Roshani's KDE & GSoC Blog

Week 5: KWallet XML Import & Password Generator

This week I shipped two new features for KeepSecret.

KWallet XML Import (!34)

The Import menu on the wallet page is now a submenu with two options:

- KeepSecret…
- KWallet XML…

Both import formats are converted into the same internal format, allowing them to use the existing import code. I only implemented import support, since exporting to the old KWallet format wasn't necessary because KWallet is being deprecated.

Password Generator (!35)

I added a Generate button to the Create New Entry dialog. Clicking it generates a random 16-character password and fills the password field.

The password is generated in SecretItemProxy::generatePassword() using QRandomGenerator::global(), which uses the operating system's secure random source. A character set is built from the selected options (lowercase letters, uppercase letters, numbers, and symbols), and each character is chosen randomly from that set. This also allows passwords to include symbols like !@#$%^&*.

The function returns a QByteArray instead of a QString, matching the existing code and avoiding an unnecessary copy of the secret in C++.

During code review, Michael K83 pointed out that secrets stored in normal QByteArray or QString objects are not automatically erased from memory after use. He suggested looking at how ksecretd and KeePassXC handle secure memory.

Marco Martin explained that an even bigger challenge exists once the password reaches QML. The password becomes a QString inside the QML engine, where Qt may create multiple internal copies that cannot be explicitly cleared. It will be addressed separately in issue #25.
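
The generation step and the memory concern from the review, sketched as an added example in standard C++. This is not KeepSecret's code: std::random_device stands in for QRandomGenerator and std::vector<char> for QByteArray, and CharOptions, buildCharset and wipe are hypothetical names.

```cpp
#include <cstddef>
#include <random>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical option flags for the four character classes the post lists.
struct CharOptions {
    bool lower = true, upper = true, digits = true, symbols = true;
};

// Build the candidate set from the selected classes.
std::string buildCharset(const CharOptions &o) {
    std::string set;
    if (o.lower)   set += "abcdefghijklmnopqrstuvwxyz";
    if (o.upper)   set += "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    if (o.digits)  set += "0123456789";
    if (o.symbols) set += "!@#$%^&*";  // the symbols named in the post
    return set;
}

// Draw `length` characters uniformly from the set. std::random_device is an
// assumed stand-in for Qt's generator; uniform_int_distribution avoids the
// bias a plain `value % set.size()` would introduce.
std::vector<char> generatePassword(const CharOptions &o, std::size_t length = 16) {
    const std::string set = buildCharset(o);
    if (set.empty())
        throw std::invalid_argument("no character class selected");
    std::random_device rng;
    std::uniform_int_distribution<std::size_t> pick(0, set.size() - 1);
    std::vector<char> out;
    out.reserve(length);  // one allocation, so a regrow never frees a partial copy
    for (std::size_t i = 0; i < length; ++i)
        out.push_back(set[pick(rng)]);
    return out;
}

// Overwrite the secret before the buffer is released. The volatile pointer
// keeps the compiler from eliding the stores as dead writes.
void wipe(std::vector<char> &secret) {
    volatile char *p = secret.data();
    for (std::size_t i = 0; i < secret.size(); ++i)
        p[i] = 0;
}
```

Wiping covers only this one C++ buffer; the QString copies inside the QML engine described above are outside its reach.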