From 5c41089a0019b1167e6ec945f22dda6aea484e94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 10:47:29 +0200 Subject: [PATCH 1/8] splitgpg: add Thunderbird 78+ doc --- user/security-in-qubes/split-gpg.md | 38 ++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 9766bec5..cf81239f 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -131,7 +131,42 @@ You may also edit the qrexec policy file for Split GPG in order to tell Qubes yo Note that, because this makes it easier to accept Split GPG's qrexec authorization prompts, it may decrease security if the user is not careful in reviewing presented prompts. This may also be inadvisable if there are multiple AppVMs with Split GPG set up. -## Using Thunderbird + Enigmail with Split GPG ## +## Using Thunderbird ## + +### Built-in PGP feature (Thunderbird >= 78) + +In `work-email`, use the Thunderbird config editor (found at the bottom of preferences/options), and search for `mail.openpgp.allow_external_gnupg`. Switch the value to true. Still in config editor, search for `mail.openpgp.alternative_gpg_path`. Set its value to `/usr/bin/qubes-gpg-client-wrapper`. Restart Thunderbird after this change. + +Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue. + +You need to obtain your key ID which should be **exactly 16 characters**. For that in `work-gpg`, enter the command `gpg -K --keyid-format long`: + +``` +[user@work-gpg ~]$ gpg -K --keyid-format long +/home/user/.gnupg/pubring.kbx +----------------------------- +sec rsa2048/777402E6D301615C 2020-09-05 [SC] [expires: 2022-09-05] + F7D2D4E922DFB7B2589AF3E9777402E6D301615C +uid [ultimate] Qubes test +ssb rsa2048/370CE932085BA13B 2020-09-05 [E] [expires: 2022-09-05] +``` + +The key ID reference you would need here is `777402E6D301615C`. Now paste or type the ID of the secret key that you would like to use. Be careful to enter it correctly, because your input isn't verified. Confirm to save this key ID. + +This key ID will be used to digitally sign or send an encrypted message with your account. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the public key from `/usr/bin/qubes-gpg-client-wrapper`, you must manually import it. In `work-gpg`, export the key as follow (assuming the key ID would be `777402E6D301615C`): + +``` +[user@work-gpg ~]$ gpg --armor --export 777402E6D301615C > 777402E6D301615C.asc +[user@work-gpg ~]$ qvm-move 777402E6D301615C.asc +``` + +Select `work-email` as target in dom0/GuiVM popup and accept. In `work-email`, use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command. Open the file with your public key. After the import was successfull, you must open the key details, and you must mark your own key as **accepted**. + +Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself. + +For more details about using Smartcards/Split GPG with Thunderbird PGP feature, please see [Thunderbird:OpenPGP:Smartcards] from which the above documentation is inspired. + +### Enigmail with Split GPG (Thunderbird < 78) It is recommended to set up and use `/usr/bin/qubes-gpg-client-wrapper`, as discussed above, in Thunderbird through the Enigmail addon. @@ -337,4 +372,5 @@ As always, exercise caution and use your good judgment.) [apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/ [current-limitations]: #current-limitations [RPC Policy]: /doc/rpc-policy/ +[Thunderbird:OpenPGP:Smartcards]: https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards From 3d0fe68f89581cc057542ea72cd4499910dc9b12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 11:04:11 +0200 Subject: [PATCH 2/8] splitgpg: update Debian/Fedora versions --- user/security-in-qubes/split-gpg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index cf81239f..b105e61e 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -50,11 +50,11 @@ Make sure you have the `qubes-gpg-split` package installed in the template you w For Debian or Whonix: - [user@debian-8 ~]$ sudo apt install qubes-gpg-split + [user@debian-10 ~]$ sudo apt install qubes-gpg-split For Fedora: - [user@fedora-25 ~]$ sudo dnf install qubes-gpg-split + [user@fedora-32 ~]$ sudo dnf install qubes-gpg-split ### Setting up the GPG backend domain ### From 9b78aac0121e0f614d67ce5928ddd99c82549fac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 11:06:32 +0200 Subject: [PATCH 3/8] splitgpg: replace work by work-email This is to be consistent with illustration --- user/security-in-qubes/split-gpg.