How to automatically unlock kwallet at start up?

Hi there, how can I automatically unlock kwallet at start up?
It kept asking for password at start up and I would like it to automatically unlock.

Thank you.

I use something like that in my configuration.nix

  security = {
    # If enabled, pam_wallet will attempt to automatically unlock the user’s default KDE wallet upon login.
    # If the user has no wallet named “kdewallet”, or the login password does not match their wallet password,
    # KDE will prompt separately after login.
    pam = {
      services = {
        ${userSettings.username} = {
          kwallet = {
            enable = true;
            package = pkgs.kdePackages.kwallet-pam;
          };
        };
      };
    };
};

error:
… while evaluating the attribute ‘config.system.build.toplevel’
at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:1:12284:
… while calling the ‘seq’ builtin
at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:1:12293:
(stack trace truncated; use ‘–show-trace’ to show the full, detailed trace)

   error: undefined variable 'userSettings'
   at /etc/nixos/configuration.nix:94:7:
       93|   security.pam.services = {
       94|     ${userSettings.username} = {
         |       ^
       95|       kwallet = {

I’m sorry I just pasted a chunk of my config. In this place you have to put your user name.
I mean instead ${userSettings.username} print "your_user_name"
Read more here.
P.S. For more understanding read this article from ArchWiki but keep in mind it’s ArchLinux not NixOs.

On my system I get

journalctl --user-unit=plasma-kwallet-pam.service

> systemd[2870]: Started Unlock kwallet from pam credentials.
> pam_kwallet_init[3169]: 2025/05/27 22:13:05 socat[3169] W address is opened in read-write mode but only supports read-only

is there some more configuration needed?

1 Like

An easy way is to just set the password for the kwallet to nothing. Like literally. You go into the password setting prompt and do not type in anything. Then set, it will not prompt it anymore.

What is the security risk when doing so?


Why is the user password set but not accepted?