
Thread: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

  1. #1

    Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    When I first launch KMail on Tumbleweed, after it crashes and I relaunch it, midway through entering information into the Account Wizard, what appears to be a KWallet dialogue appears and tells me I must choose between GPG and "Blowfish".

    I don't use encryption. I've heard of GPG, but have no idea what "Blowfish" is.

    I've Googled "KWallet" and found interminable complaints and the near-universal suggestion to use a blank password. That's what I did to get Kmail configured.

    However, I'm not comfortable with using a blank password on what purports to be a password manager of sorts.

    I've found no current KDE or Opensuse documentation about anything of this targeting users.

    Is there a how-to out there that will lead me through all this? Presumably, KDE wants me to use GPG since that's the default option in that KWallet dialogue. How do I do that?

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,293
    Blog Entries
    2

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    A search on GPG should lead you to
    https://www.gnupg.org/

    Basically, it's a widely used and strong method of public cryptography where you publish a public key so it's widely and freely available but is used to create private keys that ensure secure communications between the owner of the public key and anyone else. This has advantages over symmetric keys where you have to "pre-share" a key with the other person for encrypted communications (for email, S-MIME is the most common symmetric key encryption).

    Blowfish is a cryptographic algorithm (not a key exchange method like GPG) for encoding your plain text. Other methods include the various SHA, MD5, MD6, AES, more. They're just highly complex mathematical algorithms which are supposed to make it very difficult (not usually impossible nowadays) to read the content.

    So, practically speaking...
    GPG is generally used to encrypt the content of something that will be transferred from one person to another. It's probably possible to encrypt local files but may be considered overkill. You always need to weigh complexity vs utility and what is practical.

    Blowfish is just a choice if you decide to encrypt locally and do not intend to access remotely or send the files elsewhere.

    AFAIK both common default implementations of GPG and Blowfish are strong enough to protect against common intrusions, but if your system is compromised you may have more to worry about than simply whether your WiFi and email passwords are stolen (not to say those aren't important, too).

    Most people make their decision on whether to use a blank password based on practicality. If you set up a password for kwallet, then every app that requires a password from kwallet also needs to know that password, so there is the possibility of breakage and troubleshooting. It might also mean you need to know how the app stores the password to pass to kwallet so can itself be insecure. Many people don't think that is worth the trouble, it's enough that the passwords are stored in a kwallet database and not on a plain text file. If kwallet was more reliable and seamless to use, I imagine more people might opt for setting higher security (requiring a password).

    TSU

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,629
    Blog Entries
    3

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    Quote, originally posted by buzzrobot:
    > When I first launch KMail on Tumbleweed, after it crashes and I relaunch it, midway through entering information into the Account Wizard, what appears to be a KWallet dialogue appears and tells me I must choose between GPG and "Blowfish".

    Since you are not familiar with GPG, select "blowfish".

    It won't matter that you are not familiar with "blowfish". It's just an encryption algorithm. In practice, the effect is that you give a password for "kwallet", and you provide that password whenever you are prompted to open "kwallet".
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,629
    Blog Entries
    3

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    Quote, originally posted by buzzrobot:
    > Is there a how-to out there that will lead me through all this? Presumably, KDE wants me to use GPG since that's the default option in that KWallet dialogue. How do I do that?

    I use GPG.

    Before using it for "kwallet", you should create your own GPG key. Simplest might be to just run either "kgpg" or "kleopatra". Either of those should guide you through creating a GPG key.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  5. #5
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,746

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    If you do not want kwallet to manage your passwords, just enter a blank; it will no longer bother you.

  6. #6

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    Quote, originally posted by tsu2:
    > Most people make their decision on whether to use a blank password based on practicality. If you set up a password for kwallet, then every app that requires a password from kwallet also needs to know that password, so there is the possibility of breakage and troubleshooting. It might also mean you need to know how the app stores the password to pass to kwallet so can itself be insecure. Many people don't think that is worth the trouble, it's enough that the passwords are stored in a kwallet database and not on a plain text file. If kwallet was more reliable and seamless to use, I imagine more people might opt for setting higher security (requiring a password).

    Can I use Kwallet to store all my passwords, ensure it never prompts me for its own password, and also avoid using a blank Kwallet password?

    If I don't intend to encrypt/sign mail, or anything else, is there any reason to use GPG?

  7. #7

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    Quote, originally posted by gogalthorp:
    > If you do not want kwallet to manage your passwords, just enter a blank; it will no longer bother you.

    As I mentioned, I don't like the idea of using a blank password. I gather it's the most common approach to using KWallet, and that seems to be a security issue. (Why use a password manager for security if almost everyone uses the same password to access it?)

  8. #8
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,746

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    For KDE apps, yes, but if you don't want a prompt for kwallet, do not set a password; just leave it blank. Which encryption method is immaterial; it is just how the passwords are encrypted, not any of your data.

  9. #9
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,629
    Blog Entries
    3

    Re: Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

    Quote, originally posted by buzzrobot:
    > Can I use Kwallet to store all my passwords, ensure it never prompts me for its own password, and also avoid using a blank Kwallet password?

    There's "kwallet-pam" which does this. But I don't know how to set that up in Tumbleweed (or elsewhere in opensuse).
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
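
The kwallet-pam approach mentioned in the last reply unlocks the wallet with the login password, which requires the module to be hooked into both the `auth` and `session` stacks of the login service's PAM file. The following check is an added example, not part of the thread and not openSUSE's own tooling; it assumes the module file is named like `pam_kwallet5.so`, that the wallet uses Blowfish with the same password as the login, and that the PAM file to inspect is supplied by the caller (`check_kwallet_pam` and the sample file are constructed for illustration).

```shell
#!/bin/sh
# Added example: audit a PAM service file for the kwallet-pam hooks.
# Assumption: the module is installed as pam_kwallet*.so (pam_kwallet5.so on Plasma 5).

# check_kwallet_pam FILE
# Prints one status word; returns 0 only when both hooks are present:
#   ok | missing-auth | missing-session | missing-both | unreadable
check_kwallet_pam() {
    file=$1
    [ -r "$file" ] || { echo unreadable; return 2; }

    # Ignore commented-out lines so a disabled hook is not counted.
    active=$(grep -v '^[[:space:]]*#' "$file" || true)

    auth=no
    session=no
    # A leading "-" on the PAM type is valid (it silences "module missing" logs).
    echo "$active" | grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_kwallet[0-9]*\.so' && auth=yes
    echo "$active" | grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_kwallet[0-9]*\.so' && session=yes

    case "$auth$session" in
        yesyes) echo ok; return 0 ;;
        noyes)  echo missing-auth; return 1 ;;   # wallet never receives the login password
        yesno)  echo missing-session; return 1 ;; # password captured, wallet never opened
        *)      echo missing-both; return 1 ;;
    esac
}

# Constructed sample: a login service file where only the session hook is active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth     include   common-auth
#auth    optional  pam_kwallet5.so
session  include   common-session
session  optional  pam_kwallet5.so auto_start
EOF
check_kwallet_pam "$sample" || true   # prints: missing-auth
rm -f "$sample"
```

Run it against the PAM file of whatever service performs the graphical login on your system; a result other than `ok` means the wallet will still prompt for its own password after login.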
