mirror of
https://github.com/ben-grande/qusal.git
synced 2024-10-01 02:35:49 -04:00
# sys-pgp

PGP operations through Qrexec in Qubes OS.
## Description
Creates a PGP key holder named "sys-pgp"; it becomes the default target for split-gpg and split-gpg2 calls from all qubes. The private keys never leave "sys-pgp": client qubes reach them only through Qrexec calls, which are subject to the dom0 policy described under Access Control.
## Installation

- Top:

```sh
qubesctl top.enable sys-pgp
qubesctl --targets=tpl-sys-pgp,sys-pgp state.apply
qubesctl top.disable sys-pgp
```

- State:

```sh
qubesctl state.apply sys-pgp.create
qubesctl --skip-dom0 --targets=tpl-sys-pgp state.apply sys-pgp.install
qubesctl --skip-dom0 --targets=sys-pgp state.apply sys-pgp.configure
```
Install on the client template:

```sh
qubesctl --skip-dom0 --targets=tpl-qubes-builder,tpl-dev state.apply sys-pgp.install-client
```

The client qube requires the split GPG client service to be enabled (the trailing `1` sets the feature; without a value `qvm-features` only reads it):

```sh
qvm-features QUBE service.split-gpg2-client 1
```
## Access Control

Default policy: any qube can ask via the `@default` target if you allow it to use split-gpg in `sys-pgp`.
Allow the `work` qubes to access `sys-pgp`, but not other qubes:

```
qubes.Gpg2 * work sys-pgp ask default_target=sys-pgp
qubes.Gpg2 * work @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm deny
qubes.Gpg * work sys-pgp ask default_target=sys-pgp
qubes.Gpg * work @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg * @anyvm @anyvm deny
```
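To see why the rule order above matters, here is a small first-match evaluator for those six lines. It is an added example, not code from qusal or from the Qubes qrexec-policy daemon: it models only the subset of the policy grammar used here (`*` as the argument wildcard, `@anyvm` as the source/target wildcard, `@default` for calls that name no target, and the `target=` parameter that redirects a call). Real policy evaluation in dom0 is done by qrexec, which supports more token types than this toy.

```python
"""First-match evaluation of the qrexec policy lines from the README.

Added example (not part of qusal). Models a subset of the policy grammar:
  service argument source target action [key=value ...]
The first rule whose service/argument/source/target all match decides the
outcome; a call that matches no rule is denied, as qrexec does.
"""
from dataclasses import dataclass, field

# The policy exactly as given in the README above.
POLICY = """\
qubes.Gpg2 * work sys-pgp ask default_target=sys-pgp
qubes.Gpg2 * work @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm deny
qubes.Gpg * work sys-pgp ask default_target=sys-pgp
qubes.Gpg * work @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg * @anyvm @anyvm deny
"""


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict = field(default_factory=dict)


def parse_policy(text: str) -> list[Rule]:
    """Parse policy lines into Rule objects; blank lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {line!r}")
        params = dict(p.split("=", 1) for p in fields[5:])
        rules.append(Rule(*fields[:5], params))
    return rules


def _source_matches(pattern: str, source: str) -> bool:
    return pattern == "@anyvm" or pattern == source


def _target_matches(pattern: str, target: str) -> bool:
    # @anyvm in the target column is the catch-all: it also covers calls
    # that named no target (@default), which is what makes the deny rules final.
    return pattern == "@anyvm" or pattern == target


def evaluate(rules: list[Rule], service: str, source: str,
             target: str = "@default", argument: str = "+") -> tuple[str, str]:
    """Return (action, effective_target) for a call; first matching rule wins."""
    for r in rules:
        if (r.service == service
                and (r.argument == "*" or r.argument == argument)
                and _source_matches(r.source, source)
                and _target_matches(r.target, target)):
            # A target= parameter overrides whatever the caller asked for.
            return r.action, r.params.get("target", target)
    return "deny", target  # no rule matched: qrexec denies by default


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for svc, src, tgt in [("qubes.Gpg2", "work", "sys-pgp"),
                          ("qubes.Gpg2", "work", "@default"),
                          ("qubes.Gpg2", "work", "personal"),
                          ("qubes.Gpg2", "personal", "sys-pgp"),
                          ("qubes.Gpg", "personal", "@default")]:
        print(f"{svc} {src} -> {tgt}: {evaluate(rules, svc, src, tgt)}")
```

Running it shows the intended least-privilege shape: `work` reaches `sys-pgp` directly or via `@default` (both prompt, and the `@default` call is redirected to `sys-pgp`), `work` cannot reach any other qube for these services, and every other source qube falls through to the `@anyvm @anyvm deny` line. Putting the deny line first would silence the whole policy, which is the usual mistake to check for when editing `/etc/qubes/policy.d` files in dom0.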
## Usage

Consult upstream documentation on how to use split-gpg.