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index b105e61e..859a9ba7 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -92,9 +92,9 @@ Please be aware of the caveat regarding passphrase-protected keys in the [Curren Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend domain name and use `qubes-gpg-client` in place of `gpg`, e.g.: - [user@work ~]$ export QUBES_GPG_DOMAIN=work-gpg - [user@work ~]$ gpg -K - [user@work ~]$ qubes-gpg-client -K + [user@work-email ~]$ export QUBES_GPG_DOMAIN=work-gpg + [user@work-email ~]$ gpg -K + [user@work-email ~]$ qubes-gpg-client -K /home/user/.gnupg/secring.gpg ----------------------------- sec 4096R/3F48CB21 2012-11-15 @@ -102,7 +102,7 @@ Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend do ssb 4096R/30498E2A 2012-11-15 (...) - [user@work ~]$ qubes-gpg-client secret_message.txt.asc + [user@work-email ~]$ qubes-gpg-client secret_message.txt.asc (...) Note that running normal `gpg -K` in the demo above shows no private keys stored in this AppVM. @@ -116,8 +116,8 @@ If you encounter trouble while trying to set up Split GPG, make sure you're usin The `qubes-gpg-client-wrapper` script sets the `QUBES_GPG_DOMAIN` variable automatically based on the content of the file `/rw/config/gpg-split-domain`, which should be set to the name of the GPG backend VM. This file survives the AppVM reboot, of course. - [user@work ~]$ sudo bash - [root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain + [user@work-email ~]$ sudo bash + [root@work-email ~]$ echo "work-gpg" > /rw/config/gpg-split-domain Split GPG's default qrexec policy requires the user to enter the name of the AppVM containing GPG keys on each invocation. To improve usability for applications like Thunderbird with Enigmail, in `dom0` place the following line at the top of the file `/etc/qubes-rpc/policy/qubes.Gpg`: @@ -170,7 +170,7 @@ For more details about using Smartcards/Split GPG with Thunderbird PGP feature, It is recommended to set up and use `/usr/bin/qubes-gpg-client-wrapper`, as discussed above, in Thunderbird through the Enigmail addon. -**Warning:** Before adding any account, configuring Enigmail with `/usr/bin/qubes-gpg-client-wrapper` is **required**. By default, Enigmail will generate a default GPG key in `work` associated with the newly created Thunderbird account. Generally, it corresponds to the email used in `work-gpg` associated to your private key. In consequence, a new, separate private key will be stored in `work` but it _does not_ correspond to your private key in `work-gpg`. Comparing the `fingerprint` or `expiration date` will show that they are not the same private key. In order to prevent Enigmail using this default generated local key in `work`, you can safely remove it. +**Warning:** Before adding any account, configuring Enigmail with `/usr/bin/qubes-gpg-client-wrapper` is **required**. By default, Enigmail will generate a default GPG key in `work-email` associated with the newly created Thunderbird account. Generally, it corresponds to the email used in `work-gpg` associated to your private key. In consequence, a new, separate private key will be stored in `work-email` but it _does not_ correspond to your private key in `work-gpg`. Comparing the `fingerprint` or `expiration date` will show that they are not the same private key. In order to prevent Enigmail using this default generated local key in `work-email`, you can safely remove it. On a fresh Enigmail install, your need to change the default `Enigmail Junior Mode`. Go to Thunderbird preferences and then privacy tab. Select `Force using S/MIME and Enigmail`. Then, in the preferences of Enigmail, make it point to `/usr/bin/qubes-gpg-client-wrapper` instead of the standard GnuPG binary: @@ -206,7 +206,7 @@ The most basic `~/.gitconfig` file to with working Split GPG looks something lik Your key id is the public id of your signing key, which can be found by running `qubes-gpg-client -k`. In this instance, the key id is DD160C74. - [user@work ~]$ qubes-gpg-client -k + [user@work-email ~]$ qubes-gpg-client -k /home/user/.gnupg/pubring.kbx ----------------------------- pub rsa4096/DD160C74 2016-04-26 @@ -231,8 +231,8 @@ Now you can use `git stag` to add a signed tag to a commit and `git vtag` to ver Use `qubes-gpg-import-key` in the client AppVM to import the key into the GPG backend VM. - [user@work ~]$ export QUBES_GPG_DOMAIN=work-gpg - [user@work ~]$ qubes-gpg-import-key ~/Downloads/marmarek.asc + [user@work-email ~]$ export QUBES_GPG_DOMAIN=work-gpg + [user@work-email ~]$ qubes-gpg-import-key ~/Downloads/marmarek.asc A safe, unspoofable user consent dialog box is displayed. From a347d9dd1049e9925b028a7def22d15f08921516 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 29 Sep 2020 07:37:49 -0500 Subject: [PATCH 4/8] Improve Thunderbird section descriptions This is intended to help with accessibility, user comprehension, and slugifying anchor links. --- user/security-in-qubes/split-gpg.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 859a9ba7..6087043a 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -133,8 +133,9 @@ Note that, because this makes it easier to accept Split GPG's qrexec authorizati ## Using Thunderbird ## -### Built-in PGP feature (Thunderbird >= 78) +### Thunderbird 78 and higher +Starting with version 78, Thunderbird has a built-in PGP feature. In `work-email`, use the Thunderbird config editor (found at the bottom of preferences/options), and search for `mail.openpgp.allow_external_gnupg`. Switch the value to true. Still in config editor, search for `mail.openpgp.alternative_gpg_path`. Set its value to `/usr/bin/qubes-gpg-client-wrapper`. Restart Thunderbird after this change. Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue. @@ -166,8 +167,9 @@ Once this is done, you should be able to send an encrypted and signed email. You For more details about using Smartcards/Split GPG with Thunderbird PGP feature, please see [Thunderbird:OpenPGP:Smartcards] from which the above documentation is inspired. -### Enigmail with Split GPG (Thunderbird < 78) +### Older Thunderbird versions +For Thunderbird versions below 78, the traditional Enigmail + Split GPG setup is required. It is recommended to set up and use `/usr/bin/qubes-gpg-client-wrapper`, as discussed above, in Thunderbird through the Enigmail addon. **Warning:** Before adding any account, configuring Enigmail with `/usr/bin/qubes-gpg-client-wrapper` is **required**. By default, Enigmail will generate a default GPG key in `work-email` associated with the newly created Thunderbird account. Generally, it corresponds to the email used in `work-gpg` associated to your private key. In consequence, a new, separate private key will be stored in `work-email` but it _does not_ correspond to your private key in `work-gpg`. Comparing the `fingerprint` or `expiration date` will show that they are not the same private key. In order to prevent Enigmail using this default generated local key in `work-email`, you can safely remove it. From 9be0e3570071495d9839ac0a9c6109c42718ccfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 13:46:38 +0200 Subject: [PATCH 5/8] splitgpg: use qubes-gpg-client-wrapper to get public key --- user/security-in-qubes/split-gpg.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 6087043a..6270bc46 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -140,10 +140,10 @@ In `work-email`, use the Thunderbird config editor (found at the bottom of prefe Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue. -You need to obtain your key ID which should be **exactly 16 characters**. For that in `work-gpg`, enter the command `gpg -K --keyid-format long`: +You need to obtain your key ID which should be **exactly 16 characters**. Enter the command `qubes-gpg-client-wrapper -K --keyid-format long`: ``` -[user@work-gpg ~]$ gpg -K --keyid-format long +[user@work-email ~]$ qubes-gpg-client-wrapper -K --keyid-format long /home/user/.gnupg/pubring.kbx ----------------------------- sec rsa2048/777402E6D301615C 2020-09-05 [SC] [expires: 2022-09-05] @@ -154,14 +154,13 @@ ssb rsa2048/370CE932085BA13B 2020-09-05 [E] [expires: 2022-09-05] The key ID reference you would need here is `777402E6D301615C`. Now paste or type the ID of the secret key that you would like to use. Be careful to enter it correctly, because your input isn't verified. Confirm to save this key ID. -This key ID will be used to digitally sign or send an encrypted message with your account. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the public key from `/usr/bin/qubes-gpg-client-wrapper`, you must manually import it. In `work-gpg`, export the key as follow (assuming the key ID would be `777402E6D301615C`): +This key ID will be used to digitally sign or send an encrypted message with your account. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the public key from `/usr/bin/qubes-gpg-client-wrapper`, you must manually import it. Export the key as follow (assuming the key ID would be `777402E6D301615C`): ``` -[user@work-gpg ~]$ gpg --armor --export 777402E6D301615C > 777402E6D301615C.asc -[user@work-gpg ~]$ qvm-move 777402E6D301615C.asc +[user@work-email ~]$ qubes-gpg-client-wrapper --armor --export 777402E6D301615C > 777402E6D301615C.asc ``` -Select `work-email` as target in dom0/GuiVM popup and accept. In `work-email`, use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command. Open the file with your public key. After the import was successfull, you must open the key details, and you must mark your own key as **accepted**. +Use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command. Open the file with your public key. After the import was successfull, you must open the key details, and you must mark your own key as **accepted**. Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself. From 18140cc67d8dbd0774b61871e823eed6d93269f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 14:35:47 +0200 Subject: [PATCH 6/8] splitgpg: add screenshots for thunderbird 78+ --- user/security-in-qubes/split-gpg.md | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 6270bc46..143c5338 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -138,7 +138,9 @@ Note that, because this makes it easier to accept Split GPG's qrexec authorizati Starting with version 78, Thunderbird has a built-in PGP feature. In `work-email`, use the Thunderbird config editor (found at the bottom of preferences/options), and search for `mail.openpgp.allow_external_gnupg`. Switch the value to true. Still in config editor, search for `mail.openpgp.alternative_gpg_path`. Set its value to `/usr/bin/qubes-gpg-client-wrapper`. Restart Thunderbird after this