Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Improve empty passphrase explanation (#734)

Browse Source 
- Fix grammar and orthography
- Clarify phrasing
- Improve formatting
- Provide links to sections containing security explanations
- Use reference-style links
This commit is contained in:
Andrew David Wong 2018-11-12 04:16:54 -06:00
parent 5e8d990a93
commit 663f96aae3
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
security/split-gpg.md
View File

@ -75,13 +75,15 @@ could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined. there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the - The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl GnuPG backend is protected by a passphrase. It will give an `Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG for device` error. Do not set passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before. backend domain. Doing so won't provide any extra security anyway, as explained
If you are generating a new key pair, or if you have a private [above][intro] and [below][using split GPG with subkeys]. If you are generating
key that already has a passphrase and use a new key pair, or if you have a private key that already has a passphrase, you
`gpg2 --edit-key {key_id}` then `passwd`, then pinentry [might show an error when can use `gpg2 --edit-key <key_id>` then `passwd` to set an empty passphrase.
setting an empty passphrase but still make the change](https://unix.stackexchange.com/a/379373). Note that `pinentry` might show an error when you try to set an empty
passphrase, but it will still make the change. (See [this StackExchange
answer][se-pinentry] for more information.)
## Configuring Split GPG ## ## Configuring Split GPG ##
@ -396,6 +398,8 @@ exercise caution and use your good judgment.)
[#474]: https://github.com/QubesOS/qubes-issues/issues/474 [#474]: https://github.com/QubesOS/qubes-issues/issues/474
[using split GPG with subkeys]: #advanced-using-split-gpg-with-subkeys [using split GPG with subkeys]: #advanced-using-split-gpg-with-subkeys
[intro]: #what-is-split-gpg-and-why-should-i-use-it-instead-of-the-standard-gpg
[se-pinentry]: https://unix.stackexchange.com/a/379373
[subkeys]: https://wiki.debian.org/Subkeys [subkeys]: https://wiki.debian.org/Subkeys
[copied]: /doc/copying-files#on-inter-qube-file-copy-security [copied]: /doc/copying-files#on-inter-qube-file-copy-security
[pasted]: /doc/copy-paste#on-copypaste-security [pasted]: /doc/copy-paste#on-copypaste-security