Bug 482438

Summary: Support key slot like LUKS, so people can use both password or smartcard to unlock kwallet
Product: [Frameworks and Libraries] frameworks-kwallet Reporter: Celeste Liu <uwu>
Component: general Assignee: Valentin Rusu <valir>
Status: REPORTED ---    
Severity: normal CC: kdelibs-bugs-null
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Celeste Liu 2024-03-05 06:27:14 UTC
SUMMARY

KWallet only supports one password to unlock kwallet. People may want to use FIDO/PIV to unlock wallets so they needn't input a password after logging in by using FIDO/PIV, and can use a password if the security key is unavailable. LUKS also faces this problem, so they designed a mechanism: passwords are no longer used directly; LUKS has multiple key slots, and the key in any slot can unlock LUKS. So with additional work like systemd-cryptenroll, the FIDO device can generate a strong key as a new key slot. So people can use both passwords and FIDO/PIV to unlock LUKS.

You can see some documentation on the LUKS key slot in https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/on-disk-format-luks2.pdf

EXPECTED BEHAVIOR

KWallet has a similar key slot feature, so users can use FIDO/PIV to both login and unlock kwallet.
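
The key-slot mechanism this report asks for, as an added sketch that is not KWallet or cryptsetup code: one random master key protects the wallet, and each slot stores that key wrapped under a different unlock secret. The wrap (PBKDF2 pad plus HMAC tag) is a simplified standard-library stand-in, not the LUKS2 on-disk format; the function names, the iteration count and the byte string standing in for a FIDO/PIV-derived secret are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _derive(secret: bytes, salt: bytes):
    """Stretch a slot secret into a 32-byte wrapping pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def add_slot(slots: list, master_key: bytes, secret: bytes, kind: str) -> None:
    """Wrap the master key under a new secret; existing slots are untouched."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per slot, so each pad is used only once
    pad, mac_key = _derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    slots.append({"kind": kind, "salt": salt, "wrapped": wrapped, "tag": tag})


def unlock(slots: list, secret: bytes) -> Optional[bytes]:
    """Try every slot; return the master key from the first one that authenticates."""
    for slot in slots:
        pad, mac_key = _derive(secret, slot["salt"])
        expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"],
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))
    return None  # no slot matched: wrong password or unenrolled token


def demo() -> dict:
    master_key = os.urandom(32)      # the key that actually encrypts the wallet
    token_secret = os.urandom(32)    # constructed stand-in for a token-derived secret
    slots: list = []
    add_slot(slots, master_key, b"fallback passphrase", "password")
    add_slot(slots, master_key, token_secret, "token")
    return {
        "password": unlock(slots, b"fallback passphrase") == master_key,
        "token": unlock(slots, token_secret) == master_key,
        "wrong": unlock(slots, b"not the passphrase") is None,
    }


if __name__ == "__main__":
    print(demo())
```

Removing a slot revokes that secret without re-encrypting the wallet data, since the master key itself does not change.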