Document Split GPG error

Split GPG doesn't work when the private key is protected by a passphrase in the
GPG backend. It took me a couple hours to find the problem and how to fix it,
first because the ioctl error is not common and then because of the
pinentry-ncurses limitation. I'm hoping that future users that search for "qubes
gpg ioctl error" will find this information.
Fidel Ramos 2018-10-16 19:01:41 +00:00 committed by GitHub
parent 8f77ebcf07
commit b84107ce79
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -74,6 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain
could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, if an attacker gains
access to it they will likely be able to get the passphrase too. If you have a
private key that already has a passphrase set use `gpg2 --edit-key <key_id>`,
then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty
passphrases, so you would need to install `pinentry-gtk`.
## Configuring Split GPG ##
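Review bot: the recovery steps at the end of the added bullet stop at `passwd` and never say that the new passphrase must be left empty or that the command is run inside the GPG backend domain, so a reader can follow them and still end up with a passphrase-protected key. Suggest spelling it out, for example "in the GPG backend domain run `gpg2 --edit-key <key_id>`, then `passwd`, and set an empty passphrase", and moving the `pinentry-ncurses` caveat ahead of that step, since `pinentry-gtk` has to be installed before the empty passphrase can be set. The claim "it won't provide extra security anyway" is broader than the justification given, which only covers an attacker who already has access to the backend domain; wording it as "provides little extra protection against an attacker who has compromised the backend domain" would match the argument. Style: the bullet has three comma splices ("passphrase, it will give", "backend domain, it won't", "anyway, if an attacker") that should be split into sentences, "a *"Inappropriate ioctl for device"* error" should read "an", and "already has a passphrase set use" needs a comma before "use".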