
I have two PGP keys I use to sign and decrypt e-mails in kmail. When doing so, I have to enter the key's password (currently stored in KeePass).

Is it possible to save the passwords in my kwallet in a way that automatically unlocks the keys as needed? If so, how can this be achieved?


Edit: I have found something similar here, but for SSH keys rather than PGP keys. Maybe that can be adapted?

2 Answers


Unlocking

Is it possible to save the passwords in my kwallet in a way that automatically unlocks the keys as needed? If so, how can this be achieved?

As far as I know this cannot be done in kWallet. Use gpg-agent instead. You can make its settings as liberal as you like, balanced between security and ease of access. Depending on which distribution you are running, the agent should work out of the box. Perhaps it's even already running in the background?

Other key management

I never used KeePass, so I don't know its features. However, kGPG might be worth looking at. It is a GUI front end to the system's GnuPG. Specifically, it also allows for low-ish level settings of GPG, including GPG agent.

GnuPG Settings

Here you can configure which gpg binary and which configuration file and home folder are used. These values are autodetected on first start and should already work.

Using the GnuPG agent makes work with GnuPG more comfortable as you do not need to type in your password for every action. It is cached in memory for a while so any operation that would require a password can immediately be done. Note that this may allow other people to use your private keys if you leave your session accessible to them.

kMail

The question also contains the kmail tag, so I will also elaborate on that. You might want to read the PGP configuration section and kmail FAQ, GnuPG section. If you have set up the keys using kGPG above, you don't have to be very worried about all the fat warnings and the steps in the top part of the page. Just be informed about them.

Integration

Integration is actually happening implicitly. kGPG just tells GnuPG which keys to create, modify, open and more actions. It lists in its interface what keys are on the system and their trust level etc. But in the background everything is stored in the ~/.gnupg directory in the GnuPG format. (I'm not sure if kGPG invokes GPG or is linked to GPG libraries, but the effect is the same)

kMail is just another kind of front end. It invokes the gpg command to access the keys stored in the same directory. For instance for signing, encrypting and decrypting.

The gpg-agent is session wide. Meaning, if you unlock a private key in kGPG, it will also be unlocked for kMail and vice versa.


Edit

I just found kwalletcli, which provides kwallet bindings for pinentry. My distribution does not provide a package, so at this moment I'm unable to try it out.

You might have to manually install the package if your distro does not support it as well.

Once again, arch wiki comes along and saves the day:

Tip: For using /usr/bin/pinentry-kwallet you have to install the kwalletcli package.

~/.gnupg/gpg-agent.conf:
#pinentry interface with kdewallet
pinentry-program /usr/bin/pinentry-kwallet

Alternative

If you don't want to or can't install kwalletcli, you might be able to do some scripting using the kwallet-query command. You will have to have knowledge about which wallet to open to obtain the password. See man kwallet-query for more info.

However, gpg does not allow password input from STDIN by default, so you will need to configure gpg for it.

Note on ssh-agent

If you get gpg-agent to work properly, you can use it also as a ssh-agent.

Example on Kubuntu 22.04 (Jellyfish) of how to use Keybase PGP keys with Git (auth & sign)

# setup Keybase where you're storing PGP keys in cloud
# https://keybase.io/docs/the_app/install_linux

# Import the public key
keybase pgp export | gpg --import

# Import the private key
keybase pgp export -s | gpg --allow-secret-key-import --import

# show all keys
gpg --list-keys --with-keygrip
gpg --list-secret-keys --with-keygrip

# There should be 3 keys: one main [SC]==PUBKEY_USAGE_SIG&PUBKEY_USAGE_CERT and two subkeys [A]==PUBKEY_USAGE_AUTH && [E]==PUBKEY_USAGE_ENC

# Now you have to edit main one ([SC] ID) of them to "trust" it
gpg --edit-key PUT_[SC]_ID_HERE

key 0
trust
5
y
key 1
trust
5
y
key 2
trust
5
y
quit

echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
echo 'pinentry-program /usr/bin/pinentry-kwallet' >> ~/.gnupg/gpg-agent.conf

gpg -K --with-keygrip
echo 'PUT_[A]_keygrip_ID_HERE' >> ~/.gnupg/sshcontrol

echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc
echo 'gpgconf --launch gpg-agent' >> ~/.bashrc

# setup git configs & set your favorite editor
echo 'export VISUAL="vim"' >> ~/.bashrc
git config --global commit.gpgsign true
gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey [SC]_sec_id
git config --global user.name "stackexchange"
git config --global user.email [email protected]


# reload terminal env & gpg-agent and check everything works
source ~/.bashrc
gpgconf --kill gpg-agent
ssh-add -L
ssh -T [email protected]
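The `gpg -K --with-keygrip` / `echo '...' >> ~/.gnupg/sshcontrol` step above asks you to copy the [A] subkey's keygrip by hand. The following script is an added example, not part of the answer or of any of the tools it mentions: it reads gpg's machine-readable listing (`gpg -K --with-colons --with-keygrip`, where field 12 of a sec/ssb record lists capabilities and the following grp record carries the keygrip in field 10), picks only authentication-capable subkeys, and merges them into sshcontrol without duplicating entries or overriding ones you have disabled with `!`. The sample listing is constructed; the sshcontrol line format (`KEYGRIP TTL`) follows the gpg-agent documentation.

```python
"""Add the [A] subkey keygrips to ~/.gnupg/sshcontrol without copying them by hand.

Added example (not part of the answer above): parses `gpg -K --with-colons
--with-keygrip` and idempotently merges authentication subkeys into sshcontrol.
"""
import subprocess
from pathlib import Path
from typing import List

# Constructed sample of `gpg -K --with-colons --with-keygrip` output: a primary
# key [SC] and two subkeys, [A] (authentication) and [E] (encryption). Field 12
# of a sec/ssb record holds the capabilities (lowercase = this key's own); the
# grp record following a key record carries its keygrip in field 10.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1655000000:::u:::scESCA:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1655000000::0123456789ABCDEF0123456789ABCDEF01234567::stackexchange <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1655000000::::::a::::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
ssb:u:4096:1:1122334455667788:1655000000::::::e::::+:::23:
fpr:::::::::1122334455667788112233445566778811223344:
grp:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
"""


def auth_keygrips(listing: str) -> List[str]:
    """Return the keygrips of usable keys whose own capabilities include 'a'."""
    grips: List[str] = []
    pending = False                     # True while waiting for the grp record
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 11:
            # Only a lowercase 'a' means *this* key authenticates; uppercase
            # letters summarise the whole key. Skip revoked/expired keys.
            pending = "a" in f[11] and f[1] not in ("r", "e")
        elif f[0] == "grp" and pending and len(f) > 9:
            grips.append(f[9])
            pending = False
    return grips


def merge_sshcontrol(existing: str, grips: List[str]) -> str:
    """Return sshcontrol content with every keygrip present exactly once.

    Lines are "KEYGRIP [TTL] [FLAGS]"; '#' starts a comment and a leading '!'
    disables an entry. Entries already there (disabled or not) are left alone.
    """
    present = set()
    for line in existing.splitlines():
        tokens = line.split("#", 1)[0].strip().lstrip("!").split()
        if tokens:
            present.add(tokens[0].upper())
    out = existing if not existing or existing.endswith("\n") else existing + "\n"
    for grip in grips:
        if grip.upper() not in present:
            out += f"{grip} 0\n"        # TTL 0 = gpg-agent's default cache time
            present.add(grip.upper())
    return out


def run_gpg_listing() -> str:
    """Run gpg for the real listing (not used by the offline test)."""
    return subprocess.run(["gpg", "-K", "--with-colons", "--with-keygrip"],
                          check=True, capture_output=True, text=True).stdout


def update_sshcontrol(path: Path = Path.home() / ".gnupg" / "sshcontrol") -> List[str]:
    """Merge the current [A] keygrips into sshcontrol; returns what was found."""
    grips = auth_keygrips(run_gpg_listing())
    existing = path.read_text() if path.exists() else ""
    path.write_text(merge_sshcontrol(existing, grips))
    return grips


if __name__ == "__main__":
    for grip in update_sshcontrol():
        print("authentication keygrip in sshcontrol:", grip)
```

Run it once after importing the Keybase keys; `ssh-add -L` should then list the [A] subkey. Because the merge keeps disabled (`!`) entries as they are, re-running it never re-enables a key you deliberately took out of the agent.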
  • Thank you for your answer. Especially the part about gpg-agent looks promising. Do you know if it can be set up in a manner similar to this? That looks pretty much exactly like what I'm looking for. Commented Jun 26, 2018 at 19:41
  • @BaummitAugen See my edit
    – Tim
    Commented Jun 26, 2018 at 20:12
  • The kwalletcli works like a charm, thank you! I suppose I'll leave the bounty up for a bit for the (probably unlikely) event that someone knows an even better solution; otherwise, I'll award to you. Commented Jun 26, 2018 at 20:39

Based on kwalletcli suggested in @Tim’s answer, I wrote a small python script to look up passphrases in kwallet, available on github. Its only dependency is the keyring python module.

Just tell gpg-agent to use it instead of your current pinentry, and it will do the magic. It also will run a real pinentry process in the background for everything that’s not asking for passphrases.
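The script described in this answer, and the "Alternative" in the first answer (scripting a passphrase lookup instead of installing kwalletcli), both rely on one mechanism: gpg-agent talks to whatever `pinentry-program` points at over the Assuan pinentry protocol, so a program that answers `GETPIN` itself and hands everything else to a real pinentry can serve passphrases from a store. The following is an added example that reproduces that mechanism; it is not the author's github script or kwalletcli. It keys the lookup on the keygrip gpg-agent sends in `SETKEYINFO`, falls back to a real pinentry for `CONFIRM`, `MESSAGE`, `OPTION` and any `GETPIN` the store cannot answer, and percent-escapes the returned data as the protocol requires. The pinentry path `/usr/bin/pinentry-curses` and the keyring service name `gpg-passphrase` are assumptions; `run_session` exists only so the exchange can be exercised offline.

```python
"""Pinentry front-end that answers GETPIN from a passphrase store.

Added example (not the script from the answer above, nor kwalletcli): speaks
the subset of the Assuan pinentry protocol gpg-agent uses, looks passphrases
up by keygrip through a pluggable `lookup`, and forwards everything else to a
real pinentry. The pinentry path and keyring service name are assumptions.
"""
import subprocess
import sys
from typing import Callable, List, Optional

Lookup = Callable[[str], Optional[str]]     # keygrip -> passphrase or None
Fallback = Callable[[str], List[str]]       # raw command line -> reply lines


def assuan_escape(text: str) -> str:
    # Data ("D") lines must percent-escape %, CR and LF.
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


class PinentryProxy:
    def __init__(self, lookup: Lookup, fallback: Fallback) -> None:
        self.lookup = lookup
        self.fallback = fallback
        self.keygrip: Optional[str] = None
        self.served_from_store = 0

    def handle(self, line: str) -> List[str]:
        line = line.rstrip("\r\n")
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "SETKEYINFO":
            # gpg-agent sends "n/KEYGRIP" (or s/, u/) before asking for a
            # passphrase, or "--clear" when no key is involved.
            self.keygrip = None if arg == "--clear" else arg.split("/", 1)[-1]
        elif cmd == "GETPIN" and self.keygrip:
            passphrase = self.lookup(self.keygrip)
            if passphrase is not None:
                self.served_from_store += 1
                return ["D " + assuan_escape(passphrase), "OK"]
        # OPTION, SETDESC, CONFIRM, MESSAGE, BYE, ... and unanswered GETPINs go
        # to the real pinentry so its state matches what gpg-agent expects.
        return self.fallback(line)


def run_session(proxy: PinentryProxy, lines: List[str]) -> List[str]:
    """Drive a whole session in memory (offline testing); returns all replies."""
    replies = ["OK Pleased to meet you"]        # greeting a pinentry sends first
    for line in lines:
        replies.extend(proxy.handle(line))
        if line.strip().upper() == "BYE":
            break
    return replies


class SubprocessPinentry:
    """Fallback that pipes commands to a real pinentry (path is an assumption)."""

    def __init__(self, path: str = "/usr/bin/pinentry-curses") -> None:
        self.proc = subprocess.Popen([path], stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)
        self.proc.stdout.readline()             # swallow its greeting

    def __call__(self, line: str) -> List[str]:
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        replies: List[str] = []
        while True:                             # a reply ends with OK or ERR
            reply = self.proc.stdout.readline().rstrip("\n")
            replies.append(reply)
            if not reply or reply.startswith(("OK", "ERR")):
                return replies


def keyring_lookup(keygrip: str) -> Optional[str]:
    """Look the passphrase up via the keyring module (service name assumed)."""
    import keyring                              # picks the kwallet backend on KDE
    return keyring.get_password("gpg-passphrase", keygrip)


def main() -> None:
    proxy = PinentryProxy(keyring_lookup, SubprocessPinentry())
    sys.stdout.write("OK Pleased to meet you\n")
    sys.stdout.flush()
    for line in sys.stdin:
        for reply in proxy.handle(line):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()
        if line.strip().upper() == "BYE":
            break


if __name__ == "__main__":
    main()
```

Point `pinentry-program` in `~/.gnupg/gpg-agent.conf` at this file (made executable), then `gpgconf --kill gpg-agent`. Keys whose keygrip is in the store unlock silently; anything else still reaches the normal pinentry dialog, so the worst case is the behaviour you had before.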
