Hyprland (with UWSM): no secret service available on login (kwallet is installed but it won't start and autounlock)

EDIT: to be precise, the issue is that the “wallet” is not automatically unlocked on login. I know that because after opening KWalletManager I can just click on “open,” put in my user password, and have the “wallet” open.

Hi,

My problem is similar to this one: How to automatically unlock kwallet at start up?

However, after using the code suggested in the chosen solution, I still see no secret service available with kwallet (applications that depend on it complain there is no secret service).

    security = {
      # from
      # https://discourse.nixos.org/t/how-to-automatically-unlock-kwallet-at-start-up/61308/2
      #
      # If enabled, pam_wallet will attempt to automatically unlock the
      # user’s default KDE wallet upon login. If the user has no wallet
      # named “kdewallet”, or the login password does not match their
      # wallet password, KDE will prompt separately after login.
      pam = {
        services = {
          "jorge" = {
            kwallet = {
              enable = true;
              package = pkgs.kdePackages.kwallet-pam;
            };
          };
        };
        mount.additionalSearchPaths = [ pkgs.bindfs ];
      };
      sudo.enable = true;
      rtkit.enable = true;
    };

In a terminal, if I run kwalletd6 I see the following:

(process:12259): GLib-GIO-CRITICAL **: 14:20:17.517: g_dbus_proxy_get_object_path: assertion 'G_IS_DBUS_PROXY (proxy)' failed
Secret Service availability changed: Available
qt.dbus.integration: QDBusConnection: name 'org.kde.secretservicecompat' had owner '' but we thought it was ':1.381'

Afterwards, if I open an application that requires the secret service, I’m prompted for the wallet password; from there on everything works as expected.

I think that solution is incorrect. You’re not supposed to use your username as the PAM service’s name. Instead, put there the PAM service name of the display manager you’re using. For SDDM you would use either login or sddm, for greetd you would use greetd, etc…

For example, I’m using greetd so my config looks like this:

    security.pam.services = {
      greetd.kwallet = {
        enable = true;
        package = pkgs.kdePackages.kwallet-pam;
      };
    };

You can see if kwallet’s PAM service was loaded with this query:

$ journalctl --boot --grep=pam_kwallet

If you got -- No entries -- then that means that the service name is likely incorrect. Adjust it and try again.
You should see something like this:

syys 12 07:49:01 dellxps13 greetd[2169]: pam_kwallet5(greetd:setcred): pam_kwallet5: pam_sm_setcred
syys 12 07:49:02 dellxps13 greetd[2169]: pam_kwallet5(greetd:session): pam_kwallet5: pam_sm_open_session
syys 12 07:49:02 dellxps13 greetd[2169]: pam_kwallet5(greetd:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
syys 12 07:49:12 dellxps13 greetd[2241]: pam_kwallet5(greetd:auth): pam_kwallet5: pam_sm_authenticate
syys 12 07:49:12 dellxps13 greetd[2241]: pam_kwallet5(greetd:setcred): pam_kwallet5: pam_sm_setcred
syys 12 07:49:18 dellxps13 greetd[2241]: pam_kwallet5(greetd:session): pam_kwallet5: pam_sm_open_session
syys 12 07:49:18 dellxps13 greetd[2378]: pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
syys 12 07:49:18 dellxps13 uwsm_env-preloader[2407]:   PAM_KWALLET5_LOGIN
syys 12 07:49:18 dellxps13 uwsm_env-preloader[2407]:   PAM_KWALLET5_LOGIN

Once successfully loaded, see if you have PAM_KWALLET5_LOGIN defined in your environment (this variable is set by the pam_kwallet5 module):

$ printenv | grep PAM_KWALLET5_LOGIN
PAM_KWALLET5_LOGIN=/run/user/1000/kwallet5.socket

That variable is required by the libexec/pam_kwallet_init script (in the kwallet-pam package), which unlocks the kwallet.

Wait, I marked your comment as the solution but nvm. I do see the corresponding output of journalctl --boot --grep=pam_kwallet and have the envvar set too. But, regardless, Proton Bridge complains it couldn’t detect a secret service.

I opened Brave Browser and was asked for my password, what am I missing?

Try accessing the secret service using libsecret’s CLI:

nix-shell -p libsecret
secret-tool store --label='testing' foo bar
secret-tool lookup foo bar
secret-tool clear foo bar

If those commands give some error like secret-tool: The name is not activatable then the secret service is indeed not up, and the error is not just with Proton Bridge.

If it errors out, I would make sure that pam_kwallet_init has been executed. There is a plasma-kwallet-pam.service that comes with the kwallet-pam package which would call pam_kwallet_init normally, but it depends on other Plasma services (which do not exist) so it may not be usable.

To overcome that, add a call to ${pkgs.kdePackages.kwallet-pam}/libexec/pam_kwallet_init to your Hyprland config with exec-once, like in my config.

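The three checks from the answers above (journal entries for pam_kwallet, the PAM_KWALLET5_LOGIN variable, and the secret-tool probe) can be chained into one triage script. This is an added example, not code from any poster or from kwallet-pam; the function names `classify_pam_kwallet`, `next_step`, `sample_journal` and the state tokens they print are hypothetical, and the sample lines are copied from the journal output quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): triage of the pam_kwallet login chain.

# Classify `journalctl --boot --grep=pam_kwallet` output read on stdin:
#   not-loaded           no module lines (PAM service name likely wrong)
#   loaded:<svc>         module ran under PAM service <svc>, no socket logged
#   socket:<svc>:<path>  module logged its "final socket path"
classify_pam_kwallet() {
  awk '
    match($0, /pam_kwallet[0-9]*\([^:)]+:/) {
      svc = substr($0, RSTART, RLENGTH)
      sub(/^[^(]*\(/, "", svc); sub(/:$/, "", svc)
    }
    /final socket path: / { path = $0; sub(/.*final socket path: /, "", path) }
    END {
      if (svc == "") print "not-loaded"
      else if (path == "") print "loaded:" svc
      else print "socket:" svc ":" path
    }'
}

# Map the observations to the next step suggested in the thread.
# $1 = journal state, $2 = value of PAM_KWALLET5_LOGIN, $3 = secret-tool stderr
next_step() {
  case "$1" in not-loaded) echo "fix-pam-service-name"; return 0 ;; esac
  [ -n "$2" ] || { echo "env-missing"; return 0; }
  case "$3" in
    *"not activatable"*) echo "run-pam_kwallet_init" ;;  # e.g. via exec-once
    *) echo "secret-service-up" ;;
  esac
}

# Journal lines copied from the thread, for an offline run.
sample_journal() {
  cat <<'EOF'
syys 12 07:49:12 dellxps13 greetd[2241]: pam_kwallet5(greetd:auth): pam_kwallet5: pam_sm_authenticate
syys 12 07:49:18 dellxps13 greetd[2241]: pam_kwallet5(greetd:session): pam_kwallet5: pam_sm_open_session
syys 12 07:49:18 dellxps13 greetd[2378]: pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
EOF
}

if [ "${1:-}" = "--live" ]; then   # run against the current session
  command -v secret-tool >/dev/null || { echo "secret-tool missing"; exit 1; }
  state=$(journalctl --boot --grep=pam_kwallet 2>/dev/null | classify_pam_kwallet)
  err=$(secret-tool lookup foo bar 2>&1 >/dev/null || true)
  next_step "$state" "${PAM_KWALLET5_LOGIN:-}" "$err"
else
  next_step "$(sample_journal | classify_pam_kwallet)" "/run/user/1000/kwallet5.socket" ""
fi
```

Run it with `--live` inside `nix-shell -p libsecret` to probe the current session; without arguments it only evaluates the embedded sample lines.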

I put that on my original post for clarification. I’ll test your theory on the next restart and let you know.

Okay, yeah, you are correct:

➜  nix-shell -p libsecret
unpacking 'https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1' into the Git cache...
these 4 paths will be fetched (0.89 MiB download, 3.90 MiB unpacked):
  /nix/store/hq4c9wzzdnxj06f810b5rwkcvv0bb5cf-libgcrypt-1.11.1-lib
  /nix/store/10ahhmqpbmy6rpznpjjadwz8c722a256-libgpg-error-1.55
  /nix/store/nvxsavc5m25w942qggc7gn4bfkagqcy4-libsecret-0.21.7
  /nix/store/ggh2184cdrmaxa69x3hrgzhwhkwi3wyk-libsecret-0.21.7-dev
copying path '/nix/store/10ahhmqpbmy6rpznpjjadwz8c722a256-libgpg-error-1.55' from 'https://cache.nixos.org'...
copying path '/nix/store/hq4c9wzzdnxj06f810b5rwkcvv0bb5cf-libgcrypt-1.11.1-lib' from 'https://cache.nixos.org'...
copying path '/nix/store/nvxsavc5m25w942qggc7gn4bfkagqcy4-libsecret-0.21.7' from 'https://cache.nixos.org'...
copying path '/nix/store/ggh2184cdrmaxa69x3hrgzhwhkwi3wyk-libsecret-0.21.7-dev' from 'https://cache.nixos.org'...

[nix-shell:~]$ secret-tool store --label='testing' foo bar
Password:
secret-tool: The name is not activatable

[nix-shell:~]$

Okay, with your recommendation of Hyprland executing pam_kwallet_init I got this:

~
➜  nix-shell -p libsecret
unpacking 'https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1' into the Git cache...

[nix-shell:~]$ secret-tool store --label='testing' foo bar
Password:

[nix-shell:~]$

In other words, now it works!