Update split-ssh.md

This commit is contained in:
Santori Helix 2020-11-18 21:40:57 +00:00 committed by GitHub
parent 2de68c3600
commit b500f8e161
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -18,7 +18,8 @@ This way the compromise of the domain you use to connect to your remote server d
## Prepare Your System ## Prepare Your System
0. (Optional) Take a system snapshot before you start tuning your system or do any major installations. To perform a Qubes OS backup please read and follow this guide in the [User Documentation][CreateBackup]. 0. (Optional) Take a system snapshot before you start tuning your system or do any major installations.
To perform a Qubes OS backup please read and follow this guide in the [User Documentation][CreateBackup].
1. Make sure the TemplateVM you plan to use is [up to date][update]. 1. Make sure the TemplateVM you plan to use is [up to date][update].
@ -58,7 +59,8 @@ This way the compromise of the domain you use to connect to your remote server d
## [Creating AppVMs][appvm create] ## [Creating AppVMs][appvm create]
If youve installed Qubes OS using the default options, a few qubes including a vault AppVM has been created for you. Skip the first step if you don't wish to create another vault. If youve installed Qubes OS using the default options, a few qubes including a vault AppVM has been created for you.
Skip the first step if you don't wish to create another vault.
1. Create a new vault AppVM (`vault`) based on your chosen template. Set networking to `(none)`. 1. Create a new vault AppVM (`vault`) based on your chosen template. Set networking to `(none)`.
@ -200,7 +202,8 @@ With this configuration you'll be prompted for a password the first time you sta
### In an SSH Client AppVM terminal ### In an SSH Client AppVM terminal
Theoretically, you can use any AppVM but to increase security it is advised to create a dedicated AppVM for your SSH connections. Furthermore, you can set different firewall rules for each VM (i.e. for intranet and internet connections) which also provides additional protection. Theoretically, you can use any AppVM but to increase security it is advised to create a dedicated AppVM for your SSH connections.
Furthermore, you can set different firewall rules for each VM (i.e. for intranet and internet connections) which also provides additional protection.
1. Edit `/rw/config/rc.local` 1. Edit `/rw/config/rc.local`
@ -254,7 +257,8 @@ Theoretically, you can use any AppVM but to increase security it is advised to c
**Warning:** This part is for setting up *KeePassXC*, not KeePassX or KeePass. See the [KeePassXC FAQ][KeePassXC FAQ]. **Warning:** This part is for setting up *KeePassXC*, not KeePassX or KeePass. See the [KeePassXC FAQ][KeePassXC FAQ].
0. KeePassXC should be installed by default in both Fedora and Debian TemplateVMs. If this changes in the future and you find that it isn't, it can be installed with: 0. KeePassXC should be installed by default in both Fedora and Debian TemplateVMs.
If this changes in the future and you find that it isn't, it can be installed with:
For Fedora templates:<br/> For Fedora templates:<br/>
```shell_prompt ```shell_prompt
@ -281,7 +285,8 @@ Theoretically, you can use any AppVM but to increase security it is advised to c
![naming screen](https://aws1.discourse-cdn.com/free1/uploads/qubes_os/original/1X/0925cd8e469b6194f80b1e46e51d7f137a01dd74.png) ![naming screen](https://aws1.discourse-cdn.com/free1/uploads/qubes_os/original/1X/0925cd8e469b6194f80b1e46e51d7f137a01dd74.png)
4. Adjust the encryption settings. Check the [KeePassXC User Guide][KeePassXC User Guide] for more information about these settings. 4. Adjust the encryption settings.
Check the [KeePassXC User Guide][KeePassXC User Guide] for more information about these settings.
![encryption settings](https://aws1.discourse-cdn.com/free1/uploads/qubes_os/optimized/1X/8537b07f453a0950d72cb51b9b5339e0f7bfc3c4_2_690x472.png) ![encryption settings](https://aws1.discourse-cdn.com/free1/uploads/qubes_os/optimized/1X/8537b07f453a0950d72cb51b9b5339e0f7bfc3c4_2_690x472.png)
@ -388,6 +393,14 @@ Some tips for securing your keys against a `vault` VM compromise include:
* Add a second encryption layer (e.g. with VeraCrypt, \*.7z with password). * Add a second encryption layer (e.g. with VeraCrypt, \*.7z with password).
* Adjust the encrpytion settings in KeePassXC as per the [KeePassXC documentation][KeePassXC User Guide]. * Adjust the encrpytion settings in KeePassXC as per the [KeePassXC documentation][KeePassXC User Guide].
## Current limitations
* It is possible for a malicious VM to hold onto an ssh-agent connection for more than one use.
Therefore, if you authorize usage once, assume that a malicious VM could then use it many more times.
In this case, though, the SSH Agent should continue to protect your private keys; only usage of it would be available to the malicious VM until it was shut down.
* It doesnt solve the problem of allowing the user to know what is requested before the operation gets approved.
Want more Qubes split magic? Want more Qubes split magic?
Check out [Split-GPG][Split-GPG]. Check out [Split-GPG][Split-GPG].