CLI for the KDE Wallet

Sponsored by
HostEurope Logo

CLI for the KDE Wallet

Table of Content

Homepage of the Command-Line Interface to the KDE Wallet.

Get the Logo (SVG).

kwalletcli Logo

CLI for the KDE Wallet

What's it? A command-line interface to the KDE Wallet, for KDE 3, KDE 4 and KF5 (so shell scripts, Python, etc. do not need to use DCOP or D-Bus directly to access it to store passwords, instead being able to call this convenient wrapper). KF5 does come with a kwallet-query utility, however, it requires the caller to know the name of the default wallet, which most scripts won’t know, and lacks kwalletcli’s extra utilities.

Please read the wlog entry announcing kwalletcli public beta test for some more background information. Currently, only the default wallet is supported; while the CLI itself could be enhanced by a selection, the utilities also provided cannot really expose this functionality.

kwalletcli is OSI Certified Open Source Software™


Current version: kwalletcli 3.03 (2021-01-25)


The kwalletcli distfile provides a number of things:


Possible extensions include gnome-keyring bindings as well as some for the new KDE/GNOME intra-desktop keyring/wallet standard talking D-Bus instead of using the libkwalletclient convenience libraries; support for selecting a non-default keyring; more utilities on top of kwalletcli(1) (e.g. a libpurple plugin, and means for M*zilla Firef*x, Opera and other desktop software to use it to store passwords in the Wallet).

Bring Qt and KDE projects to agree about KWallet::Wallet::openWallet vs. QApplication::desktop()->screen()->winId() deprecation!


Debian has a kwalletcli (KDE 4) package from squeeze to jessie. The lenny-backports repository contains a kwalletcli (KDE 3) package. Debian stretch and newer ship a kwalletcli compiled for KF5; KDE 3/4 packages are available from the “WTF” APT repository (not official Debian). It is also packaged for Arch Linux, Slackware, several Gentoo portage overlays, in home:syeg on the OpenSuSE buildservice (various RPMs), for Chakra Linux, RHEL, and Fedora. Suggested packaging: various BSDs’ ports framework (MidnightBSD provides KDE anyway, others will also do), etc. — If the KDE (upstream) project desires, they may include it (under the licence included) in their framework and ship it by default.


Either Qt3 and KDE3, or Qt4 and KDE4, or Qt5 and KF5, development headers and libraries, and the matching compiler (gcc/g++ is tested, others are not). Either MirMake (MirBSD make(1)) or GNU make. For the scripts, mksh R38+ is a run-time dependency. The manpages require nroff/gnroff and the -mdoc macropackage to compile. The HTML manpages can only be re-made on MirBSD.

Language Bindings

C binding

See the source file kwalletcli.h for details. This is the source-level C binding API (function kw_io() and a couple of return value definitions) that can be re-used. There is no C++ binding, because the high-level KWallet API is already C++, although, for ease of use, the C binding can be used from others' C++ code as well.

Python binding (external)

There's a sample Python 2 binding (we don't know which exact minimum version is required) contributed to the Gajim source code (dual-licenced under the same licence as Gajim (GPLv3 only), as well as the same licence (MirBSD) as kwalletcli). The binding was originally written by the author of kwalletcli as well.

Note that the Python binding uses subprocess.Popen() and the Shell binding to do the actual work.

Shell binding

The kwalletcli(1) manpage provides a documentation of the shell binding. The other utilities part of the distribution, as well as the Python binding, serve as usage examples.

Python example (contrib)

This is a user-contributed example in Python, submitted by Stephen McIntosh:

import kwalletbinding as kw
def operation():
    op = raw_input("Add or Read? ")
    return op
def addpass():
      raw_input("Name: "),
      raw_input("Password: "))
def getpass():
    readpass = kw.kwallet_get('kdewalletcli',
      raw_input("Name: "))
    print "...\nThe password is: " + readpass

if kw.kwallet_available():
    op = operation()
    if op.lower() == "add":
    print "KDE Wallet not available!"

(edited slightly for legibility)


Passwords can, of course, only be accessed if the KDE Wallet is opened. Hence, the on-disc security of the passwords is the same as for all other applications using it. We make no statement on its security (the GnuPG mailing lists have some flamewars about it), but if this is “enough” for you (or, if you are a company sysadmin, your boss), you're welcome. On the other hand, since the KDE pop-up will only show “kwalletcli”, not the application/script using it, when it asks whether access to the Wallet is to be permitted, password stealing by untrusted-local applications is easier (but if you have these, you have totally different problems anyway). Hence, we suggest to “allow always” access for kwalletcli(1) and take the usual care when installing and running applications from third parties.

If you turn “iodebug” in pinentry-kwallet on, it will log the entire dialogue with both parent and co-process, including passwords, to a file in your home directory. (This can only be done by editing the script directly, which is why we refrain from warning the user in a dialogue, as an attacker can also remove that warning.)


The “Gajim” Jabber client supported kwalletcli, by means of the Python binding, for storing Jabber passwords in the KDE Wallet in an encrypted manner, from version 0.13 (committed after some discussion; Gajim already supported gnome-keyring) to 0.16.9, when they switched to another keyring-abstracting library.


kwalletcli 3.03

kwalletcli 3.02

kwalletcli 3.01

kwalletcli 3.00

kwalletcli 2.12

kwalletcli 2.11

kwalletcli 2.10

kwalletcli 2.03

MirBSD Logo