Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'patch-1' of https://github.com/haplo/qubes-doc into haplo-patch-1

Browse Source
This commit is contained in:
Andrew David Wong 2018-10-23 19:07:14 -05:00
commit 8fdcd22bfc
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
security/split-gpg.md
View File

@ -74,6 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain
could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before. If
you have a private key that already has a passphrase set use `gpg2 --edit-key
<key_id>`, then `passwd` to set an empty passphrase. Be aware that
`pinentry-ncurses` doesn't allow setting empty passphrases, so you would need to
install `pinentry-gtk` for it to work.
## Configuring Split GPG ##
@ -115,6 +123,9 @@ for key access should be valid (default 5 minutes). This is adjustable via
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile
Please be aware of the caveat regarding passphrase-protected keys in the
[Current limitations][current-limitations] section.
### Configuring the client apps to use Split GPG backend ###
Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend
@ -163,14 +174,6 @@ the name of the GPG backend VM. This file survives the AppVM reboot, of course.
[user@work ~]$ sudo bash
[root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain
A note on passphrases:
You may experience trouble when attempting to use a PGP key *with a passphrase*
along with Split-GPG and Enigmail. If you do, you may need to remove the
passphrase from your (sub)key(s) in order to get Split-GPG working correctly.
As mentioned above, we do not believe PGP key passphrases to be significant
from a security perspective.
## Qubes 4.0 Specifics ##
### Using Thunderbird + Enigmail with Split GPG ###
@ -403,4 +406,5 @@ exercise caution and use your good judgment.)
[cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/
[luck]: https://gist.github.com/abeluck/3383449
[apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
[current-limitations]: #current-limitations