mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-01-26 06:26:18 -05:00
minor changes for clarity
minor changes to make the split GPG instructions clearer to uncertain users.
This commit is contained in:
parent
6ced25e79b
commit
6e02af0c7f
@ -64,22 +64,26 @@ This way it would be easy to spot unexpected requests to decrypt documents.
|
|||||||
In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
|
In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
|
||||||
|
|
||||||
[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
|
[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
|
||||||
|
|
||||||
|
Make sure you have the `qubes-gpg-split` package installed in the template you will use for the GPG domain.
|
||||||
|
|
||||||
If using templates based on Debian or Whonix, make sure you have the `qubes-gpg-split` package installed.
|
For Debian or Whonix:
|
||||||
|
|
||||||
[user@debian-8 ~]$ sudo apt install qubes-gpg-split
|
[user@debian-8 ~]$ sudo apt install qubes-gpg-split
|
||||||
|
|
||||||
For Fedora.
|
For Fedora:
|
||||||
|
|
||||||
[user@fedora-25 ~]$ sudo dnf install qubes-gpg-split
|
[user@fedora-25 ~]$ sudo dnf install qubes-gpg-split
|
||||||
|
|
||||||
Start with creating a dedicated AppVM for storing your keys (the GPG backend domain).
|
### Setting up the GPG backend domain ###
|
||||||
|
|
||||||
|
First, create a dedicated AppVM for storing your keys (we will be calling it the GPG backend domain).
|
||||||
It is recommended that this domain be network disconnected (set its netvm to `none`) and only used for this one purpose.
|
It is recommended that this domain be network disconnected (set its netvm to `none`) and only used for this one purpose.
|
||||||
In later examples this AppVM is named `work-gpg`, but of course it might have any other name.
|
In later examples this AppVM is named `work-gpg`, but of course it might have any other name.
|
||||||
|
|
||||||
### Setting up the GPG backend domain ###
|
Make sure that gpg is installed there.
|
||||||
|
At this stage you can add the private keys you want to store there, or you can now set up Split GPG and add the keys later.
|
||||||
Make sure that gpg is installed there, and there are some private keys in the keyring, e.g.:
|
To check which private keys are in your GPG keyring, use:
|
||||||
|
|
||||||
[user@work-gpg ~]$ gpg -K
|
[user@work-gpg ~]$ gpg -K
|
||||||
/home/user/.gnupg/secring.gpg
|
/home/user/.gnupg/secring.gpg
|
||||||
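Review bot: The new sentence "At this stage you can add the private keys you want to store there, or you can now set up Split GPG and add the keys later." does not say how keys get into the domain, which the lines just above it recommend keeping network disconnected (netvm `none`). A clause saying whether to generate the keys in place or import them, or a pointer to the section that covers it, would close that gap. Separately, "Make sure that gpg is installed there." is now the only install step in this hunk without a command next to it, unlike the `qubes-gpg-split` steps above.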
@ -91,13 +95,13 @@ Make sure that gpg is installed there, and there are some private keys in the ke
|
|||||||
|
|
||||||
This is pretty much all that is required.
|
This is pretty much all that is required.
|
||||||
However, you might want to modify the default timeout: this tells the backend for how long the user's approval for key access should be valid.
|
However, you might want to modify the default timeout: this tells the backend for how long the user's approval for key access should be valid.
|
||||||
(The default is 5 minutes.) You can change this via the `QUBES_GPG_AUTOACCEPT` variable.
|
(The default is 5 minutes.) You can change this via the `QUBES_GPG_AUTOACCEPT` environment variable.
|
||||||
You can override it e.g. in `~/.profile`:
|
You can override it e.g. in `~/.profile`:
|
||||||
|
|
||||||
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.profile
|
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.profile
|
||||||
|
|
||||||
|
|
||||||
Please note that at one time, this parameter was set in ~/.bash_profile.
|
Please note that previously, this parameter was set in ~/.bash_profile.
|
||||||
This will no longer work.
|
This will no longer work.
|
||||||
If you have the parameter set in ~/.bash_profile you *must* update your configuration.
|
If you have the parameter set in ~/.bash_profile you *must* update your configuration.
|
||||||
|
|
||||||
|
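Review bot: The reworded `QUBES_GPG_AUTOACCEPT` sentence still gives no unit: the default is stated as "5 minutes" while the example right below sets 86400, so the reader has to infer that the value is in seconds. Stating the unit in that sentence would help, along with a short remark that the example value keeps an approval valid for a full day rather than the 5-minute default. In the last changed line, "previously" does not say since which release `~/.bash_profile` stopped being read, and the `~/.bash_profile` mentions lack the backticks used for `~/.profile`.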