minor changes for clarity

minor changes to make the split GPG instructions clearer to uncertain users.
Marta Marczykowska-Górecka 2020-02-02 00:30:41 +01:00 committed by GitHub
parent 6ced25e79b
commit 6e02af0c7f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -64,22 +64,26 @@ This way it would be easy to spot unexpected requests to decrypt documents.
In dom0, make sure the `qubes-gpg-split-dom0` package is installed. In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0 [user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
Make sure you have the `qubes-gpg-split` package installed in the template you will use for the GPG domain.
If using templates based on Debian or Whonix, make sure you have the `qubes-gpg-split` package installed. For Debian or Whonix:
[user@debian-8 ~]$ sudo apt install qubes-gpg-split [user@debian-8 ~]$ sudo apt install qubes-gpg-split
For Fedora. For Fedora:
[user@fedora-25 ~]$ sudo dnf install qubes-gpg-split [user@fedora-25 ~]$ sudo dnf install qubes-gpg-split
Start with creating a dedicated AppVM for storing your keys (the GPG backend domain). ### Setting up the GPG backend domain ###
First, create a dedicated AppVM for storing your keys (we will be calling it the GPG backend domain).
It is recommended that this domain be network disconnected (set its netvm to `none`) and only used for this one purpose. It is recommended that this domain be network disconnected (set its netvm to `none`) and only used for this one purpose.
In later examples this AppVM is named `work-gpg`, but of course it might have any other name. In later examples this AppVM is named `work-gpg`, but of course it might have any other name.
### Setting up the GPG backend domain ### Make sure that gpg is installed there.
At this stage you can add the private keys you want to store there, or you can now set up Split GPG and add the keys later.
Make sure that gpg is installed there, and there are some private keys in the keyring, e.g.: To check which private keys are in your GPG keyring, use:
[user@work-gpg ~]$ gpg -K [user@work-gpg ~]$ gpg -K
/home/user/.gnupg/secring.gpg /home/user/.gnupg/secring.gpg
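Review bot: The new sentence "At this stage you can add the private keys you want to store there, or you can now set up Split GPG and add the keys later" is followed directly by the `gpg -K` check and sample output from a populated keyring, so a reader who defers the import will see an empty listing and may take it as a failed setup. Suggest adding one sentence after "To check which private keys are in your GPG keyring, use:" saying that empty output is expected until keys have been added. Minor: in "Make sure that gpg is installed there", "there" now sits one sentence further from the AppVM it refers to; "in the GPG backend domain" would be unambiguous, which matters since this is the domain holding the private keys.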
@ -91,13 +95,13 @@ Make sure that gpg is installed there, and there are some private keys in the ke
This is pretty much all that is required. This is pretty much all that is required.
However, you might want to modify the default timeout: this tells the backend for how long the user's approval for key access should be valid. However, you might want to modify the default timeout: this tells the backend for how long the user's approval for key access should be valid.
(The default is 5 minutes.) You can change this via the `QUBES_GPG_AUTOACCEPT` variable. (The default is 5 minutes.) You can change this via the `QUBES_GPG_AUTOACCEPT` environment variable.
You can override it e.g. in `~/.profile`: You can override it e.g. in `~/.profile`:
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.profile [user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.profile
Please note that at one time, this parameter was set in ~/.bash_profile. Please note that previously, this parameter was set in ~/.bash_profile.
This will no longer work. This will no longer work.
If you have the parameter set in ~/.bash_profile you *must* update your configuration. If you have the parameter set in ~/.bash_profile you *must* update your configuration.
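Review bot: The line that now reads "You can change this via the `QUBES_GPG_AUTOACCEPT` environment variable" still does not state the unit, while the default is given as "5 minutes" and the example sets `86400`. Suggest stating that the value is in seconds, so that an uncertain user copying the `~/.profile` line understands it extends the approval window from 5 minutes to 24 hours rather than treating it as a recommended setting. Style: `~/.bash_profile` appears three times without backticks while `~/.profile` has them; worth making consistent while these lines are being touched. "Previously" is also no more specific than "at one time"; if the release where the change happened is known, naming it would tell users whether they are affected.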