To automatically mount an encrypted folder at user login, KDE users can use KDE Wallet to store gocryptfs passwords. There are several steps to achieve this.

# Prerequisites

KDE Wallet and KDE Wallet Manager (GUI) should be installed when KDE Desktop is installed. To use KDE Wallet, the KDE Wallet subsystem should be enabled and the user should be logging in to the KDE desktop.

# Unlock KDE Wallet automatically at login

The PAM unlocks only the default `kdewallet` on login, and the wallet password should be set identical to the user login. Note that only login by using password (passing the wallet secret) can unlock the wallet, not by biometrics / autologin.

To enable unlock of KDE Wallet, these lines should be present in the relevant PAM settings:

```
auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start
```

The relevant file depends on the login manager used, such as:

-   `/etc/pam.d/sddm` for SDDM
-   `/etc/pam.d/gdm-password` for GDM
-   `/etc/pam.d/lightdm` for LightDM
-   `/etc/pam.d/login` (the `session` part should be set to `pam_kwallet5.so auto_start force_run`)

The files might differ for each distribution, consult the distribution's help like [KDE Wallet on Arch Linux Wiki](https://wiki.archlinux.org/title/KDE_Wallet#Configure_PAM).

# Storing the gocryptfs password

Store the password (key `gocryptfspass` in (default) folder `Passwords` is used in this example):

-   Using KDE Wallet manager (kwalletmanager):
    -   Expand the relevant folder (`Passwords`)
    -   Under the folder, right click on **Passwords** and select **New**
    -   Enter the label (`gocryptfspass`)
    -   Click **Show Contents** and type your gocryptfs password
    -   Click **Save**
-   Using CLI:  
    `echo "YOUR_PASSWORD_HERE" | kwallet-query -f Passwords -w gocryptfspass kdewallet`

Now the stored password can be accessed using

```bash
kwallet-query -f Passwords -r gocryptfspass kdewallet
```

# Mounting with password from KDE Wallet

The password can be used with the `--extpass` option:

```bash
gocryptfs --extpass="kwallet-query -f Passwords -r gocryptfspass kdewallet" /path/to/encrypted/folder /path/to/plain/folder
```

## Mounting on login

To have the mounted folder start when logging into KDE, create the a desktop file in autostart folder `~/.config/autostart` (like `~/.config/autostart/mount-gocryptfs.desktop`) with the previous command:

```
[Desktop Entry]
Exec=gocryptfs --extpass="kwallet-query -f Passwords -r gocryptfspass kdewallet" /path/to/encyrpted/folder /path/to/plain/folder
Name=mountgocryptfs
Type=Application
```