Reorganize mentions of passphrases in Split GPG

I added a mention about the limitation regarding passphrase-protected GPG keys
in the *Setting up the GPG backend domain* section, which is the one that users
will follow in their initial setup. Given that this issue is not specific to any
QubesOS version, I don't think it deserves a mention in those sections.
Fidel Ramos 2018-10-20 19:28:29 +00:00 committed by GitHub
parent b84107ce79
commit e3d7908100
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -77,11 +77,11 @@ there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the - The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, if an attacker gains backend domain, it won't provide extra security anyway, as explained before. If
access to it they will likely be able to get the passphrase too. If you have a you have a private key that already has a passphrase set use `gpg2 --edit-key
private key that already has a passphrase set use `gpg2 --edit-key <key_id>`, <key_id>`, then `passwd` to set an empty passphrase. Be aware that
then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty `pinentry-ncurses` doesn't allow setting empty passphrases, so you would need to
passphrases, so you would need to install `pinentry-gtk`. install `pinentry-gtk` for it to work.
## Configuring Split GPG ## ## Configuring Split GPG ##
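Review bot: In the rewritten limitation bullet, "as explained before" replaces the inline reasoning (an attacker with access to the backend domain will likely be able to get the passphrase too) without saying where that explanation lives. Either keep the one-clause rationale or link to the section that gives it, so the bullet still justifies the advice to drop the passphrase when read on its own. Separately, "passphrase set use `gpg2 --edit-key <key_id>`" needs a comma after "set", and "it will give a" joins two sentences with a comma.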
@ -123,6 +123,9 @@ for key access should be valid (default 5 minutes). This is adjustable via
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile [user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile
Please be aware of the caveat regarding passphrase-protected keys in the
[Current limitations][current-limitations] section.
### Configuring the client apps to use Split GPG backend ### ### Configuring the client apps to use Split GPG backend ###
Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend
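Review bot: The sentence added after the `QUBES_GPG_AUTOACCEPT` example says only "the caveat" and does not name the consequence, so a reader following the setup steps does not learn from this line that signing and encryption fail with a passphrase-protected key. Suggest stating the failure in the sentence itself, and setting it apart from the autoaccept text so it is not read as a caveat about the timeout value.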
@ -171,14 +174,6 @@ the name of the GPG backend VM. This file survives the AppVM reboot, of course.
[user@work ~]$ sudo bash [user@work ~]$ sudo bash
[root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain [root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain
A note on passphrases:
You may experience trouble when attempting to use a PGP key *with a passphrase*
along with Split-GPG and Enigmail. If you do, you may need to remove the
passphrase from your (sub)key(s) in order to get Split-GPG working correctly.
As mentioned above, we do not believe PGP key passphrases to be significant
from a security perspective.
## Qubes 4.0 Specifics ## ## Qubes 4.0 Specifics ##
### Using Thunderbird + Enigmail with Split GPG ### ### Using Thunderbird + Enigmail with Split GPG ###
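Review bot: The deleted note is the only text in this patch that mentions subkeys ("(sub)key(s)") and Enigmail, while the bullet in the first hunk speaks only of "private keys". Suggest adding subkeys to that bullet so the guidance is not lost with this removal. The deleted "As mentioned above" and the new "as explained before" both lean on an explanation outside these hunks; worth confirming it is still present in the file after the change.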
@ -411,4 +406,5 @@ exercise caution and use your good judgment.)
[cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/ [cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/
[luck]: https://gist.github.com/abeluck/3383449 [luck]: https://gist.github.com/abeluck/3383449
[apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/ [apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
[current-limitations]: #current-limitations
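Review bot: The new `[current-limitations]: #current-limitations` reference depends on a generated heading anchor, and the heading itself is not part of this diff. Check in a rendered build that the limitations heading produces exactly `#current-limitations` with the trailing `##` heading style this file uses; otherwise the link added in the second hunk is dead.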