Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-01-23 05:41:29 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat: add split-gpg2 configuration

Browse Source 
Users must migrated their keys from ~/.gnupg to the value of
isolated_gnupg_homedirs.
This commit is contained in:
Ben Grande 2024-06-17 14:26:41 +02:00
parent 59e8fc32a0
commit 1a72665a40
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
3 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
salt/dotfiles

@ -1 +1 @@
Subproject commit 09bb64f6526aa66da031e3fa2316732d4a1ea802
Subproject commit 39a4938fb67d43af134f2effc419897dbfab40da

3
salt/qubes-builder/files/admin/policy/default.policy
View File

@ -5,9 +5,8 @@
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
qubes.Gpg2 * {{ sls_path }} @anyvm deny
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git

24
salt/sys-pgp/README.md
View File

@ -59,5 +59,25 @@ qubes.Gpg2 * @anyvm @anyvm deny
## Usage
Consult [upstream documentation](https://www.qubes-os.org/doc/split-gpg/) on
how to use split-gpg.
Consult [upstream documentation](https://github.com/ben-grande/qubes-app-linux-split-gpg2) on
how to use split-gpg2.
Save your PGP keys to `sys-pgp`, using isolated GnuPG home directory per qube
at `~/.gnupg/split-gpg/<QUBE>`.
On `dom0`, enabled the service `split-gpg2-client` for the client qube `dev`:
```sh
qvm-features dev service.split-gpg2-client 1
```
On the qube `sys-pgp`, generate or import keys for the client qube `dev`:
```sh
mkdir -p ~/.gnupg/split-gpg/dev
gpg --homedir ~/.gnupg/split-gpg/dev --import /path/to/secret.key
gpg --homedir ~/.gnupg/split-gpg/dev --list-secret-keys
```
On the qube `dev`, import the public part of your key:
```sh
gpg --import /path/to/public.key
```