Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-12 15:59:37 -05:00
Code Issues Packages Projects Releases Wiki Activity

minor changes for clarity

Browse Source 
minor changes to make the split GPG instructions clearer to uncertain users.
This commit is contained in:
Marta Marczykowska-Górecka 2020-02-02 00:30:41 +01:00 committed by GitHub
parent 6ced25e79b
commit 6e02af0c7f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
user/security-in-qubes/split-gpg.md
View File

@ -65,21 +65,25 @@ In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
If using templates based on Debian or Whonix, make sure you have the `qubes-gpg-split` package installed.
Make sure you have the `qubes-gpg-split` package installed in the template you will use for the GPG domain.
For Debian or Whonix:
[user@debian-8 ~]$ sudo apt install qubes-gpg-split
For Fedora.
For Fedora:
[user@fedora-25 ~]$ sudo dnf install qubes-gpg-split
Start with creating a dedicated AppVM for storing your keys (the GPG backend domain).
### Setting up the GPG backend domain ###
First, create a dedicated AppVM for storing your keys (we will be calling it the GPG backend domain).
It is recommended that this domain be network disconnected (set its netvm to `none`) and only used for this one purpose.
In later examples this AppVM is named `work-gpg`, but of course it might have any other name.
### Setting up the GPG backend domain ###
Make sure that gpg is installed there, and there are some private keys in the keyring, e.g.:
Make sure that gpg is installed there.
At this stage you can add the private keys you want to store there, or you can now set up Split GPG and add the keys later.
To check which private keys are in your GPG keyring, use:
[user@work-gpg ~]$ gpg -K
/home/user/.gnupg/secring.gpg
@ -91,13 +95,13 @@ Make sure that gpg is installed there, and there are some private keys in the ke
This is pretty much all that is required.
However, you might want to modify the default timeout: this tells the backend for how long the user's approval for key access should be valid.
(The default is 5 minutes.) You can change this via the `QUBES_GPG_AUTOACCEPT` variable.
(The default is 5 minutes.) You can change this via the `QUBES_GPG_AUTOACCEPT` environment variable.
You can override it e.g. in `~/.profile`:
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.profile
Please note that at one time, this parameter was set in ~/.bash_profile.
Please note that previously, this parameter was set in ~/.bash_profile.
This will no longer work.
If you have the parameter set in ~/.bash_profile you *must* update your configuration.