Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'patch-5' of https://github.com/gasull/qubes-doc into gasull-patch-5

Browse Source
This commit is contained in:
Andrew David Wong 2018-11-12 04:05:07 -06:00
commit 5e8d990a93
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
security/split-gpg.md
View File

@ -74,14 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain
could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before. If
you have a private key that already has a passphrase set use
`gpg2 --edit-key {key_id}`, then `passwd` to set an empty passphrase. Be aware
that `pinentry-ncurses` doesn't allow setting empty passphrases, so you would need
to install `pinentry-gtk` for it to work.
- The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before.
If you are generating a new key pair, or if you have a private
key that already has a passphrase and use
`gpg2 --edit-key {key_id}` then `passwd`, then pinentry [might show an error when
setting an empty passphrase but still make the change](https://unix.stackexchange.com/a/379373).
## Configuring Split GPG ##