Kwallet security and LUKS

My setup is Manjaro KDE. I don’t use full-disk encryption but encrypt some drives on demand with LUKS. I have been in the habit of letting KWallet save the passphrases, which is the default behavior.

After reading about the security shortcomings of Kwallet, see

https://bbs.archlinux.org/viewtopic.php?id=233278

I think it would be a reasonable precaution to save LUKS passphrases in a different KWallet (not the default “kwallet”) since the default wallet is always open after login and has only the weakest access control (string check of the requesting application’s name if I understand correctly.)

The only answer to the question of how to change the wallet I have found so far is from the google AI, which tells me that with the opened LUKS partition, changing the location of the wallet that has the passphrase is as simple as

cryptsetup luksChangeKey --kwallet "kwallet-name" /dev/mapper/my_luks_name

but I can find no evidence in the cryptsetup-lukschangekey man page that a --kwallet option to cryptsetup luksChangeKey even exists. Maybe this is an AI hallucination.

How do I change the kwallet that LUKS uses to look up the passphrase for encrypted drives?

It does not exist, your conclusion is plausible and comprehensible… :smile:

Could take some years until AI tools are able to provide the right answer (= command) for these type of questions.