Kwallet and KMail: What's GPG? What's Blowfish? Why a Blank Password?

When I first launch KMail on Tumbleweed, after it crashes and I relaunch it, midway through entering information into the Account Wizard, what appears to be a KWallet dialogue appears and tells me I must choose between GPG and “Blowfish”.

I don’t use encryption. I’ve heard of GPG, but have no idea what “Blowfish” is.

I’ve Googled “KWallet” and found interminable complaints and the near-universal suggestion to use a blank password. That’s what I did to get Kmail configured.

However, I’m not comfortable with using a blank password on what purports to be a password manager of sorts.

I’ve found no current KDE or Opensuse documentation about anything of this targeting users.

Is there a how-to out there that will lead me through all this? Presumably, KDE wants me to use GPG since that’s the default option in that KWallet dialogue. How do I do that?

A search on GPG should lead you to
https://www.gnupg.org/

Basically, it’s a widely used and strong method of public cryptography where you publish a public key so it’s widely and freely available but is used to create private keys that ensure secure communications between the owner of the public key and anyone else. This has advantages over symmetric keys where you have to “pre-share” a key with the other person for encrypted communications (for email, S-MIME is the most common symmetric key encryption).

Blowfish is a cryptographic algorithm (not a key exchange method like GPG) for encoding your plain text. Other methods include the various SHA, MD5, MD6, AES, more. They’re just highly complex mathematical algorithms which are supposed to make it very difficult (not usually impossible nowadays) to read the content.

So, practically speaking…
GPG is generally used to encrypt the content of something that will be transferred from one person to another. It’s probably possible to encrypt local files but may be considered overkill. You always need to weigh complexity vs utility and what is practical.

Blowfish is just a choice if you decide to encrypt locally and do not intend to access remotely or send the files elsewhere.

AFAIK both common default implementations of GPG and Blowfish are strong enough to protect against common intrusions, but if your system is compromised you may have more to worry about than simply whether your WiFi and email passwords are stolen (not to say those aren’t important, too).

Most people make their decision on whether to use a blank password based on practicality. If you set up a password for kwallet, then every app that requires a password from kwallet also needs to know that password, so there is the possibility of breakage and troubleshooting. It might also mean you need to know how the app stores the password to pass to kwallet, which can itself be insecure. Many people don’t think that is worth the trouble; it’s enough that the passwords are stored in a kwallet database and not in a plain text file. If kwallet were more reliable and seamless to use, I imagine more people might opt for setting higher security (requiring a password).

TSU

Since you are not familiar with GPG, select “blowfish”.

It won’t matter that you are not familiar with “blowfish”. It’s just an encryption algorithm. In practice, the effect is that you give a password for “kwallet”, and you provide that password whenever you are prompted to open “kwallet”.
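The two posts above make the same practical point: with the “blowfish” choice, the wallet is just a file whose contents are locked by a key derived from the wallet password, and a blank password derives a key anyone can reproduce. The following added example (not KWallet’s own code or file format) shows that mechanism in miniature. It swaps in an HMAC-SHA256 keystream with a PBKDF2-derived key and an authentication tag so it runs on the Python standard library alone; the wallet entries are constructed sample data.

```python
"""Toy password-locked secret store illustrating password-derived keys.

Added example, not KWallet's code or format. KWallet uses Blowfish (or GPG);
here a keystream built from HMAC-SHA256 stands in for the cipher so that the
example needs only the standard library.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

SALT_LEN = 16        # random per-wallet salt for PBKDF2
NONCE_LEN = 16       # random per-encryption nonce for the keystream
TAG_LEN = 32         # HMAC-SHA256 tag length
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the example)


def _derive_keys(password: str, salt: bytes) -> tuple:
    # PBKDF2 yields 64 bytes: first half encrypts, second half authenticates.
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a pseudo-random keystream (cipher stand-in).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, "sha256").digest()
        counter += 1
    return bytes(out[:length])


def lock_wallet(entries: dict, password: str) -> bytes:
    """Serialize `entries`, encrypt under a key derived from `password`,
    and append an authentication tag. Returns salt|nonce|ciphertext|tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def unlock_wallet(blob: bytes, password: str) -> Optional[dict]:
    """Return the entries if `password` is correct and the blob is intact,
    otherwise None (wrong password and tampering are indistinguishable)."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


# Constructed sample entries standing in for stored mail/Wi-Fi credentials.
SAMPLE_ENTRIES = {"imap.example.invalid": "mailpass", "wifi:HomeNet": "wifipass"}


def blank_password_opens_for_anyone() -> bool:
    """A wallet locked with "" opens for anyone who knows the format:
    the key derivation has no secret input, so the file is the only barrier."""
    blob = lock_wallet(SAMPLE_ENTRIES, "")
    return unlock_wallet(blob, "") == SAMPLE_ENTRIES


if __name__ == "__main__":
    blob = lock_wallet(SAMPLE_ENTRIES, "correct horse")
    print("right password:", unlock_wallet(blob, "correct horse"))
    print("wrong password:", unlock_wallet(blob, "guess"))
    print("blank-password wallet opens with '':", blank_password_opens_for_anyone())
```

The design point is the one the thread circles around: the cipher choice (Blowfish here, the HMAC stand-in in the example) matters far less than whether the key derivation has a secret input at all. With a real password, a copied wallet file yields nothing without it; with a blank password, the file is readable by anyone who can open it.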

I use GPG.

Before using it for “kwallet”, you should create your own GPG key. Simplest might be to just run either “kgpg” or “kleopatra”. Either of those should guide you through creating a GPG key.

If you do not want kwallet to manage your passwords, just enter a blank; it will no longer bother you.

Can I use Kwallet to store all my passwords, ensure it never prompts me for its own password, and also avoid using a blank Kwallet password?

If I don’t intend to encrypt/sign mail, or anything else, is there any reason to use GPG?

As I mentioned, I don’t like the idea of using a blank password. I gather it’s the most common approach to using KWallet, and that seems to be a security issue. (Why use a password manager for security if almost everyone uses the same password to access it?)

For KDE apps yes, but if you don’t want a prompt for kwallet, do not set a password; just leave it blank. Which encryption method is immaterial; it is just how the passwords are encrypted, not any of your data.

There’s “kwallet-pam” which does this. But I don’t know how to set that up in Tumbleweed (or elsewhere in opensuse).