Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-02-04 17:05:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

Remove waning about being unusable

Browse Source
This commit is contained in:
Daniel Gonzalez Gasull 2018-11-12 15:15:42 +08:00 committed by GitHub
parent 0512a3807c
commit 66eaafa781
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
security/split-gpg.md
View File

@ -74,18 +74,15 @@ signed before the operation gets approved. Perhaps the GPG backend domain
could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined.
- **Split GPG is unusable due to the following problem**:
The Split GPG client will fail to sign or encrypt if the private key in the
- The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before.
Unfortunately you can't set empty passphrases no matter what `pinentry-*` package
you are using. If you are generating a new key pair, or if you have a private
key that already has a passphrase and use
`gpg2 --edit-key {key_id}`, then `passwd`, then pinentry won't allow setting an
empty passphrase. This is true for any pinentry packages like `pinentry-ncurses`
and `pinentry-gtk` in Fedora, and for `pinentry-curses`, `pinentry-gtk2` and
`pinentry-gnome` in Debian.
`gpg2 --edit-key {key_id}` then `passwd`, then pinentry [might show an error when
setting an empty passphrase but still make the change](https://unix.stackexchange.com/a/379373).
## Configuring Split GPG ##