KDE Plasma
Base KDE Plasma packages for the full Plasma experience. Bundle with other packages to prevent package conflicts providing the same functionality.
TIP: Include any and all packages you want installed in a list to pacman. That way pacman will resolve package dependencies correctly and not install packages that would cause conflicts with other packages later on in the setup; e.g. the plasma group installs pulseaudio as a dependency of plasma-pa, but pulseaudio and pipewire (see below) are conflicting packages, meaning they can't both be installed at the same time prompting you to remove one or the other. Explicitly selected packages take precedence over packages auto-selected via dependencies.
pacman -S plasma plasma-wayland-session kde-applications
Setting up the display manager
The plasma package group includes the Simple Desktop Display Manager (SDDM) for signing into KDE Plasma sessions and others.
Enable SDDM to start on boot and present a graphical login interface:
systemctl enable sddm
SDDM uses the X11 keymap to determine the input method for the keyboard. Change the default keymap with localectl:
NOTE: Executing this command while chrooted into an installation will produce an error that the locale could not be found. Set it after rebooting the system: press CTRL + ALT + F3 when SDDM shows up (or any F-key between 2 and 7) to switch tty, log in via the command line and execute the command as root.
localectl set-x11-keymap de
Generate well-known user directories
xdg-user-dirs-update
KDE Wallet
KDE Wallet is the integrated password manager and secret store of KDE Plasma. It stores passwords to websites, WiFi networks, network shares, SSH keys and more.
Unlock Wallet automatically on login
To automatically unlock your wallet on login, the kwallet-pam package provides the necessary PAM modules (already part of the plasma package group).
There are several caveats to consider:
- Only blowfish encryption is supported
- Wallet can only be unlocked if the autologin method saves the password, e.g. when using pam_autologin
- Wallet cannot be unlocked when logging in with a fingerprint
- Wallet must be named kdewallet (default name)
- Disabling automatic closing of Wallet may be desired to keep it from asking for the password after every use
- When choosing to secure Wallet with a password it must match the user account password
Automatic unlocking can also be achieved by setting no password. Do keep in mind, however, that this could lead to potentially undesired read/write access to your secrets. Enabling Prompt when an application accesses a wallet under Access Control is highly recommended.
When setting up with SDDM as display manager (default for Plasma) no further PAM configuration is necessary, as the config comes with SDDM.
Storing SSH key passphrases in Wallet
KDE Wallet can be used to store passphrases for SSH keys and have a KDE prompt appear asking for the password.
To also automatically unlock the SSH keys, an SSH agent needs to be set up and running.
The openssh package (since version 9.4p1-3) comes with a systemd user unit to start the SSH agent on login regardless of a graphical session running:
NOTE: This needs to be run as the user you set up earlier, without sudo.
systemctl enable --user ssh-agent
The user unit creates a Unix socket for other applications to communicate with the agent. For these applications to find this socket, the SSH_AUTH_SOCK environment variable needs to be set. This can be achieved via user-specific systemd environment variables.
On login, systemd parses *.conf files in ~/.config/environment.d/ and sets environment variables from these. Environment variables are set in a KEY=VALUE fashion.
Create a new file ~/.config/environment.d/ssh_agent.conf:
SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent.socket
Additionally, to have a KDE dialog box appear in case the passphrase is not stored in your Wallet, point the SSH_ASKPASS environment variable to the ksshaskpass application (also included in the plasma package group).
Start ssh-agent upon login
Create a new systemd user unit at ~/.config/systemd/user/ssh-agent.service with the following contents:
[Unit]
Description=SSH key agent
[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# DISPLAY required for ssh-askpass to work
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
[Install]
WantedBy=default.target
Autostart .desktop entry
Create ~/.config/autostart/ssh-add.desktop with the following contents:
[Desktop Entry]
Exec=ssh-add -q
Name=ssh-add
Type=Application
NOTE: This .desktop file will only unlock SSH private keys with the default names. If you named your keys differently you also have to pass their paths to ssh-add -q:
[Desktop Entry]
Exec=ssh-add -q ~/.ssh/key1 ~/.ssh/key2 ~/.ssh/key3
Name=ssh-add
Type=Application
Setting ksshaskpass as passphrase prompter
Create the systemd user environment file at ~/.config/environment.d/ssh_askpass.conf with the following contents:
SSH_ASKPASS='/usr/bin/ksshaskpass'
SSH_ASKPASS_REQUIRE=prefer
This will set ksshaskpass as the default SSH key passphrase prompter for graphical environments.
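To confirm the settings from this section are in effect, the following added example (not part of the original page) reads the effective values from an environment.d directory and checks the agent socket and the askpass program, which is handed every passphrase prompt. The function names and the --audit switch are this example's own, and only the $XDG_RUNTIME_DIR prefix used on this page is expanded.

```sh
#!/bin/sh
# Added example: audit the SSH agent settings written to environment.d.

# Effective value of KEY in DIR/*.conf: files are read in lexical order and
# a later assignment overrides an earlier one.
env_d_value() (
    dir=$1 key=$2 value=
    for file in "$dir"/*.conf; do
        [ -f "$file" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in "$key="*) value=${line#*=} ;; esac
        done < "$file"
    done
    case $value in                      # strip one pair of surrounding quotes
        \'*\') value=${value#\'}; value=${value%\'} ;;
        \"*\") value=${value#\"}; value=${value%\"} ;;
    esac
    case $value in                      # expand the one variable the page uses
        '$XDG_RUNTIME_DIR'*) value=$XDG_RUNTIME_DIR${value#'$XDG_RUNTIME_DIR'} ;;
    esac
    printf '%s\n' "$value"
)

# The askpass program receives the passphrase prompt, so require an absolute
# path to an executable that group and others cannot modify.
check_askpass() (
    case $1 in /*) ;; *) echo "not an absolute path: $1"; return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ] || { echo "not an executable file: $1"; return 1; }
    case $(ls -ldL "$1" | cut -c1-10) in
        ?????w*|????????w*) echo "writable by group or others: $1"; return 1 ;;
    esac
    echo ok
)

# The agent socket must be a socket owned by the caller, closed to group/others.
check_agent_socket() (
    [ -S "$1" ] || { echo "not a socket: $1"; return 1; }
    [ -O "$1" ] || { echo "not owned by current user: $1"; return 1; }
    case $(ls -ld "$1" | cut -c1-10) in
        s???------) echo ok ;;
        *) echo "accessible to group or others: $1"; return 1 ;;
    esac
)

# Check the real configuration only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    d=$HOME/.config/environment.d
    check_agent_socket "$(env_d_value "$d" SSH_AUTH_SOCK)"
    check_askpass "$(env_d_value "$d" SSH_ASKPASS)"
fi
```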
Wallet for Chromium-based browsers
To make Chromium-based browsers (Google Chrome, Microsoft Edge, Brave, Opera, etc.) use Wallet as a password store, launch them with --password-store=kwallet5 or --password-store=detect.
To make this launch argument persistent, add it to the "flags" file for the Chromium-based browser you want to use:
Browser | Path |
---|---|
Chromium | ~/.config/chromium-flags.conf |
Google Chrome | ~/.config/chrome-flags.conf |
Google Chrome | ~/.config/chrome-dev-flags.conf |
Vivaldi | ~/.config/vivaldi-stable.conf |
See also: Making flags persistent
Misc additional packages
Additional packages you might want:
Name | Description |
---|---|
freerdp | Support for the Remote Desktop Protocol used for remote login to MS Windows machines |
kimageformats | Support for additional image formats in Dolphin and Gwenview |
| Support |
fwupd | Firmware update manager; allows UEFI capsule updates in Discover if supported by firmware |
packagekit- | Manage Arch packages in Discover |
pacman -S freerdp kimageformats ksshaskpass fwupd packagekit-qt5