From b84107ce7977bd3bab441924eebc797a24d4b123 Mon Sep 17 00:00:00 2001 From: Fidel Ramos Date: Tue, 16 Oct 2018 19:01:41 +0000 Subject: [PATCH 1/2] Document Split GPG error Split GPG doesn't work when the private key is protected by a passphrase in the GPG backend. It took me a couple hours to find the problem and how to fix it, first because the ioctl error is not common and then because of the pinentry-ncurses limitation. I'm hoping that future users that search for "qubes gpg ioctl error" will find this information. --- security/split-gpg.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security/split-gpg.md b/security/split-gpg.md index 9a2bd6d5..def1210b 100644 --- a/security/split-gpg.md +++ b/security/split-gpg.md @@ -74,6 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain could start a Disposable VM and have the to-be-signed document displayed there? To Be Determined. +- The Split GPG client will fail to sign or encrypt if the private key in the +GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl +for device"* error. Avoid setting passphrases for the private keys in the GPG +backend domain, it won't provide extra security anyway, if an attacker gains +access to it they will likely be able to get the passphrase too. If you have a +private key that already has a passphrase set use `gpg2 --edit-key `, +then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty +passphrases, so you would need to install `pinentry-gtk`. ## Configuring Split GPG ## From e3d7908100bd771419c027861d453a89c8c30bca Mon Sep 17 00:00:00 2001 From: Fidel Ramos Date: Sat, 20 Oct 2018 19:28:29 +0000 Subject: [PATCH 2/2] Reorganize mentions to passphrases in Split GPG I added a mention about the limitation regarding passphrase-protected GPG keys in the *Setting up the GPG backend domain* section, which is the one that users will follow up in their initial set up. Given that this issue is not specific of any QubesOS version I don't think it deserves a mention in those sections. --- security/split-gpg.md | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/security/split-gpg.md b/security/split-gpg.md index def1210b..271e819f 100644 --- a/security/split-gpg.md +++ b/security/split-gpg.md @@ -77,11 +77,11 @@ there? To Be Determined. - The Split GPG client will fail to sign or encrypt if the private key in the GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl for device"* error. Avoid setting passphrases for the private keys in the GPG -backend domain, it won't provide extra security anyway, if an attacker gains -access to it they will likely be able to get the passphrase too. If you have a -private key that already has a passphrase set use `gpg2 --edit-key `, -then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty -passphrases, so you would need to install `pinentry-gtk`. +backend domain, it won't provide extra security anyway, as explained before. If +you have a private key that already has a passphrase set use `gpg2 --edit-key +`, then `passwd` to set an empty passphrase. Be aware that +`pinentry-ncurses` doesn't allow setting empty passphrases, so you would need to +install `pinentry-gtk` for it to work. ## Configuring Split GPG ## @@ -123,6 +123,9 @@ for key access should be valid (default 5 minutes). This is adjustable via [user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile +Please be aware of the caveat regarding passphrase-protected keys in the +[Current limitations][current-limitations] section. + ### Configuring the client apps to use Split GPG backend ### Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend @@ -171,14 +174,6 @@ the name of the GPG backend VM. This file survives the AppVM reboot, of course. [user@work ~]$ sudo bash [root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain -A note on passphrases: - -You may experience trouble when attempting to use a PGP key *with a passphrase* -along with Split-GPG and Enigmail. If you do, you may need to remove the -passphrase from your (sub)key(s) in order to get Split-GPG working correctly. -As mentioned above, we do not believe PGP key passphrases to be significant -from a security perspective. - ## Qubes 4.0 Specifics ## ### Using Thunderbird + Enigmail with Split GPG ### @@ -411,4 +406,5 @@ exercise caution and use your good judgment.) [cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/ [luck]: https://gist.github.com/abeluck/3383449 [apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/ +[current-limitations]: #current-limitations