2014-07-24 06:59:44 -04:00
|
|
|
|
---
|
2015-04-10 16:17:45 -04:00
|
|
|
|
layout: doc
|
2015-10-13 23:31:03 -04:00
|
|
|
|
title: Split GPG
|
2015-10-28 18:14:40 -04:00
|
|
|
|
permalink: /doc/split-gpg/
|
2015-09-22 05:02:22 -04:00
|
|
|
|
redirect_from:
|
2015-10-28 18:14:40 -04:00
|
|
|
|
- /en/doc/split-gpg/
|
2015-10-11 03:04:59 -04:00
|
|
|
|
- /doc/SplitGpg/
|
2015-10-28 18:14:40 -04:00
|
|
|
|
- /doc/UserDoc/SplitGpg/
|
|
|
|
|
- /wiki/UserDoc/SplitGpg/
|
2016-03-14 03:32:28 -04:00
|
|
|
|
- /doc/open-pgp/
|
|
|
|
|
- /en/doc/open-pgp/
|
|
|
|
|
- /doc/OpenPGP/
|
|
|
|
|
- /doc/UserDoc/OpenPGP/
|
|
|
|
|
- /wiki/UserDoc/OpenPGP/
|
2014-07-24 06:59:44 -04:00
|
|
|
|
---
|
|
|
|
|
|
2018-07-10 20:30:38 -04:00
|
|
|
|
# Qubes Split GPG #
|
|
|
|
|
|
|
|
|
|
## What is Split GPG and why should I use it instead of the standard GPG? ##
|
2014-07-24 06:59:44 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Split GPG implements a concept similar to having a smart card with your
|
|
|
|
|
private GPG keys, except that the role of the "smart card" plays another Qubes
|
|
|
|
|
AppVM. This way one, not-so-trusted domain, e.g. the one where Thunderbird is
|
|
|
|
|
running, can delegate all crypto operations, such as encryption/decryption
|
|
|
|
|
and signing to another, more trusted, network-isolated, domain. This way
|
2016-03-14 04:06:44 -04:00
|
|
|
|
the compromise of your domain where Thunderbird or another client app is
|
2015-09-22 14:00:52 -04:00
|
|
|
|
running -- arguably a not-so-unthinkable scenario -- does not allow the
|
2016-03-14 04:06:44 -04:00
|
|
|
|
attacker to automatically also steal all your keys. (We should make a rather
|
2015-09-22 14:00:52 -04:00
|
|
|
|
obvious comment here that the so-often-used passphrases on private keys are
|
|
|
|
|
pretty meaningless because the attacker can easily set up a simple backdoor
|
2016-03-14 04:06:44 -04:00
|
|
|
|
which would wait until the user enters the passphrase and steal the key then.)
|
2014-07-24 06:59:44 -04:00
|
|
|
|
|
2014-07-24 11:25:52 -04:00
|
|
|
|
The diagram below presents the big picture of Split GPG architecture.
|
|
|
|
|
|
2015-09-22 12:26:25 -04:00
|
|
|
|
![split-gpg-diagram.png](/attachment/wiki/SplitGpg/split-gpg-diagram.png)
|
2014-07-24 11:25:52 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
### Advantages of Split GPG vs. traditional GPG with a smart card ###
|
2014-07-24 11:25:52 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
It is often thought that the use of smart cards for private key storage
|
|
|
|
|
guarantees ultimate safety. While this might be true (unless the attacker
|
|
|
|
|
can find a usually-very-expensive-and-requiring-physical-presence way to
|
|
|
|
|
extract the key from the smart card) but only with regards to the safety of
|
|
|
|
|
the private key itself. However, there is usually nothing that could stop
|
|
|
|
|
the attacker from requesting the smart card to perform decryption of all the
|
|
|
|
|
user documents the attacker has found or need to decrypt. In other words,
|
|
|
|
|
while protecting the user's private key is an important task, we should not
|
|
|
|
|
forget that ultimately it is the user data that are to be protected and that
|
|
|
|
|
the smart card chip has no way of knowing the requests to decrypt documents
|
|
|
|
|
are now coming from the attacker's script and not from the user sitting in
|
|
|
|
|
front of the monitor. (Similarly the smart card doesn't make the process
|
|
|
|
|
of digitally signing a document or a transaction in any way more secure --
|
|
|
|
|
the user cannot know what the chip is really signing. Unfortunately this
|
|
|
|
|
problem of signing reliability is not solvable by Split GPG)
|
|
|
|
|
|
|
|
|
|
With Qubes Split GPG this problem is drastically minimized, because each time
|
|
|
|
|
the key is to be used the user is asked for consent (with a definable time
|
|
|
|
|
out, 5 minutes by default), plus is always notified each time the key is used
|
|
|
|
|
via a tray notification from the domain where GPG backend is running. This
|
|
|
|
|
way it would be easy to spot unexpected requests to decrypt documents.
