Step‑by‑step guide to have your KDE Wallet (KWallet) automatically unlock when you log in via **ly** and then start **Hyprland**

KWallet-pam-ly-hyprland.md

Below is a step‑by‑step guide to have your KDE Wallet (KWallet) automatically unlock when you log in via ly and then start Hyprland. In short, you’ll:

1. Install the PAM module (kwallet-pam) and ensure your wallet password matches your user password
2. Hook PAM in ly’s login routine so it hands off your login password to KWallet
3. Autostart the helper (pam_kwallet_init) in your Hyprland config so that the wallet actually opens

With these in place, applications like Dolphin or Brave should stop nagging you for the wallet password after you’ve already logged in.

1. Install the necessary packages

Make sure you have the core KWallet components and the PAM integration module:

sudo pacman -S kwallet kwallet-pam kwalletmanager

• kwallet-pam provides the PAM module that lets your login password decrypt the wallet.
• kwallet is the Wallet daemon itself, and kwalletmanager is a GUI for managing your vaults.

2. Configure PAM to unlock KWallet in ly

The ly display manager uses its own PAM stack (/etc/pam.d/ly). You need to insert two lines so that ly’s authentication and session phases include the KWallet PAM module.

1. Open /etc/pam.d/ly as root (e.g. sudo nano /etc/pam.d/ly).
2. Under the auth section, add:

   auth    optional    pam_kwallet5.so
   

3. Under the session section, add:

   session optional    pam_kwallet5.so auto_start force_run
   

   • The auto_start flag tells it to launch the wallet daemon.
   • The force_run flag is needed when you log in on a plain TTY (which ly essentially is).
4. Save and exit.

💡 Why these lines?

• auth optional pam_kwallet5.so lets PAM hand off your login password to the wallet module.
• session optional pam_kwallet5.so auto_start force_run launches and unlocks the wallet once your session starts, even from a TTY.

If you don’t see a /etc/pam.d/ly, make sure ly is properly installed (it should drop that file). You can compare with /etc/pam.d/sddm or /etc/pam.d/lightdm to verify the correct placement.

3. Autostart the wallet helper in Hyprland

PAM will hand off the password, but your Wayland session still needs to actually run the helper binary. Add the following to your Hyprland config (e.g. ~/.config/hypr/hyprland.conf):

# run once when the Wayland session starts
exec-once = /usr/lib/pam_kwallet_init

or, if you prefer the systemd‐style wrapper:

exec-once = env XDG_AUTOSTART_DIR="$XDG_CONFIG_DIRS/autostart" /usr/bin/gtk-launch pam_kwallet_init

This matches the ArchWiki recommendation for “Unlocking KWallet automatically in a window manager.”

⚠️ Note: Some guides suggest exec --no-startup-id /usr/lib/pam_kwallet_init; Hyprland’s syntax is exec-once, but the idea is the same.

4. Double‑check wallet settings

1. Wallet name & encryption
   • Your wallet must be named kdewallet (the default) and use Blowfish encryption.
2. Password match
   • The KWallet password must exactly match your user login password for PAM to work.
3. Autologin & fingerprints
   • Automatic unlock won’t work if you use fingerprint login or an autologin method that doesn’t save the password.

5. Restart, log in, test

1. Reload or reboot your system:

   sudo systemctl restart ly.service
   reboot

2. At the ly prompt, log in as usual.
3. Once Hyprland starts, open Dolphin or your browser—KWallet should now already be unlocked.

If you still get prompted, check the journal for PAM errors:

journalctl -b | grep pam_kwallet

and verify that /usr/lib/pam_kwallet5.so is being invoked.

---

With these steps, your KWallet will play nicely with ly + Hyprland: one login, no extra wallet‐unlocking dance!

hi, i did this and the auto unlock works, but if i open a chromium browser on hyprland and them login on a bunch of sites, swap my session to plasma and open a browser there, then swap again to hyprland all the websites will be logged out. do you have any idea how to prevent that happening?

Changing exec-once to exec

exec-once only once per Hyprland launch, and never again until you fully exit and restart Hyprland.

So if you:

1. Boot into Hyprland exec-once runs
2. Switch to Plasma (Hyprland exit)
3. Switch back to Hyprland exec-once does not run again

That's why your KWallet daemons might not get re-launched or re-initialized when switching sessions. Even though the desktop restarts, exec-once thinks it already did its job.

Find a problem

1. Check if daemons are running

pgrep -x kwalletd6 && echo "kwalletd6 is running"

If either command prints nothing after you switch back to Hyprland, that daemon died and is why your wallet vanished.

2. Inspect PAM hooks

journalctl -b | grep pam_kwallet

You should see lines confirming pam_kwallet5.so auto_start ran at login. If you don’t, your wallet never unlocked in this session.

forgot to mention that the "swap" i do is a full logout and logon through sddm so the exec-once should have triggered.
i also made sure the wallet was open with kwallet manager

did some more investigation, and it seeems that chromium access kwallet through the portal in plasma but on hyprland it opens kwallet directly

hi, i did this and the auto unlock works, but if i open a chromium browser on hyprland and them login on a bunch of sites, swap my session to plasma and open a browser there, then swap again to hyprland all the websites will be logged out. do you have any idea how to prevent that happening?

adding "--password-store=kwallet6" to Chrome/Electron app's desktop file will fix that.
This can probably also be fixed with an ENV var, but I don't know what it is.