Não encontrei nada melhor que:
cat /etc/pam.d/common-auth
# "sufficient": when pam_usb.so succeeds, authentication is accepted at once
# and the rest of the stack is skipped, so the USB device alone (no password)
# is enough for every service that includes this file. When it fails, the
# result is ignored and the stack continues with the lines below.
auth sufficient pam_usb.so
# Password-based stack, kept in its own file so that a service can include it
# directly and leave pam_usb.so out.
@include common-auth-nousb
cat /etc/pam.d/common-auth-nousb
# Password check. success=1 skips the next line (pam_deny.so) when the
# password is accepted; any other result is ignored, so control falls through
# to pam_deny.so. try_first_pass reuses a password already collected by an
# earlier module before prompting for one.
# NOTE(review): nullok_secure is understood to allow accounts with an empty
# password on terminals listed in /etc/securetty; confirm for this release
# and drop the option if no account should be passwordless.
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# Reached only when pam_unix.so did not succeed: fail the stack immediately.
auth requisite pam_deny.so
# Landing point for the success=1 jump; gives the stack a positive result,
# since the jump itself does not set one.
auth required pam_permit.so
head /etc/pam.d/sddm
#%PAM-1.0
# Block login if they are globally disabled
auth requisite pam_nologin.so
# Refuse root at the graphical login; quiet_success keeps a passing check out
# of the log.
auth required pam_succeed_if.so user != root quiet_success
# Left disabled: if enabled, members of the nopasswdlogin group would be
# accepted without any further authentication.
# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
# Includes the password-only stack, not common-auth, so pam_usb.so is not
# consulted in the lines shown here.
@include common-auth-nousb
# gnome_keyring breaks QProcess
# The leading "-" means a missing module is not logged as an error.
-auth optional pam_gnome_keyring.so
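Isso torna o pam-auth-update inútil (o common-auth passa a ser mantido à mão, e executá-lo com --force descartaria estas alterações), mas atinge o objetivo: agora eu posso inicializar com o pen drive inserido sem a necessidade de desbloquear o kwallet manualmente. Como o sddm inclui common-auth-nousb em vez de common-auth, o login gráfico não consulta o pam_usb e pede a senha mesmo com o pen drive presente; os demais serviços que incluem common-auth continuam aceitando apenas o pen drive, sem senha.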