Merge branch 'mfc-patch-9'

Andrew David Wong 2018-07-10 19:31:01 -05:00
commit 69a2b35c62
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17


@ -14,11 +14,10 @@ redirect_from:
- /wiki/UserDoc/OpenPGP/
---
Qubes Split GPG
===============
# Qubes Split GPG #
## What is Split GPG and why should I use it instead of the standard GPG? ##
What is Split GPG and why should I use it instead of the standard GPG?
----------------------------------------------------------------------
Split GPG implements a concept similar to having a smart card with your
private GPG keys, except that the role of the "smart card" plays another Qubes
AppVM. This way one, not-so-trusted domain, e.g. the one where Thunderbird is
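Review bot: the hunk header reports a net change of only one line (`-14,11 +14,10`) for two setext-to-ATX heading conversions (`Qubes Split GPG` / `===============` and `What is Split GPG ...` / `-------...`), yet each conversion should drop one underline line; the rendered view has lost the `+`/`-` markers, so confirm that both underlines are actually removed and that a blank line was added, rather than one setext underline surviving beside its ATX replacement. The closing `#` marks on `# Qubes Split GPG #` and `## What is Split GPG ... ##` match the form used in the later hunks, so the heading style itself is consistent.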
@ -76,8 +75,7 @@ could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined.
Configuring Split GPG
---------------------
## Configuring Split GPG ##
In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
@ -146,7 +144,9 @@ only `gpg2`). If you encounter trouble while trying to set up Split-GPG, make
sure you're using `gpg2` for your configuration and testing, since keyring data
may differ between the two installations.
## Using Thunderbird + Enigmail with Split GPG ##
## Qubes 3.2 Specifics ##
### Using Thunderbird + Enigmail with Split GPG ###
However, when using Thunderbird with Enigmail extension it is
not enough, because Thunderbird doesn't preserve the environment
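Review bot: the paragraph that now opens the new `## Qubes 3.2 Specifics ##` section begins with "However, when using Thunderbird with Enigmail extension it is not enough, because Thunderbird doesn't preserve the environment", which reads as a continuation of the `gpg2` keyring text above it; once an H2 and an H3 are inserted in between, "However" and "it is not enough" have no antecedent in the section the reader has just entered. Suggest rewording the first sentence to say what is not enough (the environment setup described in the preceding section) so that the section stands on its own.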
@ -171,6 +171,21 @@ passphrase from your (sub)key(s) in order to get Split-GPG working correctly.
As mentioned above, we do not believe PGP key passphrases to be significant
from a security perspective.
## Qubes 4.0 Specifics ##
### Using Thunderbird + Enigmail with Split GPG ###
New qrexec policies in Qubes R4.0 by default require the user to enter the name
of the domain containing GPG keys each time it is accessed. To improve usability
for Thunderbird+Enigmail, in `dom0` place the following line at the top of the file
`/etc/qubes-rpc/policy/qubes.Gpg`:
```
work-email work-gpg allow
```
where `work-email` is the Thunderbird+Enigmail AppVM and `work-gpg` contains
your GPG keys.
## Using Git with Split GPG ##
Git can be configured to used with Split-GPG, something useful if you would
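Review bot: the added `### Using Thunderbird + Enigmail with Split GPG ###` under `## Qubes 4.0 Specifics ##` has exactly the same text as the H3 kept under `## Qubes 3.2 Specifics ##`, so the rendered page will carry two headings with the same auto-generated anchor id and any link to that section becomes ambiguous; suggest qualifying one or both headings with the release (for example appending `(R4.0)`), or folding the 4.0 policy note into a single Thunderbird section with a per-release subsection. Minor: the fence around `work-email work-gpg allow` has no language tag, and the trailing context line `Git can be configured to used with Split-GPG` is missing "be" (a drive-by fix would be welcome while this file is being touched).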
@ -227,23 +242,9 @@ displayed to accept this.
<br />
Qubes 4.0
---------
New qrexec policies in Qubes R4.0 by default require the user to enter the name
of the domain containing GPG keys each time it is accessed. To improve usability
for Thunderbird+Enigmail, in `dom0` place the following line at the top of the file
`/etc/qubes-rpc/policy/qubes.Gpg`:
```
work-email work-gpg allow
```
where `work-email` is the Thunderbird+Enigmail AppVM and `work-gpg` contains
your GPG keys.
## Advanced: Using Split GPG with Subkeys ##
<br />
Advanced: Using Split GPG with Subkeys
--------------------------------------
Users with particularly high security requirements may wish to use Split
GPG with [subkeys]. However, this setup
comes at a significant cost: It will be impossible to sign other people's keys
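Review bot: the `Qubes 4.0` setext section removed here is reproduced verbatim under `## Qubes 4.0 Specifics ##` in the earlier hunk, so no content is lost, but the two `<br />` spacers are treated differently: the one that preceded the removed section is kept as context while the one before the old `Advanced: Using Split GPG with Subkeys` setext heading is dropped with it. Confirm that the surviving `<br />` still sits between the Git section and the new `## Advanced: Using Split GPG with Subkeys ##` heading and does not leave either a doubled spacer or an orphaned one at the end of the Git text.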