|
2014-07-24 11:25:52 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
![r2-split-gpg-1.png](/attachment/wiki/SplitGpg/r2-split-gpg-1.png)
|
|
|
|
|
![r2-split-gpg-3.png](/attachment/wiki/SplitGpg/r2-split-gpg-3.png)
|
2014-07-24 06:59:44 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
### Current limitations ###
|
2014-07-24 06:59:44 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
- Current implementation requires importing of public keys to the vault
|
|
|
|
|
domain. This opens up an avenue to attack the gpg running in the backend domain
|
2016-03-14 04:06:44 -04:00
|
|
|
|
via a hypothetical bug in public key importing code. See ticket [#474] for more
|
2015-09-22 14:00:52 -04:00
|
|
|
|
details and plans how to get around this problem, as well as the section on
|
2016-03-14 04:06:44 -04:00
|
|
|
|
[using split GPG with subkeys] below.
|
2014-07-24 11:25:52 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
- It doesn't solve the problem of allowing the user to know what is to be
|
|
|
|
|
signed before the operation gets approved. Perhaps the GPG backend domain
|
2018-12-08 22:20:41 -05:00
|
|
|
|
could start a DisposableVM and have the to-be-signed document displayed
|
2015-09-22 14:00:52 -04:00
|
|
|
|
there? To Be Determined.
|
|
|
|
|
|
2018-11-12 02:15:42 -05:00
|
|
|
|
- The Split GPG client will fail to sign or encrypt if the private key in the
|
2018-11-12 05:16:54 -05:00
|
|
|
|
GnuPG backend is protected by a passphrase. It will give an `Inappropriate ioctl
|
|
|
|
|
for device` error. Do not set passphrases for the private keys in the GPG
|
|
|
|
|
backend domain. Doing so won't provide any extra security anyway, as explained
|
|
|
|
|
[above][intro] and [below][using split GPG with subkeys]. If you are generating
|
|
|
|
|
a new key pair, or if you have a private key that already has a passphrase, you
|
|
|
|
|
can use `gpg2 --edit-key <key_id>` then `passwd` to set an empty passphrase.
|
|
|
|
|
Note that `pinentry` might show an error when you try to set an empty
|
|
|
|
|
passphrase, but it will still make the change. (See [this StackExchange
|
|
|
|
|
answer][se-pinentry] for more information.)
|
2014-10-06 12:14:22 -04:00
|
|
|
|
|
2018-07-10 20:30:38 -04:00
|
|
|
|
## Configuring Split GPG ##
|
2015-12-09 20:39:47 -05:00
|
|
|
|
|
|
|
|
|
In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
|
|
|
|
|
|
2017-01-26 17:42:49 -05:00
|
|
|
|
[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
|
2015-12-09 20:39:47 -05:00
|
|
|
|
|
2017-01-26 17:42:49 -05:00
|
|
|
|
If using templates based on Debian or Whonix, make sure you have the `qubes-gpg-split`
|
2015-12-09 20:39:47 -05:00
|
|
|
|
package installed.
|
|
|
|
|
|
2018-02-02 08:40:40 -05:00
|
|
|
|
[user@debian-8 ~]$ sudo apt install qubes-gpg-split
|
2015-12-09 20:39:47 -05:00
|
|
|
|
|
|
|
|
|
For Fedora.
|
|
|
|
|
|
2018-02-02 08:40:40 -05:00
|
|
|
|
[user@fedora-25 ~]$ sudo dnf install qubes-gpg-split
|
2015-12-09 20:39:47 -05:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Start with creating a dedicated AppVM for storing your keys (the GPG backend
|
|
|
|
|
domain). It is recommended that this domain be network disconnected (set its
|
|
|
|
|
netvm to `none`) and only used for this one purpose. In later examples this
|
|
|
|
|
AppVM is named `work-gpg`, but of course it might have any other name.
|
2014-07-24 06:59:44 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
### Setting up the GPG backend domain ###
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Make sure the gpg is installed there and there are some private keys in the
|
|
|
|
|
keyring, e.g.:
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
[user@work-gpg ~]$ gpg -K
|
|
|
|
|
/home/user/.gnupg/secring.gpg
|
|
|
|
|
-----------------------------
|
|
|
|
|
sec 4096R/3F48CB21 2012-11-15
|
|
|
|
|
uid Qubes OS Security Team <security@qubes-os.org>
|
|
|
|
|
ssb 4096R/30498E2A 2012-11-15
|
|
|
|
|
(...)
