Unlocking
Is it possible to save the passwords in my kwallet in a way that
automatically unlocks the keys as needed? If so, how can this be
achieved?
As far as I know this cannot be done in kWallet. Use gpg-agent instead. You can make its settings as liberal as you like, balancing security against ease of access. Depending on which distribution you are running, the agent should work out of the box. Perhaps it is even already running in the background?
Other key management
I have never used KeePass, so I don't know its features. However, kGPG might be worth looking at. It is a GUI front end to the system's GnuPG. Specifically, it also allows for low-ish level settings of GPG, including the GPG agent.
GnuPG Settings
Here you can configure which gpg binary and which configuration file
and home folder are used. These values are autodetected on first start
and should already work.
Using the GnuPG agent makes work with GnuPG more comfortable as you do
not need to type in your password for every action. It is cached in
memory for a while so any operation that would require a password can
immediately be done. Note that this may allow other people to use your
private keys if you leave your session accessible to them.
kMail
The question also contains the kmail tag, so I will also elaborate on that. You might want to read the PGP configuration section and the kmail FAQ, GnuPG section. If you have set up the keys using kGPG as above, you don't have to be very worried about all the fat warnings and the steps in the top part of the page. Just be informed about them.
Integration
Integration actually happens implicitly. kGPG just tells GnuPG which keys to create, modify, open, and so on. It lists in its interface which keys are on the system, their trust level etc. But in the background everything is stored in the ~/.gnupg directory in the GnuPG format. (I'm not sure if kGPG invokes GPG or is linked to the GPG libraries, but the effect is the same.)
kMail is just another kind of front end. It invokes the gpg command to access the keys stored in the same directory, for instance for signing, encrypting and decrypting.
The gpg-agent is session-wide, meaning that if you unlock a private key in kGPG, it will also be unlocked for kMail and vice versa.
Edit
I just found kwalletcli, which provides kwallet bindings for pinentry. My distribution does not provide a package, so at this moment I'm unable to try it out.
You might have to install the package manually if your distro does not provide it either.
Once again, the Arch Wiki comes along and saves the day:
Tip: For using /usr/bin/pinentry-kwallet you have to install the kwalletcli package.
~/.gnupg/gpg-agent.conf:
#pinentry interface with kdewallet
pinentry-program /usr/bin/pinentry-kwallet
Alternative
If you don't want to or can't install kwalletcli, you might be able to do some scripting using the kwallet-query command. You will have to know which wallet to open to obtain the password. See man kwallet-query for more info.
However, gpg does not allow password input from STDIN by default, so you will need to configure gpg for it.
Note on ssh-agent
If you get gpg-agent to work properly, you can also use it as an ssh-agent.
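The kwallet-query route above ends with the remark that gpg will not take a password from STDIN by default. The script below is an added illustration of the gpg side of that, not part of the answer: it generates a throwaway key in a temporary GNUPGHOME, kills the agent so its cache cannot answer, and then decrypts with the passphrase arriving on fd 0 under --pinentry-mode loopback, which is the mode that makes --passphrase-fd work in GnuPG 2.1 and later. The passphrase is a constructed stand-in for what a kwallet-query lookup would return; the kwallet-query folder and entry names in the comment are assumptions. It needs gpg installed and prints SKIP otherwise.

```sh
#!/bin/sh
# Added example: feed gpg a passphrase through a pipe instead of pinentry.
# GnuPG 2.1+ ignores --passphrase/--passphrase-fd unless --pinentry-mode loopback
# is set; otherwise the agent insists on a pinentry dialog, which fails in a
# non-interactive shell. Runs entirely in a throwaway GNUPGHOME.

gpg_loopback_roundtrip() {
  command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  export GNUPGHOME="$home"

  # Constructed stand-in for the secret you would fetch from KWallet, e.g.
  #   pass=$(kwallet-query -f Passwords -r gpg-passphrase kdewallet)
  # (folder and entry names are assumptions; use whatever your wallet holds).
  pass='correct horse battery staple'
  uid='Loopback Test <loopback@example.invalid>'

  # Unattended key generation; --passphrase is honoured only in loopback mode.
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
      --quick-gen-key "$uid" default default >/dev/null 2>&1 \
      || { rm -rf "$home"; unset GNUPGHOME; return 1; }

  printf '%s\n' 'the quick brown fox' > "$home/msg.txt"
  gpg --batch --quiet --yes --trust-model always -r loopback@example.invalid \
      -o "$home/msg.gpg" -e "$home/msg.txt" 2>/dev/null \
      || { rm -rf "$home"; unset GNUPGHOME; return 1; }

  # Drop the agent (and its passphrase cache) so the key really has to be
  # unlocked again; gpg will relaunch the agent for this GNUPGHOME on demand.
  gpgconf --kill gpg-agent

  # The passphrase arrives on fd 0: nothing is typed and no pinentry appears.
  out=$(printf '%s\n' "$pass" | gpg --batch --quiet --pinentry-mode loopback \
      --passphrase-fd 0 -d "$home/msg.gpg" 2>/dev/null)
  rc=$?

  gpgconf --kill gpg-agent
  rm -rf "$home"
  unset GNUPGHOME
  [ "$rc" -eq 0 ] || return 1
  printf '%s\n' "$out"
}
```

Note that gpg-agent normally caches a passphrase after a successful use (default-cache-ttl), so in a real session the second call in quick succession may not even read the pipe; the kill between the steps is there only to make the demonstration honest. Wiring kwallet-query into this means the wallet, not a pinentry, becomes the thing that must be unlocked.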
Example on Kubuntu 22.04 (Jellyfish) of how to use Keybase PGP keys with Git (auth & sign)
# Set up Keybase, where the PGP keys are stored in the cloud:
# https://keybase.io/docs/the_app/install_linux

# Import the public key
keybase pgp export | gpg --import
# Import the private key
keybase pgp export -s | gpg --allow-secret-key-import --import

# Show all keys together with their keygrips
gpg --list-keys --with-keygrip
gpg --list-secret-keys --with-keygrip
# There should be 3 keys: one primary key [SC] (PUBKEY_USAGE_SIG & PUBKEY_USAGE_CERT)
# and two subkeys, [A] (PUBKEY_USAGE_AUTH) and [E] (PUBKEY_USAGE_ENC).

# Mark the imported key as trusted. Ownertrust belongs to the whole key
# (primary plus subkeys), so setting it once is enough; selecting subkeys
# with "key 0" / "key 1" / "key 2" is only needed for per-subkey commands.
gpg --edit-key PUT_[SC]_ID_HERE
trust
5
y
quit

# Let gpg-agent act as the SSH agent and use the KWallet pinentry
# (pinentry-kwallet is provided by the kwalletcli package)
echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
echo 'pinentry-program /usr/bin/pinentry-kwallet' >> ~/.gnupg/gpg-agent.conf
# Register the keygrip of the [A] subkey with the agent's SSH side
gpg -K --with-keygrip
echo 'PUT_[A]_keygrip_ID_HERE' >> ~/.gnupg/sshcontrol
# Point ssh at the agent's socket and start the agent on every shell start
echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc
echo 'gpgconf --launch gpg-agent' >> ~/.bashrc

# Set up git configs & set your favorite editor
echo 'export VISUAL="vim"' >> ~/.bashrc
git config --global commit.gpgsign true
gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey [SC]_sec_id
git config --global user.name "stackexchange"
git config --global user.email [email protected]

# Reload the terminal env, restart gpg-agent so it reads the new config, and check everything works
source ~/.bashrc
gpgconf --kill gpg-agent
ssh-add -L
ssh -T [email protected]
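The step above that copies the [A] subkey's keygrip from the terminal into ~/.gnupg/sshcontrol can be scripted from gpg's machine-readable output instead. The following is an added example, not code from the answer: it picks every key with the "a" (authentication) capability out of `--with-colons --with-keygrip` output and appends its keygrip to sshcontrol only if it is not already there. The colon-separated listing is constructed to look like the output for a primary [SC] key with an [E] and an [A] subkey; the key IDs, fingerprints and keygrips in it are made up.

```sh
#!/bin/sh
# Added example: register the authentication subkey's keygrip in sshcontrol
# from `gpg -K --with-colons --with-keygrip` output, idempotently.
#
# Colon format used below (see GnuPG's doc/DETAILS):
#   sec/ssb records: field 12 holds the key capabilities, lowercase letters
#                    for this key (a = authentication), uppercase for the
#                    whole key including its subkeys
#   grp records:     field 10 holds the keygrip of the preceding sec/ssb

# Constructed sample output; NOT a real key (IDs, fingerprints, grips are fake).
SAMPLE_COLONS='sec:u:255:22:0123456789ABCDEF:1690000000:::u:::scESCA:::+:::ed25519:::0:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1690000000::0000000000000000000000000000000000000000::Test User <test@example.invalid>::::::::::0:
ssb:u:255:18:FEDCBA9876543210:1690000000::::::e:::+:::cv25519::
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:255:22:1122334455667788:1690000000::::::a:::+:::ed25519::
fpr:::::::::CCCC0000CCCC0000CCCC0000CCCC0000CCCC0000:
grp:::::::::3333333333333333333333333333333333333333:'

# Read colon output on stdin, print the keygrip of every key whose own
# capabilities include "a". The uppercase "A" on the primary key only says
# that some subkey can authenticate, so it is deliberately not matched.
auth_keygrips() {
  awk -F: '($1 == "sec" || $1 == "ssb") { cap = $12; next }
           $1 == "grp" && cap ~ /a/      { print $10; cap = "" }'
}

# Append each keygrip read from stdin to the sshcontrol file given as $1,
# validating the format and skipping grips that are already listed.
add_to_sshcontrol() {
  ctl=$1
  [ -f "$ctl" ] || : > "$ctl"
  chmod 600 "$ctl"
  while IFS= read -r grip; do
    case "$grip" in ''|'#'*) continue ;; esac
    printf '%s\n' "$grip" | grep -Eq '^[0-9A-F]{40}$' \
      || { echo "not a keygrip: $grip" >&2; return 1; }
    grep -q "^$grip" "$ctl" || printf '%s\n' "$grip" >> "$ctl"
  done
}

# Real use: read the live keyring (gpg-agent's --with-keygrip output).
install_auth_keygrips() {
  gpg -K --with-colons --with-keygrip \
    | auth_keygrips \
    | add_to_sshcontrol "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol"
}

# Offline demonstration on the constructed sample: run the pipeline twice and
# print the resulting sshcontrol, which must contain the [A] grip exactly once.
demo_sshcontrol() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_COLONS" | auth_keygrips | add_to_sshcontrol "$dir/sshcontrol"
  printf '%s\n' "$SAMPLE_COLONS" | auth_keygrips | add_to_sshcontrol "$dir/sshcontrol"
  cat "$dir/sshcontrol"
  rm -rf "$dir"
}
```

After running install_auth_keygrips on a real keyring, `ssh-add -L` should list the corresponding public key once gpg-agent has been restarted with enable-ssh-support, exactly as in the manual steps above.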