Bug 482438 - Support key slot like LUKS, so people can use both password or smartcard to unlock kwallet
Status: REPORTED
Alias: None
Product: frameworks-kwallet
Classification: Frameworks and Libraries
Component: general (other bugs)
Version First Reported In: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Valentin Rusu
Reported: 2024-03-05 06:27 UTC by Celeste Liu
Modified: 2024-03-05 06:27 UTC

Description Celeste Liu 2024-03-05 06:27:14 UTC
SUMMARY

KWallet only supports one password to unlock kwallet. People may want to use FIDO/PIV to unlock wallets so that they needn't input a password after logging in with FIDO/PIV, and can use a password if the security key is unavailable. LUKS also faces this problem, so they designed a mechanism: passwords are no longer used directly; LUKS has multiple key slots, and the key in any slot can unlock LUKS. So with additional work like systemd-cryptenroll, the FIDO device can generate a strong key as a new key slot. So people can use both passwords and FIDO/PIV to unlock LUKS.

You can see some documentation on the LUKS key slot at https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/on-disk-format-luks2.pdf

EXPECTED BEHAVIOR

KWallet has a similar key slot feature, so users can use FIDO/PIV to both log in and unlock kwallet.
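
A minimal model of the key-slot idea requested above, added here as an illustration; it is not KWallet or cryptsetup code and does not follow the LUKS2 on-disk format. The function names, the header layout and the HMAC-based wrap (a standard-library stand-in for an AES key wrap or AEAD) are assumptions, and the token secret is a constructed random value standing in for what a FIDO/PIV enrollment would produce.

```python
import hashlib
import hmac
import os

def _kek(secret, salt, iterations):
    # Per-slot key-encryption key; PBKDF2 stretches low-entropy passwords.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)

def _tag(kek, salt, ct):
    # Integrity tag: lets unlock() tell a right secret from a wrong one.
    return hmac.new(kek, b"mac" + salt + ct, hashlib.sha256).digest()

def _xor_stream(kek, salt, data):
    # Stand-in wrap (assumption): one 32-byte HMAC keystream block XORed with
    # the 32-byte master key. A real design would use AES key wrap or an AEAD.
    stream = hmac.new(kek, b"enc" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def add_slot(header, master, name, secret, iterations=100_000):
    """Wrap the same master key under a new credential (hypothetical layout)."""
    salt = os.urandom(16)
    kek = _kek(secret, salt, iterations)
    ct = _xor_stream(kek, salt, master)
    header[name] = {"salt": salt, "iter": iterations,
                    "ct": ct, "tag": _tag(kek, salt, ct)}

def unlock(header, secret):
    """Try every slot; return (slot name, master key) or (None, None)."""
    for name, slot in header.items():
        kek = _kek(secret, slot["salt"], slot["iter"])
        expected = _tag(kek, slot["salt"], slot["ct"])
        if hmac.compare_digest(expected, slot["tag"]):
            return name, _xor_stream(kek, slot["salt"], slot["ct"])
    return None, None

if __name__ == "__main__":
    master = os.urandom(32)          # the key that encrypts the wallet data
    token_secret = os.urandom(32)    # constructed stand-in for a token-derived key
    header = {}
    add_slot(header, master, "password", b"constructed example passphrase")
    add_slot(header, master, "token", token_secret)
    print(unlock(header, token_secret)[0])   # either credential yields the master key
    del header["token"]                      # revoke the token without re-encrypting data
    print(unlock(header, token_secret)[0])
```

Because the wallet data is encrypted only under the master key, adding or deleting a slot rewrites a small header entry and never touches the stored secrets.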