Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-02-04 17:05:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'gasull-patch-5'

Browse Source
This commit is contained in:
Andrew David Wong 2018-11-12 04:19:37 -06:00
commit 0907ce5f4d
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
security/split-gpg.md
View File

@ -74,14 +74,16 @@ signed before the operation gets approved. Perhaps the GPG backend domain
could start a Disposable VM and have the to-be-signed document displayed could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined. there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the - The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl GnuPG backend is protected by a passphrase. It will give an `Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG for device` error. Do not set passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before. If backend domain. Doing so won't provide any extra security anyway, as explained
you have a private key that already has a passphrase set use [above][intro] and [below][using split GPG with subkeys]. If you are generating
`gpg2 --edit-key {key_id}`, then `passwd` to set an empty passphrase. Be aware a new key pair, or if you have a private key that already has a passphrase, you
that `pinentry-ncurses` doesn't allow setting empty passphrases, so you would need can use `gpg2 --edit-key <key_id>` then `passwd` to set an empty passphrase.
to install `pinentry-gtk` for it to work. Note that `pinentry` might show an error when you try to set an empty
passphrase, but it will still make the change. (See [this StackExchange
answer][se-pinentry] for more information.)
## Configuring Split GPG ## ## Configuring Split GPG ##
@ -396,6 +398,8 @@ exercise caution and use your good judgment.)
[#474]: https://github.com/QubesOS/qubes-issues/issues/474 [#474]: https://github.com/QubesOS/qubes-issues/issues/474
[using split GPG with subkeys]: #advanced-using-split-gpg-with-subkeys [using split GPG with subkeys]: #advanced-using-split-gpg-with-subkeys
[intro]: #what-is-split-gpg-and-why-should-i-use-it-instead-of-the-standard-gpg
[se-pinentry]: https://unix.stackexchange.com/a/379373
[subkeys]: https://wiki.debian.org/Subkeys [subkeys]: https://wiki.debian.org/Subkeys
[copied]: /doc/copying-files#on-inter-qube-file-copy-security [copied]: /doc/copying-files#on-inter-qube-file-copy-security
[pasted]: /doc/copy-paste#on-copypaste-security [pasted]: /doc/copy-paste#on-copypaste-security