Network Manager knows four values for the 802.1x.private-key-password-flags setting: 0 (= None, ask always), 1 (= Agent Owned), 2 (= Not Saved) or 4 (= Not Required). If a Profile exists that has its 802.1x.private-key-password-flags set to 4 (e.g. because the underlying key is saved in a hardware token without PIN), kcm_networkmanagement resets this on any edit of the connection profile to 0.

## Root Cause:

https://invent.kde.org/plasma/plasma-nm/-/blob/master/libs/editor/settings/security802-1x.cpp?ref_type=heads#L148 ff parses the enum to entries in the Dropdown for editing. It does not handle the case "not required", thus defaulting to 0 (= ask always). Consequently, during saving the value 4 for not required also cannot be serialized (https://invent.kde.org/plasma/plasma-nm/-/blob/master/libs/editor/settings/security802-1x.cpp?ref_type=heads#L351 ff).

Note that fixing this likely requires modification of the PasswordField widget for which I could not find the source code easily as I am not deeply familiar with the codebase.
You got close! The widget lives here: https://invent.kde.org/plasma/plasma-nm/-/blob/master/libs/editor/widgets/passwordfield.cpp?ref_type=heads If you could produce a patch, that would be really appreciated. If you do, send it here: https://invent.kde.org/plasma/plasma-nm/-/merge_requests
Thanks for the link! I should have everything together for a patch then, but it will take a few days since I have to cross some company red tape.
Cool, no problem.
Git commit 5827abdde6e0a3aa2d701037a2b0c5a4004c0bb0 by Nate Graham, on behalf of Katharina Bogad.
Committed on 28/05/2026 at 17:04.
Pushed by ngraham into branch 'master'.

802.1x: Allow "Not Required" for Private Key Passwords

The settings silently swallowed 802.1x connections with private key password flags set to 4 (=Not Required) and reset them to 0 upon saving. This was due to two unrelated bugs: (a) in TLS connections, the flag is not in the passwordFlags but in the privateKeyPasswordFlags which were never examined, and (b) both loading and saving lacked code to properly serialize this flag.

FIXED-IN: 6.7.0

M +19 -2 libs/editor/settings/security802-1x.cpp

https://invent.kde.org/plasma/plasma-nm/-/commit/5827abdde6e0a3aa2d701037a2b0c5a4004c0bb0
Git commit 4646f07ed2928b652d159ce280ad5e6341110385 by Nate Graham.
Committed on 28/05/2026 at 17:05.
Pushed by ngraham into branch 'Plasma/6.7'.

802.1x: Allow "Not Required" for Private Key Passwords

The settings silently swallowed 802.1x connections with private key password flags set to 4 (=Not Required) and reset them to 0 upon saving. This was due to two unrelated bugs: (a) in TLS connections, the flag is not in the passwordFlags but in the privateKeyPasswordFlags which were never examined, and (b) both loading and saving lacked code to properly serialize this flag.

FIXED-IN: 6.7.0

(cherry picked from commit 5827abdde6e0a3aa2d701037a2b0c5a4004c0bb0)

2dd298ee 802.1x: Allow "Not Required" for Private Key Passwords

Co-authored-by: Katharina Bogad <katharina.bogad@aisec.fraunhofer.de>

M +19 -2 libs/editor/settings/security802-1x.cpp

https://invent.kde.org/plasma/plasma-nm/-/commit/4646f07ed2928b652d159ce280ad5e6341110385
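The lossy load/save round trip described in the report and the two commit messages, as an added stand-alone model; it is not plasma-nm code and not part of the thread. `Entry`, `Profile`, `loadLossy`, `loadFixed`, `toFlags` and `editAndSave` are hypothetical names; only the four flag values come from the report.

```cpp
#include <cstdint>

// Flag values as listed in the report (NetworkManager secret flags).
enum SecretFlag : uint32_t { None = 0, AgentOwned = 1, NotSaved = 2, NotRequired = 4 };

// Hypothetical dropdown entries; not the real PasswordField options.
enum class Entry { None, AgentOwned, NotSaved, NotRequired };

// Hypothetical stand-in for the 802.1x part of a connection profile.
struct Profile {
    bool tls;                          // TLS authenticates with a private key
    uint32_t passwordFlags;
    uint32_t privateKeyPasswordFlags;
};

// Model of the reported behaviour: only passwordFlags is read and there is
// no NotRequired branch, so value 4 falls through to the default entry.
Entry loadLossy(const Profile &p) {
    if (p.passwordFlags & AgentOwned) return Entry::AgentOwned;
    if (p.passwordFlags & NotSaved) return Entry::NotSaved;
    return Entry::None;
}

// Model of the fix: read the field that matches the method, handle all four values.
Entry loadFixed(const Profile &p) {
    const uint32_t f = p.tls ? p.privateKeyPasswordFlags : p.passwordFlags;
    if (f & NotRequired) return Entry::NotRequired;
    if (f & AgentOwned) return Entry::AgentOwned;
    if (f & NotSaved) return Entry::NotSaved;
    return Entry::None;
}

// Serialize the selected entry; the lossy variant has no case for NotRequired.
uint32_t toFlags(Entry e, bool handleNotRequired) {
    switch (e) {
    case Entry::AgentOwned: return AgentOwned;
    case Entry::NotSaved: return NotSaved;
    case Entry::NotRequired: return handleNotRequired ? NotRequired : None;
    default: return None;
    }
}

// Open the profile in the editor and save it without changing anything;
// returns the flags written back to the field the method uses.
uint32_t editAndSave(const Profile &p, bool fixed) {
    const Entry shown = fixed ? loadFixed(p) : loadLossy(p);
    return toFlags(shown, fixed);
}
```

A round-trip check of this kind, run once per flag value, is the regression test that catches an editor silently rewriting a setting it does not display.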