qubes-doc/security/open-pgp.md

---
layout: doc
title: OpenPGP
permalink: /en/doc/open-pgp/
redirect_from:
- /doc/OpenPGP/
- "/doc/UserDoc/OpenPGP/"
- "/wiki/UserDoc/OpenPGP/"
---

**Note 2014-08-03: This page is deprecated by [SplitGpg](/en/doc/split-gpg/). The content of this page has been integrated into that page.**

Using OpenPGP in Qubes
======================

One of the main advantages of Qubes is that it allows the user to isolate sensitive data in network-disconnected VMs. This is particularly useful in the case of securing secret keys. Work on split GPG is currently ongoing (\#474), but it's still possible to set up a very secure system right now.

Basic Instructions
------------------

The basic procedure is to create a master keypair and any number of signing/encryption subkeys in your ultimately trusted "vault" domain. The secret portion of the master keypair should never leave your vault. The public portion of the master key, along with the subkeys, can then be [copied](/wiki/VmTools/QvmCopyToVm) to any number of less trusted domains, e.g. "work," where they will be used normally. If your work domain is ever compromised (and your subkeys along with it), your master key will still be safe, and you can issue new subkeys. For detailed instructions, see the [tutorials and discussions](/wiki/UserDoc/OpenPGP#TutorialsandDiscussions) below.

Security Recommendations
------------------------

(Note: Here "vault" refers to whichever domain you have chosen to house the secret portion of your master keypair.)

1.  Key Isolation

> > All keys should be created in the vault, and the secret portion of the master keypair should never leave it.

1.  No Vault Networking

> > The vault should not be connected to a network (NetVM: none).

1.  No Vault Importing

> > Untrusted files should never be imported into the vault. In addition to the networking restriction in point 2, this means not [copying](/wiki/VmTools/QvmCopyToVm) untrusted files to the vault. Whether any given file is "untrusted" is an individual user decision, but we recommend that users never copy from a less trusted domain to a more trusted domain. At present, this means that there is no secure way to sign other people's keys with the master key.

Tutorials and Discussions
-------------------------

(Note: Although some of the tutorials below were not written with Qubes in mind, they can be adapted to Qubes with a few adjustments. As always, exercise caution and use your good judgment.)

-   ["OpenPGP in Qubes OS" on the qubes-users mailing list](https://groups.google.com/d/topic/qubes-users/Kwfuern-R2U/discussion)
-   ["Creating the Perfect GPG Keypair" by Alex Cabal](https://alexcabal.com/creating-the-perfect-gpg-keypair/)
-   ["GPG Offline Master Key w/ smartcard" maintained by Abel Luck](https://gist.github.com/abeluck/3383449)
    -   Author's note: "It is not Qubes OS specific, and in fact assumes you want to use a smartcard, which might not be the case, so skip those bits. Also, use your vault vm instead of booting into an offline livecd as described."
-   ["Using GnuPG with QubesOS" by Alex](https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/)
-												UserDoc/OpenPGP changed

											
										
										
											2013-10-04 00:14:25 +00:00
+								---
-												wiki -> doc migration

											
										
										
											2015-04-10 20:17:45 +00:00
+								layout: doc
-												UserDoc/OpenPGP changed

											
										
										
											2013-10-04 00:14:25 +00:00
+								title: OpenPGP
-												Change URIs from CamelCase to lowercase-hyphen-separated

											
										
										
											2015-10-11 07:04:59 +00:00
+								permalink: /en/doc/open-pgp/
-												Fix redirects

											
										
										
											2015-09-22 09:02:22 +00:00
+								redirect_from:
-												Change URIs from CamelCase to lowercase-hyphen-separated

											
										
										
											2015-10-11 07:04:59 +00:00
+								- /doc/OpenPGP/
-												Fix redirects

											
										
										
											2015-09-22 09:02:22 +00:00
+								- "/doc/UserDoc/OpenPGP/"
 								- "/wiki/UserDoc/OpenPGP/"
-												UserDoc/OpenPGP changed

											
										
										
											2013-10-04 00:14:25 +00:00
+								---
-												Update page titles from CamelCase to lowercase-hyphen-separated
(closes QubesOS/qubes-issues#1205)

											
										
										
											2015-10-14 03:31:03 +00:00
+								**Note 2014-08-03: This page is deprecated by [SplitGpg](/en/doc/split-gpg/). The content of this page has been integrated into that page.**
-												UserDoc/OpenPGP changed

Added SplitGpg deprecation note

											
										
										
											2014-08-03 05:23:43 +00:00
-												UserDoc/OpenPGP changed

											
										
										
											2013-10-04 00:14:25 +00:00
+								Using OpenPGP in Qubes
 								======================
 								One of the main advantages of Qubes is that it allows the user to isolate sensitive data in network-disconnected VMs. This is particularly useful in the case of securing secret keys. Work on split GPG is currently ongoing (\#474), but it's still possible to set up a very secure system right now.
 								Basic Instructions
 								------------------
-												UserDoc/OpenPGP changed

											
										
										
											2013-10-04 00:25:44 +00:00
+								The basic procedure is to create a master keypair and any number of signing/encryption subkeys in your ultimately trusted "vault" domain. The secret portion of the master keypair should never leave your vault. The public portion of the master key, along with the subkeys, can then be [copied](/wiki/VmTools/QvmCopyToVm) to any number of less trusted domains, e.g. "work," where they will be used normally. If your work domain is ever compromised (and your subkeys along with it), your master key will still be safe, and you can issue new subkeys. For detailed instructions, see the [tutorials and discussions](/wiki/UserDoc/OpenPGP#TutorialsandDiscussions) below.
-												UserDoc/OpenPGP changed

											
										
										
											2013-10-04 00:14:25 +00:00
 								Security Recommendations
 								------------------------
 								(Note: Here "vault" refers to whichever domain you have chosen to house the secret portion of your master keypair.)
 .  Key Isolation
 								> > All keys should be created in the vault, and the secret portion of the master keypair should never leave it.
 .  No Vault Networking
 								> > The vault should not be connected to a network (NetVM: none).
 .  No Vault Importing
 								> > Untrusted files should never be imported into the vault. In addition to the networking restriction in point 2, this means not [copying](/wiki/VmTools/QvmCopyToVm) untrusted files to the vault. Whether any given file is "untrusted" is an individual user decision, but we recommend that users never copy from a less trusted domain to a more trusted domain. At present, this means that there is no secure way to sign other people's keys with the master key.
 								Tutorials and Discussions
 								-------------------------
 								(Note: Although some of the tutorials below were not written with Qubes in mind, they can be adapted to Qubes with a few adjustments. As always, exercise caution and use your good judgment.)
 								-   ["OpenPGP in Qubes OS" on the qubes-users mailing list](https://groups.google.com/d/topic/qubes-users/Kwfuern-R2U/discussion)
 								-   ["Creating the Perfect GPG Keypair" by Alex Cabal](https://alexcabal.com/creating-the-perfect-gpg-keypair/)
 								-   ["GPG Offline Master Key w/ smartcard" maintained by Abel Luck](https://gist.github.com/abeluck/3383449)
 								    -   Author's note: "It is not Qubes OS specific, and in fact assumes you want to use a smartcard, which might not be the case, so skip those bits. Also, use your vault vm instead of booting into an offline livecd as described."
 								-   ["Using GnuPG with QubesOS" by Alex](https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/)