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
This is pretty much all that is required. However one might also want to modify
|
|
|
|
|
the default timeout which tells the backend for how long the user's approval
|
|
|
|
|
for key access should be valid (default 5 minutes). This is adjustable via
|
|
|
|
|
`QUBES_GPG_AUTOACCEPT` variable. One can override it e.g. in `~/.bash_profile`:
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2018-10-20 15:28:29 -04:00
|
|
|
|
Please be aware of the caveat regarding passphrase-protected keys in the
|
|
|
|
|
[Current limitations][current-limitations] section.
|
|
|
|
|
|
2015-12-09 20:24:05 -05:00
|
|
|
|
### Configuring the client apps to use Split GPG backend ###
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend
|
|
|
|
|
domain name and use `qubes-gpg-client` in place of `gpg`, e.g.:
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
[user@work ~]$ export QUBES_GPG_DOMAIN=work-gpg
|
|
|
|
|
[user@work ~]$ gpg -K
|
|
|
|
|
[user@work ~]$ qubes-gpg-client -K
|
|
|
|
|
/home/user/.gnupg/secring.gpg
|
|
|
|
|
-----------------------------
|
|
|
|
|
sec 4096R/3F48CB21 2012-11-15
|
|
|
|
|
uid Qubes OS Security Team <security@qubes-os.org>
|
|
|
|
|
ssb 4096R/30498E2A 2012-11-15
|
|
|
|
|
(...)
|
|
|
|
|
|
|
|
|
|
[user@work ~]$ qubes-gpg-client secret_message.txt.asc
|
|
|
|
|
(...)
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Note that running normal `gpg -K` in the demo above shows no private keys
|
|
|
|
|
stored in this AppVM.
|
2014-07-24 12:42:46 -04:00
|
|
|
|
|
2016-03-14 04:06:44 -04:00
|
|
|
|
A note on `gpg` and `gpg2`:
|
|
|
|
|
|
|
|
|
|
Throughout this guide, we refer to `gpg`, but note that Split-GPG uses `gpg2`
|
|
|
|
|
under the hood for compatibility with programs like Enigmail (which now supports
|
|
|
|
|
only `gpg2`). If you encounter trouble while trying to set up Split-GPG, make
|
|
|
|
|
sure you're using `gpg2` for your configuration and testing, since keyring data
|
|
|
|
|
may differ between the two installations.
|
|
|
|
|
|
2018-12-03 21:04:38 -05:00
|
|
|
|
### Using Thunderbird + Enigmail with Split GPG ###
|
2014-07-30 03:42:19 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
However, when using Thunderbird with Enigmail extension it is
|
|
|
|
|
not enough, because Thunderbird doesn't preserve the environment
|
|
|
|
|
variables. Instead it is recommended to use a simple script provided by
|
|
|
|
|
`/usr/bin/qubes-gpg-client-wrapper` file by pointing Enigmail to use this
|
|
|
|
|
script instead of the standard GnuPG binary:
|
2014-07-24 12:28:02 -04:00
|
|
|
|
|
2015-09-22 12:26:25 -04:00
|
|
|
|
![tb-enigmail-split-gpg-settings-2.png](/attachment/wiki/SplitGpg/tb-enigmail-split-gpg-settings-2.png)
|
2014-07-24 12:28:02 -04:00
|
|
|
|
|
2016-03-14 04:06:44 -04:00
|
|
|
|
The script also sets the `QUBES_GPG_DOMAIN` variable automatically based on
|
2015-09-22 14:00:52 -04:00
|
|
|
|
the content of the file `/rw/config/gpg-split-domain`, which should be set to
|
|
|
|
|
the name of the GPG backend VM. This file survives the AppVM reboot, of course.
