[HowTo] Use kwallet as a login keychain for storing SSH key passphrases on KDE

Difficulty: ★★☆☆☆

INTRODUCTION

Every time you need to authenticate an SSH session on KDE you’ll be prompted for your SSH key passphrase. Below are the steps to remove this “feature”:

  1. Set kwallet as a passphrase store for SSH keys.
  2. Start the SSH agent upon login as a systemd service.
  3. Add all private keys present in ~/.ssh/ to the SSH agent.

INSTRUCTIONS

1. Install any required packages

Update your system and install the required packages as follows:

sudo pacman -Syu --needed kwallet ksshaskpass kwalletmanager

The modules required to unlock kwallet at login are located in the kwallet-pam and/or signon-kwallet-extension packages. Reinstalling these ensures you have everything. kwalletmanager isn’t necessary, but provides a convenient GUI to view the contents of kwallet.

2. Set the SSH_ASKPASS environment variable

Use nano to create a new shell script named ssh-askpass.sh in /etc/profile.d/:

sudo nano /etc/profile.d/ssh-askpass.sh

Then add the following text:

#!/bin/sh

export SSH_ASKPASS=/usr/bin/ksshaskpass

NB: Alternatively, if you do not wish to make SSH_ASKPASS a system-wide environment variable, you can set it in ~/.zshenv, ~/.bashrc, or equivalent.

3. Set the SSH_AUTH_SOCK environment variable

Use nano to edit your login shell’s startup file, e.g. ~/.zshenv, ~/.bashrc, etc.:

nano ~/.zshenv

Then add the following text:

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR"/ssh-agent.socket

4. Create the ssh-agent systemd service

Create the user-level systemd directory if it does not already exist:

mkdir -p ~/.config/systemd/user

Use nano to create the following ssh-agent systemd service:

nano ~/.config/systemd/user/ssh-agent.service

Then add the following text:

[Unit]
Description=SSH agent (ssh-agent)

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
Environment=DISPLAY=:0
ExecStart=ssh-agent -D -a $SSH_AUTH_SOCK
ExecStop=kill -15 $MAINPID

[Install]
WantedBy=default.target

5. Reload the user-level systemd daemon

Run the following command to make the user-level systemd daemon pick up the new unit file:

systemctl --user daemon-reload

6. Enable the new user-level systemd service

Enable the new user-level systemd service:

systemctl --user enable ssh-agent.service

7. Create startup script to add SSH keys to the agent

Use nano to create the following ssh-add.desktop startup script:

nano ~/.config/autostart/ssh-add.desktop

Then add the following text:

[Desktop Entry]
Exec=sh -c "ssh-add -q ~/.ssh/key1 ~/.ssh/key2 ~/.ssh/key3 < /dev/null"
Name=ssh-add
Type=Application

Note that your keys need to be listed in the Exec line. Depending on how Plasma launches autostart entries, the Exec line is not necessarily run through a shell, in which case neither ~ nor the < /dev/null redirection is interpreted; wrapping the command in sh -c "…" makes it work either way. The < /dev/null part keeps ssh-add from trying to read the passphrase from a terminal, so it falls back to SSH_ASKPASS (ksshaskpass), which in turn stores the passphrase in kwallet.

8. Reboot

Reboot for the changes to take effect.

sudo systemctl reboot

9. Add your SSH key passphrases to kwallet

You may be prompted by a series of dialogue boxes asking for each of your SSH key passphrases. If not, run the following code for each of your SSH private keys to store their passphrases in kwallet:

ssh-add -q /path/to/key < /dev/null
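When something in the chain above is missing, the usual symptom is ssh-add printing “Could not open a connection to your authentication agent.” or prompting on the terminal instead of via ksshaskpass. The following check script is an added example, not part of the original wiki post: it verifies that SSH_AUTH_SOCK matches the path the systemd unit uses (%t/ssh-agent.socket, i.e. $XDG_RUNTIME_DIR/ssh-agent.socket), that the socket exists, that SSH_ASKPASS points at an executable, and it counts the identities reported by `ssh-add -l`. The function names and the `--run` flag are this example’s own choices; the ssh-add messages it matches are the ones ssh-add actually prints.

```shell
#!/bin/sh
# Diagnostic for the ssh-agent + ksshaskpass + kwallet setup described above.
# Added example, not part of the original post. Every check is a function that
# prints a reason and returns 1 on failure, so the file can be sourced and the
# checks called individually, or run as "sh agent-check.sh --run".

# The unit binds the agent to %t/ssh-agent.socket; %t is the runtime directory,
# so the shell must export exactly $XDG_RUNTIME_DIR/ssh-agent.socket.
expected_socket_path() {
    # $1: runtime directory (defaults to $XDG_RUNTIME_DIR)
    runtime_dir="${1:-$XDG_RUNTIME_DIR}"
    printf '%s/ssh-agent.socket\n' "$runtime_dir"
}

# SSH_AUTH_SOCK must be set, must match the unit's path, and must be a socket.
check_auth_sock() {
    # $1: value to test (defaults to $SSH_AUTH_SOCK), $2: runtime directory
    sock="${1:-$SSH_AUTH_SOCK}"
    runtime_dir="${2:-$XDG_RUNTIME_DIR}"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is not set: add the export to /etc/profile.d or your shell rc"
        return 1
    fi
    if [ "$sock" != "$(expected_socket_path "$runtime_dir")" ]; then
        echo "SSH_AUTH_SOCK=$sock does not match the unit's %t/ssh-agent.socket"
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock is not a socket: check 'systemctl --user status ssh-agent.service'"
        return 1
    fi
    return 0
}

# SSH_ASKPASS must name an executable, otherwise ssh-add falls back to the
# terminal (and fails outright when started from an autostart entry, which has no tty).
check_askpass() {
    # $1: value to test (defaults to $SSH_ASKPASS)
    askpass="${1:-$SSH_ASKPASS}"
    if [ -z "$askpass" ]; then
        echo "SSH_ASKPASS is not set"
        return 1
    fi
    if [ ! -x "$askpass" ]; then
        echo "SSH_ASKPASS=$askpass is not an executable file (is ksshaskpass installed?)"
        return 1
    fi
    return 0
}

# Count identities from "ssh-add -l 2>&1" output read on stdin.
# ssh-add prints "The agent has no identities." when the agent is reachable but
# empty, and "Could not open a connection to your authentication agent." (on
# stderr, hence the 2>&1) when SSH_AUTH_SOCK does not lead to a live agent.
count_agent_keys() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "The agent has no identities."|"") ;;
            "Could not open a connection"*) echo "$line" >&2; return 1 ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Run every check against the live session; exit status 0 means all passed.
run_all_checks() {
    status=0
    check_auth_sock || status=1
    check_askpass || status=1
    if [ "$status" -eq 0 ]; then
        keys=$(ssh-add -l 2>&1 | count_agent_keys) || status=1
        echo "identities loaded in agent: ${keys:-0}"
    fi
    return "$status"
}

# Only touch the live session when explicitly asked, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

Run it as `sh agent-check.sh --run` from a Plasma terminal after the reboot in step 8; a mismatch between SSH_AUTH_SOCK and the unit’s socket path is the most common reason the ssh-add autostart entry reports no agent even though `systemctl --user status ssh-agent.service` shows it running.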

AUTHOR’S NOTES:


Please have a look at how to get it to work with ssh-agent running as a systemd service, in the Arch forum under this title (I’m not allowed to post links):
plasma: ssh-add autoscript doesn’t work w ssh-agent as systemd-service

I’ve had a go at rewriting this. Let me know how you get on.


Hi, I think it should be systemctl and not systemd in steps 5 and 6.

HTH
Jojo


Welcome, and right you are: wiki post edited accordingly.


Ooooohhh, THANK YOU Feakster and friends!

I was trying the Arch Wiki instructions (as a matter of fact, those in the KDE Wallet and SSH Keys pages) but they were not working. What’s different is the use of a systemd service and SSH_ASKPASS export in the profile.

  • I was asked for my SSH keys’ passwords on next logon
  • Now VSCode (from AUR) does not ask for my key’s password when I connect to a remote VM with Remote-SSH

I couldn’t be happier! It’s a small thing, but being asked for my password every time I changed folder on my VM in VS Code was really a pain.


# ssh-add -q ~/.ssh/id_ed25519 < /dev/null
Could not open a connection to your authentication agent.

Looks like your ssh agent isn’t running.

Today I felt like I need to once again try this and have it fixed myself. My findings are as follows:

This is the only way it worked for me. Adding lines to ~/.bashrc, ~/.zshrc and ~/.config/fish had no effect.
So, a working route for me was adding

export SSH_ASKPASS=/usr/bin/ksshaskpass
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR"/ssh-agent.socket

to /etc/profile.d/ssh-askpass.sh

Another hiccup. Under no circumstances did it work as an auto-generated systemd service, failing each and every time. I made it work only with the full path to the key of interest and without the “< /dev/null” part. Neither tilde dash nor $HOME could be accepted in the path to the ssh key.

And finally I have no prompt for the key password in Plasma, something I have had in Gnome by default since forever. Pity we have to jump through so many hoops to get here, but anyway it was well worth it.


Super helpful, thank you. For some reason the funtoo keychain simply does not work, and git asks for every push anyway, even though it says it is adding the keys to the keychain. Oh well. Done thinking about it thanks to this article.