KWallet
KWallet is the KDE Plasma secrets store, and it is the Kubuntu equivalent of Gnome Keyring. The underlying job is the same: a system-level encrypted database that lives for the duration of your desktop session, storing credentials, keys, and other secrets so that applications can retrieve them without prompting you every time.
The difference in practice is that KWallet integrates cleanly with the rest of the KDE application suite, handles modern SSH key formats without issue, and does not require the workarounds that the source material this series is based on spends an entire page describing for Gnome Keyring. On Kubuntu, this is the right tool for the job from the start.
How KWallet works
When you log in to Kubuntu, KWallet is unlocked using your login passphrase and remains open for the duration of your session. Applications that need to store or retrieve a secret, a Wi-Fi password, a mail account credential, an SSH key passphrase, request it from KWallet rather than storing it themselves. When you log out, the wallet closes and everything in it is inaccessible until the next login.
The wallet itself is an encrypted file stored at ~/.local/share/kwalletd/. It is tied to your user session and encrypted with your login credentials by default, though you can configure it with a separate passphrase if you prefer an additional layer of protection.
Initial setup
KWallet is installed and enabled by default on Kubuntu. On first login you will be prompted to set it up if it has not been configured already. The default wallet is named kdewallet and the setup wizard will walk you through choosing an encryption backend and setting a passphrase.
Two encryption backends are available: Blowfish and GPG. The GPG option is worth considering if you already have a GPG key set up, as it ties wallet access to your GPG key rather than a standalone passphrase. For most setups at this stage of the series, Blowfish with a strong passphrase is the simpler and perfectly adequate choice.
To open KWallet Manager directly:
kwalletmanager5
Or find it via the application launcher by searching for “KWallet Manager”.
SSH agent integration
KWallet includes an SSH agent that integrates with the KDE session. When you attempt to use an SSH key that has a passphrase, KWallet prompts you once, stores the passphrase, and handles subsequent uses silently for the rest of the session.
This works with ed25519 keys, RSA keys, and all other key types supported by modern OpenSSH. There are no compatibility workarounds needed here, which is a meaningful improvement over the equivalent on Ubuntu with Gnome Keyring.
To verify the SSH agent is running:
echo $SSH_AUTH_SOCK
This should return a socket path. If it is empty, the KDE SSH agent may not have started. You can start it manually with:
eval $(ssh-agent)
And add your key:
ssh-add ~/.ssh/id_ed25519
KWallet will prompt for the passphrase and store it for the session.
Application integration
Most KDE applications use KWallet automatically. Kontact, KMail, Konqueror, and the KDE network manager all store credentials in KWallet without any additional configuration. When a non-KDE application such as Firefox or Thunderbird needs to store credentials, it uses its own internal storage by default, which is fine. Those applications have their own credential management that does not need to run through KWallet.
Where KWallet matters most in this setup is for system-level credentials: Wi-Fi passphrases, VPN credentials, and SSH key passphrases. These are all handled automatically once the wallet is unlocked at login.
Auto-unlock behaviour
By default, KWallet unlocks automatically at login using your session credentials. This is convenient and the right choice for most setups. If you want an additional layer of security, you can configure KWallet to require a separate passphrase at login, meaning the wallet will not open until you explicitly unlock it.
To configure this, open KWallet Manager, go to Settings, and change the wallet open policy. Be aware that if you set a separate passphrase, applications will prompt you to unlock the wallet early in the session rather than having it available immediately. This is a usability tradeoff worth thinking about before enabling it.
What KWallet does not replace
KWallet is a session secrets store, not a password manager. It handles credentials that applications need to retrieve programmatically during a session. It is not designed for storing and browsing passwords manually, generating strong passwords, or syncing credentials across devices.
For that, KeePassXC is the right tool, and it is covered in the next section. The two work alongside each other rather than in competition: KWallet handles session-level secrets automatically, KeePassXC handles everything you need to manage, generate, or access manually.
Think of KWallet as the infrastructure layer and KeePassXC as the interface. You interact with KeePassXC. KWallet runs quietly in the background.