|
2014-07-24 12:25:32 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
[user@work ~]$ sudo bash
|
2017-10-09 16:14:05 -04:00
|
|
|
|
[root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain
|
2014-07-24 06:59:44 -04:00
|
|
|
|
|
2018-12-03 21:04:38 -05:00
|
|
|
|
#### Qubes 4.0 Specifics ####
|
2018-07-09 09:09:59 -04:00
|
|
|
|
|
|
|
|
|
New qrexec policies in Qubes R4.0 by default require the user to enter the name
|
|
|
|
|
of the domain containing GPG keys each time it is accessed. To improve usability
|
|
|
|
|
for Thunderbird+Enigmail, in `dom0` place the following line at the top of the file
|
|
|
|
|
`/etc/qubes-rpc/policy/qubes.Gpg`:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
work-email work-gpg allow
|
|
|
|
|
```
|
|
|
|
|
where `work-email` is the Thunderbird+Enigmail AppVM and `work-gpg` contains
|
|
|
|
|
your GPG keys.
|
|
|
|
|
|
2016-05-25 03:59:34 -04:00
|
|
|
|
## Using Git with Split GPG ##
|
2016-05-24 17:39:48 -04:00
|
|
|
|
|
|
|
|
|
Git can be configured to used with Split-GPG, something useful if you would
|
|
|
|
|
like to contribute to the Qubes OS Project as every commit is required to be
|
2016-05-25 04:03:27 -04:00
|
|
|
|
signed. The most basic `~/.gitconfig` file to with working Split-GPG looks
|
2016-05-24 17:39:48 -04:00
|
|
|
|
something like this.
|
|
|
|
|
|
|
|
|
|
[user]
|
|
|
|
|
name = YOUR NAME
|
|
|
|
|
email = YOUR EMAIL ADDRESS
|
|
|
|
|
signingkey = YOUR KEY ID
|
|
|
|
|
|
|
|
|
|
[gpg]
|
|
|
|
|
program = qubes-gpg-client-wrapper
|
|
|
|
|
|
|
|
|
|
Your key id is the public id of your signing key, which can be found by running
|
2016-05-25 04:03:27 -04:00
|
|
|
|
`qubes-gpg-client -k`. In this instance, the key id is DD160C74.
|
2016-05-24 17:39:48 -04:00
|
|
|
|
|
|
|
|
|
[user@work ~]$ qubes-gpg-client -k
|
|
|
|
|
/home/user/.gnupg/pubring.kbx
|
|
|
|
|
-----------------------------
|
|
|
|
|
pub rsa4096/DD160C74 2016-04-26
|
|
|
|
|
uid Qubes User
|
|
|
|
|
|
|
|
|
|
To sign commits, you now add the "-S" flag to your commit command, which should
|
|
|
|
|
prompt for Split-GPG usage. If you would like automatically sign all commits,
|
2016-05-25 04:03:27 -04:00
|
|
|
|
you can add the following snippet to `~/.gitconfig`.
|
2016-05-24 17:39:48 -04:00
|
|
|
|
|
|
|
|
|
[commit]
|
|
|
|
|
gpgsign = true
|
|
|
|
|
|
|
|
|
|
Lastly, if you would like to add aliases to sign and verify tags using the
|
|
|
|
|
conventions the Qubes OS Project recommends, you can add the following snippet
|
2016-05-25 04:03:27 -04:00
|
|
|
|
to `~/.gitconfig`.
|
2016-05-24 17:39:48 -04:00
|
|
|
|
|
|
|
|
|
[alias]
|
2016-05-24 20:30:26 -04:00
|
|
|
|
stag = "!id=`git rev-parse --verify HEAD`; git tag -s user_${id:0:8} -m \"Tag for commit $id\""
|
2016-05-24 17:39:48 -04:00
|
|
|
|
vtag = !git tag -v `git describe`
|
|
|
|
|
|
2016-05-24 20:37:44 -04:00
|
|
|
|
Replace `user` with your short, unique nickname. Now you can use `git stag` to
|
|
|
|
|
add a signed tag to a commit and `git vtag` to verify the most recent tag that
|
|
|
|
|
is reachable from a commit.
|
|
|
|
|
|
2016-05-24 17:39:48 -04:00
|
|
|
|
## Importing public keys ###
|
2014-07-24 12:40:04 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Use `qubes-gpg-import-key` in the client AppVM to import the key into the
|
|
|
|
|
GPG backend VM. Of course a (safe, unspoofable) user consent dialog box is
|
|
|
|
|
displayed to accept this.
