qusal/salt/vault/README.md

47 lines
1.1 KiB
Markdown
Raw Normal View History

2023-11-13 09:33:28 -05:00
# vault
Vault environment in Qubes OS.
## Table of Contents
* [Description](#description)
* [Installation](#installation)
* [Usage](#usage)
2023-11-13 09:33:28 -05:00
## Description
An offline qube will be created and named "vault", it will have a password
manager for high entropy passwords, PGP and SSH client for creating private
keys.
## Installation
* Top:
2023-11-13 09:33:28 -05:00
```sh
sudo qubesctl top.enable vault
sudo qubesctl --targets=tpl-vault state.apply
sudo qubesctl top.disable vault
sudo qubesctl state.apply vault.appmenus
2023-11-13 09:33:28 -05:00
```
* State:
2023-11-13 09:33:28 -05:00
<!-- pkg:begin:post-install -->
2023-11-13 09:33:28 -05:00
```sh
sudo qubesctl state.apply vault.create
sudo qubesctl --skip-dom0 --targets=tpl-vault state.apply vault.install
sudo qubesctl state.apply vault.appmenus
2023-11-13 09:33:28 -05:00
```
2023-11-13 09:33:28 -05:00
<!-- pkg:end:post-install -->
## Usage
The intended usage is to hold passwords and keys. You should copy the keys
generated from the vault to another qube, which can be a split agent
server for SSH, PGP, Pass. A compromise of the client qube can escalate into a
compromise of the qubes it can run RPC services, therefore a separate vault is
appropriate according to your threat model.