From ff018b699fe9f6ea39b2be59b2a1d61d2d818ffb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Wed, 12 Feb 2020 13:55:16 +0100 Subject: [PATCH 1/2] enigmail: add a warning about default created gpg key by enigmail Related to https://github.com/QubesOS/qubes-issues/issues/5639 --- user/security-in-qubes/split-gpg.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index db97a0e4..81bb7050 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md @@ -156,6 +156,10 @@ It is recommended to set up and use `/usr/bin/qubes-gpg-client-wrapper`, as disc ![tb-enigmail-split-gpg-settings-2.png](/attachment/wiki/SplitGpg/tb-enigmail-split-gpg-settings-2.png) +**Warning:** By default, Enigmail could generate a default GPG key in `work` associated with the newly created Thunderbird account. Generally, it corresponds to the email used in +`work-gpg` associated to your private key. In consequence, you will obtain `gpg -K` in `work` being non-empty but it _does not_ correspond to your private key in `work-gpg`. +Comparing the `fingerprint` or `expiration date` will show that they are not the same private key. In order to prevent Enigmail using this defaut generated local key in `work`, you can safely remove it. + ## Using Git with Split GPG ## Git can be configured to used with Split GPG, something useful if you would like to contribute to the Qubes OS Project as every commit is required to be signed. From 0ddbfe21043a8ac4cd369423b74e1ab30d06b175 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Fri, 14 Feb 2020 12:13:03 +0100 Subject: [PATCH 2/2] splitgpg: rewording according to Marek's comments --- user/security-in-qubes/split-gpg.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 81bb7050..bb6101ad 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -152,14 +152,14 @@ Note that, because this makes it easier to accept Split GPG's qrexec authorizati ### Using Thunderbird + Enigmail with Split GPG ### -It is recommended to set up and use `/usr/bin/qubes-gpg-client-wrapper`, as discussed above, by pointing Enigmail at this script instead of the standard GnuPG binary: +It is recommended to set up and use `/usr/bin/qubes-gpg-client-wrapper`, as discussed above, in Thunderbird thought it's Enigmail addon. + +**Warning:** Before adding any account, configuring Enigmail with `/usr/bin/qubes-gpg-client-wrapper` is **required**. By default, Enigmail will generate a default GPG key in `work` associated with the newly created Thunderbird account. Generally, it corresponds to the email used in `work-gpg` associated to your private key. In consequence, a new, separate private key will be stored in `work` but it _does not_ correspond to your private key in `work-gpg`. Comparing the `fingerprint` or `expiration date` will show that they are not the same private key. In order to prevent Enigmail using this default generated local key in `work`, you can safely remove it. + +On a fresh Enigmail install, your need to change the default `Enigmail Junior Mode`. Go to Thunderbird preferences and then privacy tab. Select `Force Enigmail to S/MIME and Enigmail`. Then, in the preferences of Enigmail, make it pointing at `/usr/bin/qubes-gpg-client-wrapper` instead of the standard GnuPG binary: ![tb-enigmail-split-gpg-settings-2.png](/attachment/wiki/SplitGpg/tb-enigmail-split-gpg-settings-2.png) -**Warning:** By default, Enigmail could generate a default GPG key in `work` associated with the newly created Thunderbird account. Generally, it corresponds to the email used in -`work-gpg` associated to your private key. In consequence, you will obtain `gpg -K` in `work` being non-empty but it _does not_ correspond to your private key in `work-gpg`. 
-Comparing the `fingerprint` or `expiration date` will show that they are not the same private key. In order to prevent Enigmail using this defaut generated local key in `work`, you can safely remove it. - ## Using Git with Split GPG ## Git can be configured to used with Split GPG, something useful if you would like to contribute to the Qubes OS Project as every commit is required to be signed.
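Review bot: In PATCH 1/2, the added warning paragraph names what to compare (`fingerprint`, `expiration date`) but never states the actual risk, and contains the typo "defaut". The security-relevant point is that a key Enigmail generates inside `work` has its private part inside `work`, so anything Enigmail signs or encrypts with that key bypasses the Split GPG backend in `work-gpg` entirely; say that explicitly, because it is the reason the key must be removed rather than merely ignored. Suggest making the comparison concrete by listing the two commands side by side, `gpg -K` (the local keyring in `work`) next to `qubes-gpg-client-wrapper -K` (the key served from `work-gpg`), and replacing the open-ended "you can safely remove it" with the step itself: in `work`, `gpg --delete-secret-keys <fingerprint>` and then `gpg --delete-keys <fingerprint>` for the locally generated fingerprint. Also "associated to your private key" should read "associated with", and the hard line break inside the paragraph should go so the markdown renders as a single paragraph.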
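Review bot: In PATCH 2/2, several sentences in the rewritten section are ungrammatical or misleading as written and need fixing before merge. "in Thunderbird thought it's Enigmail addon" should read "in Thunderbird through its Enigmail add-on"; "your need to change" should be "you need to change"; "make it pointing at" should be "point it at"; "associated to" should be "associated with". The option name `Force Enigmail to S/MIME and Enigmail` does not read like a Thunderbird preference label; please check it against the actual Privacy tab and quote the label verbatim, since a reader following these steps will look for that exact string. The warning now asserts that Enigmail "will" generate a key where PATCH 1/2 said "could"; if generation depends on choices made during account setup, keep "may" or state the condition under which it happens. Finally, "Generally, it corresponds to the email used in `work-gpg` associated to your private key" is hard to parse; suggest "Its user ID will usually carry the same email address as your real key in `work-gpg`, which makes the two easy to confuse."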