|
2014-07-24 12:40:04 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
[user@work ~]$ export QUBES_GPG_DOMAIN=work-gpg
|
|
|
|
|
[user@work ~]$ qubes-gpg-import-key ~/Downloads/marmarek.asc
|
2014-07-24 12:40:04 -04:00
|
|
|
|
|
2015-09-22 12:26:25 -04:00
|
|
|
|
![r2-split-gpg-5.png](/attachment/wiki/SplitGpg/r2-split-gpg-5.png)
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
<br />
|
|
|
|
|
|
2018-01-19 08:21:10 -05:00
|
|
|
|
|
2018-07-10 20:30:38 -04:00
|
|
|
|
## Advanced: Using Split GPG with Subkeys ##
|
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
Users with particularly high security requirements may wish to use Split
|
2016-03-14 04:06:44 -04:00
|
|
|
|
GPG with [subkeys]. However, this setup
|
2015-09-22 14:00:52 -04:00
|
|
|
|
comes at a significant cost: It will be impossible to sign other people's keys
|
|
|
|
|
with the master secret key without breaking this security model. Nonetheless,
|
|
|
|
|
if signing others' keys is not required, then Split GPG with subkeys offers
|
|
|
|
|
unparalleled security for one's master secret key.
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
### Setup Description ###
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
In this example, the following keys are stored in the following locations
|
|
|
|
|
(see below for defintions of these terms):
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
| PGP Key(s) | VM Name |
|
|
|
|
|
| ---------- | ------------ |
|
|
|
|
|
| `sec` | `vault` |
|
|
|
|
|
| `ssb` | `work-gpg` |
|
|
|
|
|
| `pub` | `work-email` |
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
<br />
|
|
|
|
|
|
|
|
|
|
* `sec` (master secret key)
|
|
|
|
|
|
|
|
|
|
Depending on your needs, you may wish to create this as a **certify-only
|
|
|
|
|
(C)** key, i.e., a key which is capable only of signing (a.k.a.,
|
|
|
|
|
"certifying") other keys. This key may be created *without* an expiration
|
|
|
|
|
date. This is for two reasons. First, the master secret key is never to
|
|
|
|
|
leave the `vault` VM, so it is extremely unlikely ever to be obtained by
|
|
|
|
|
an adversary (see below). Second, an adversary who *does* manage to obtain
|
|
|
|
|
the master secret key either possesses the passphrase to unlock the key
|
2016-10-20 19:15:31 -04:00
|
|
|
|
(if one is used) or does not. An adversary who *does* possess the passphrase
|
|
|
|
|
can simply use it to legally extend the expiration date of the key
|
|
|
|
|
(or remove it entirely). An adversary who does *not* possess the passphrase
|
|
|
|
|
cannot use the key at all. In either case, an expiration date provides no
|
|
|
|
|
additional benefit.
|
2015-09-22 14:00:52 -04:00
|
|
|
|
|
|
|
|
|
By the same token, however, having a passphrase on the key is of little
|
|
|
|
|
value. An adversary who is capable of stealing the key from your `vault`
|
|
|
|
|
would almost certainly also be capable of stealing the passphrase as
|
|
|
|
|
you enter it. An adversary who obtains the passphrase can then use it
|
|
|
|
|
in order to change or remove the passphrase from the key. Therefore,
|
|
|
|
|
using a passphrase at all should be considered optional. It is, however,
|
|
|
|
|
recommended that a **revocation certificate** be created and safely stored
|
|
|
|
|
in multiple locations so that the master keypair can be revoked in the
|
|
|
|
|
(exceedingly unlikely) event that it is ever compromised.
|
|
|
|
|
|
|
|
|
|
* `ssb` (secret subkey)
|
|
|
|
|
|
|
|
|
|
Depending on your needs, you may wish to create two different subkeys: one
|
|
|
|
|
for **signing (S)** and one for **encryption (E)**. You may also wish to
|
|
|
|
|
give these subkeys reasonable expiration dates (e.g., one year). Once these
|
|
|
|
|
keys expire, it is up to you whether to *renew* these keys by extending the
|
|
|
|
|
expiration dates or to create *new* subkeys when the existing set expires.
