you should choose the .kwl file corresponding to your old wallet, located in ~/.kde/share/apps/kwallet
- Go to System Settings > Account Details > KDE Wallet and select the newly created, GPG-based, wallet from the “select wallet to use as default” combo box
- gpg-encrypt the XML file to keep a back-up
What about file sizes? Well, on my system, the new GPG-based wallet show a dramatic drop in file size for storing the exact same data:
-rw------- 1 valentin valentin 60664 Aug 15 16:54 kdewallet.kwl
-rw------- 1 valentin valentin 19329 Aug 15 18:56 testgpg.kwl
The performance difference is not noticeable. There’s only a slight lag on first GPG library initialization.
IMPORTANT NOTE: the passphrase dialog only shows once. Even if the wallet is closed after initial open, subsequent opening will occur silently during the same KDE session! That’s great news for those annoyed by the kwallet password prompt in the middle of the KDE session.
Eager to test the code? I’d be glad to hear your feedback, as this code should be thoroughly tested and reviewed before letting it go to master. I’ll soon post a review-request on the official mailing list. The code is available under the kde-runtime’s branch named kwalletd-gpg. The new features are compiled-in only if your system has QGpgme, part of kdepimlibs, which in turn requires gnupg and gpgme.
A final word: those of us who own a FSFE Fellowship Smart Card now have a new cool usage for it!