change. -Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue. +[![tb78-1.png](/attachment/wiki/SplitGpg/tb78-1.png)](/attachment/wiki/SplitGpg/tb78-1.png) +[![tb78-2.png](/attachment/wiki/SplitGpg/tb78-2.png)](/attachment/wiki/SplitGpg/tb78-2.png) +[![tb78-3.png](/attachment/wiki/SplitGpg/tb78-3.png)](/attachment/wiki/SplitGpg/tb78-3.png) You need to obtain your key ID which should be **exactly 16 characters**. Enter the command `qubes-gpg-client-wrapper -K --keyid-format long`: @@ -152,17 +154,30 @@ uid [ultimate] Qubes test ssb rsa2048/370CE932085BA13B 2020-09-05 [E] [expires: 2022-09-05] ``` -The key ID reference you would need here is `777402E6D301615C`. Now paste or type the ID of the secret key that you would like to use. Be careful to enter it correctly, because your input isn't verified. Confirm to save this key ID. - -This key ID will be used to digitally sign or send an encrypted message with your account. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the public key from `/usr/bin/qubes-gpg-client-wrapper`, you must manually import it. Export the key as follow (assuming the key ID would be `777402E6D301615C`): - ``` [user@work-email ~]$ qubes-gpg-client-wrapper --armor --export 777402E6D301615C > 777402E6D301615C.asc ``` -Use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command. Open the file with your public key. After the import was successfull, you must open the key details, and you must mark your own key as **accepted**. +Open the Account Settings and open the *End-to-End Encryption* tab of the respective email account. Click the *Add Key* button. You'll be offered the choice *Use your external key through GnuPG*. Select it and click Continue. -Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself. +[![tb78-4.png](/attachment/wiki/SplitGpg/tb78-4.png)](/attachment/wiki/SplitGpg/tb78-4.png) +[![tb78-5.png](/attachment/wiki/SplitGpg/tb78-5.png)](/attachment/wiki/SplitGpg/tb78-5.png) + +The key ID reference you would need here is `777402E6D301615C`. Now paste or type the ID of the secret key that you would like to use. Be careful to enter it correctly, because your input isn't verified. Confirm to save this key ID. Now you can select the key ID to use. + +[![tb78-6.png](/attachment/wiki/SplitGpg/tb78-6.png)](/attachment/wiki/SplitGpg/tb78-6.png) +[![tb78-7.png](/attachment/wiki/SplitGpg/tb78-7.png)](/attachment/wiki/SplitGpg/tb78-7.png) + +This key ID will be used to digitally sign or send an encrypted message with your account. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the public key from `/usr/bin/qubes-gpg-client-wrapper`, you must manually import it. Export the key as follow (assuming the key ID would be `777402E6D301615C`): + +[![tb78-8.png](/attachment/wiki/SplitGpg/tb78-8.png)](/attachment/wiki/SplitGpg/tb78-8.png) +[![tb78-9.png](/attachment/wiki/SplitGpg/tb78-9.png)](/attachment/wiki/SplitGpg/tb78-9.png) + +Use Thunderbird's Tools menu to open *OpenPGP Key Management*. In that window, use the File menu to access the *Import Public Key(s) From File* command. Open the file with your public key. After the import was successfull, right click on the imported key in the list and select *Key Properties*. You must mark your own key as *Yes, I've verified in person this key has the correct fingerprint*. + +Once this is done, you should be able to send an encrypted and signed email by selecting *Require Encryption* or *Digitally Sign This Message* in the compose menu *Options* or *Security* toolbar button. You can try it by sending an email to yourself. + +[![tb78-10.png](/attachment/wiki/SplitGpg/tb78-10.png)](/attachment/wiki/SplitGpg/tb78-10.png) For more details about using Smartcards/Split GPG with Thunderbird PGP feature, please see [Thunderbird:OpenPGP:Smartcards] from which the above documentation is inspired. From 715069bdb28b0b75cce16c954cec09e53ad302bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 15:07:49 +0200 Subject: [PATCH 7/8] splitgpg: make uniform denomination of smart card in the text --- user/security-in-qubes/split-gpg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 143c5338..7b7b9142 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -179,7 +179,7 @@ Once this is done, you should be able to send an encrypted and signed email by s [![tb78-10.png](/attachment/wiki/SplitGpg/tb78-10.png)](/attachment/wiki/SplitGpg/tb78-10.png) -For more details about using Smartcards/Split GPG with Thunderbird PGP feature, please see [Thunderbird:OpenPGP:Smartcards] from which the above documentation is inspired. +For more details about using smart cards/Split GPG with Thunderbird PGP feature, please see [Thunderbird:OpenPGP:Smartcards] from which the above documentation is inspired. ### Older Thunderbird versions From 9652c264e95e476d15a1ab162c1602d85b85f721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 29 Sep 2020 15:12:04 +0200 Subject: [PATCH 8/8] Update travis to bionic --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c922b5af..fd574b28 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,5 @@ language: ruby -dist: trusty +dist: bionic rvm: - 2.5 install: git clone https://github.com/${TRAVIS_REPO_SLUG%%/*}/qubesos.github.io ~/qubesos.github.io