|
|
|
|
|
|
|
|
|
|
On the one hand, an adversary who obtains any existing encryption subkey
|
|
|
|
|
(for example) will be able to use it in order to decrypt all emails (for
|
|
|
|
|
example) which were encrypted to that subkey. If the same subkey were to
|
|
|
|
|
continue to be used--and its expiration date continually extended--only
|
|
|
|
|
that one key would need to be stolen (e.g., as a result of the `work-gpg`
|
|
|
|
|
VM being compromised; see below) in order to decrypt *all* of the user's
|
|
|
|
|
emails. If, on the other hand, each encryption subkey is used for at most
|
|
|
|
|
approximately one year, then an adversary who obtains the secret subkey will
|
|
|
|
|
be capable of decrypting at most approximately one year's worth of emails.
|
|
|
|
|
|
|
|
|
|
On the other hand, creating a new signing subkey each year without
|
|
|
|
|
renewing (i.e., extending the expiration dates of) existing signing
|
|
|
|
|
subkeys would mean that all of your old signatures would eventually
|
|
|
|
|
read as "EXPIRED" whenever someone attempts to verify them. This can be
|
|
|
|
|
problematic, since there is no consensus on how expired signatures should
|
|
|
|
|
be handled. Generally, digital signatures are intended to last forever,
|
|
|
|
|
so this is a strong reason against regularly retiring one's signing subkeys.
|
|
|
|
|
|
|
|
|
|
* `pub` (public key)
|
|
|
|
|
|
|
|
|
|
This is the complement of the master secret key. It can be uploaded to
|
|
|
|
|
keyservers (or otherwise publicly distributed) and may be signed by others.
|
|
|
|
|
|
|
|
|
|
* `vault`
|
|
|
|
|
|
2016-03-14 04:12:54 -04:00
|
|
|
|
This is a network-isolated VM. The initial master keypair and subkeys are
|
|
|
|
|
generated in this VM. The master secret key *never* leaves this VM under
|
|
|
|
|
*any* circumstances. No files or text is *ever* [copied] or [pasted] into
|
|
|
|
|
this VM under *any* circumstances.
|
2015-09-22 14:00:52 -04:00
|
|
|
|
|
|
|
|
|
* `work-gpg`
|
|
|
|
|
|
2016-03-14 04:12:54 -04:00
|
|
|
|
This is a network-isolated VM. This VM is used *only* as the GPG backend for
|
|
|
|
|
`work-email`. The secret subkeys (but *not* the master secret key) are
|
|
|
|
|
[copied] from the `vault` VM to this VM. Files from less trusted VMs are
|
|
|
|
|
*never* [copied] into this VM under *any* circumstances.
|
2015-09-22 14:00:52 -04:00
|
|
|
|
|
|
|
|
|
* `work-email`
|
|
|
|
|
|
|
|
|
|
This VM has access to the mail server. It accesses the `work-gpg` VM via
|
|
|
|
|
the Split GPG protocol. The public key may be stored in this VM so that
|
|
|
|
|
it can be attached to emails and for other such purposes.
|
2014-08-03 06:15:09 -04:00
|
|
|
|
|
2015-09-22 13:29:54 -04:00
|
|
|
|
### Security Benefits ###
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
In the standard Split GPG setup, there are at least two ways in
|
|
|
|
|
which the `work-gpg` VM might be compromised. First, an attacker
|
|
|
|
|
who is capable of exploiting a hypothetical bug in `work-email`'s
|
2016-03-14 04:06:44 -04:00
|
|
|
|
[MUA] could gain control of
|
2015-09-22 14:00:52 -04:00
|
|
|
|
the `work-email` VM and send a malformed request which exploits a hypothetical
|
|
|
|
|
bug in the GPG backend (running in the `work-gpg` VM), giving the attacker
|
|
|
|
|
control of the `work-gpg` VM. Second, a malicious public key file which is
|
|
|
|
|
imported into the `work-gpg` VM might exploit a hypothetical bug in the GPG
|
|
|
|
|
backend which is running there, again giving the attacker control of the
|
|
|
|
|
`work-gpg` VM. In either case, such an attacker might then be able to leak
|
|
|
|
|
both the master secret key and its passphrase (if any is used, it would
|
|
|
|
|
regularly be input in the work-gpg VM and therefore easily obtained by an
|
|
|
|
|
attacker who controls this VM) back to the `work-email` VM or to another VM
|
|
|
|
|
(e.g., the `netvm`, which is always untrusted by default) via the Split GPG
|
2016-03-14 04:06:44 -04:00
|
|
|
|
protocol or other [covert channels]. Once the master secret
|
2015-09-22 14:00:52 -04:00
|
|
|
|
key is in the `work-email` VM, the attacker could simply email it to himself
|
|
|
|
|
(or to the world).
|
|
|
|
|
|
|
|
|
|
In the alternative setup described in this section (i.e., the subkey
|
|
|
|
|
setup), even an attacker who manages to gain access to the `work-gpg` VM
|
|
|
|
|
will not be able to obtain the user's master secret key since it is simply
|
|
|
|
|
not there. Rather, the master secret key remains in the `vault` VM, which
|
|
|
|
|
is extremely unlikely to be compromised, since nothing is ever copied or
|
|
|
|
|
transferred into it.<sup>\*</sup> The attacker might nonetheless be able to
|
|
|
|
|
leak the secret subkeys from the `work-gpg` VM in the manner described above,
|
|
|
|
|
but even if this is successful, the secure master secret key can simply be
|
|
|
|
|
used to revoke the compromised subkeys and to issue new subkeys in their
|
|
|
|
|
place. (This is significantly less devastating than having to create a new
|
|
|
|
|
*master* keypair.)
|
|
|
|
|
|
|
|
|
|
<sup>\*</sup>In order to gain access to the `vault` VM, the attacker
|
|
|
|
|
would require the use of, e.g., a general Xen VM escape exploit
|
|
|
|
|
or a [signed, compromised package which is already installed in the
|
2016-03-14 04:06:44 -04:00
|
|
|
|
TemplateVM][trusting-templates]
|
2015-09-22 14:00:52 -04:00
|
|
|
|
upon which the `vault` VM is based.
|
2015-09-22 13:29:54 -04:00
|
|
|
|
|
|
|
|
|
### Subkey Tutorials and Discussions ###
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2015-09-22 14:00:52 -04:00
|
|
|
|
(Note: Although the tutorials below were not written with Qubes Split GPG
|
|
|
|
|
in mind, they can be adapted with a few commonsense adjustments. As always,
|
|
|
|
|
exercise caution and use your good judgment.)
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|
2016-03-14 04:06:44 -04:00
|
|
|
|
- ["OpenPGP in Qubes OS" on the qubes-users mailing list][openpgp-in-qubes-os]
|
|
|
|
|
- ["Creating the Perfect GPG Keypair" by Alex Cabal][cabal]
|
|
|
|
|
- ["GPG Offline Master Key w/ smartcard" maintained by Abel Luck][luck]
|
|
|
|
|
- ["Using GnuPG with QubesOS" by Alex][apapadop]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[#474]: https://github.com/QubesOS/qubes-issues/issues/474
|
|
|
|
|
[using split GPG with subkeys]: #advanced-using-split-gpg-with-subkeys
|
2018-11-12 05:16:54 -05:00
|
|
|
|
[intro]: #what-is-split-gpg-and-why-should-i-use-it-instead-of-the-standard-gpg
|
|
|
|
|
[se-pinentry]: https://unix.stackexchange.com/a/379373
|
2016-03-14 04:06:44 -04:00
|
|
|
|
[subkeys]: https://wiki.debian.org/Subkeys
|
2016-09-24 19:25:34 -04:00
|
|
|
|
[copied]: /doc/copying-files#on-inter-qube-file-copy-security
|
2016-03-14 04:06:44 -04:00
|
|
|
|
[pasted]: /doc/copy-paste#on-copypaste-security
|
|
|
|
|
[MUA]: https://en.wikipedia.org/wiki/Mail_user_agent
|
|
|
|
|
[covert channels]: /doc/data-leaks
|
2016-11-30 23:22:05 -05:00
|
|
|
|
[trusting-templates]: /doc/software-update-vm/#notes-on-trusting-your-templatevms
|
2016-03-14 04:06:44 -04:00
|
|
|
|
[openpgp-in-qubes-os]: https://groups.google.com/d/topic/qubes-users/Kwfuern-R2U/discussion
|
|
|
|
|
[cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
|
|
|
|
[luck]: https://gist.github.com/abeluck/3383449
|
|
|
|
|
[apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
|
2018-10-20 15:28:29 -04:00
|
|
|
|
[current-limitations]: #current-limitations
|
2014-08-03 00:30:42 -04:00
|
|
|
|
|