qusal/salt/sys-pgp
Ben Grande 422b01e0f6 feat: remove audiovm setting when unnecessary
Decrease audio attack surface to qubes that will never need to use it.
2024-01-20 19:34:39 +01:00
..
files/admin/policy fix: strict split-gpg2 service 2023-12-28 11:47:41 +01:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls feat: remove audiovm setting when unnecessary 2024-01-20 19:34:39 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls fix: modify package names to match Qubes 4.2 2023-12-27 20:00:15 +01:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md fix: strict split-gpg2 service 2023-12-28 11:47:41 +01:00

sys-pgp

PGP operations through Qrexec in Qubes OS.

Table of Contents

Description

Creates a PGP key holder named "sys-pgp", it will be the default target for split-gpg and split-gpg2 calls for all qubes. Keys are stored in "sys-pgp", and access to them is made from the client through Qrexec.

Installation

  • Top:
qubesctl top.enable sys-pgp
qubesctl --targets=tpl-sys-pgp,sys-pgp state.apply
qubesctl top.disable sys-pgp
  • State:
qubesctl state.apply sys-pgp.create
qubesctl --skip-dom0 --targets=tpl-sys-pgp state.apply sys-pgp.install
qubesctl --skip-dom0 --targets=sys-pgp state.apply sys-pgp.configure

Install on the client template:

qubesctl --skip-dom0 --targets=tpl-qubes-builder,tpl-dev state.apply sys-pgp.install-client

The client qube requires the split GPG client service to be enabled:

qvm-features QUBE service.split-gpg2-client

Access Control

Default policy: any qube can ask via the @default target if you allow it to use split-gpg in sys-pgp.

Allow the work qubes to access sys-pgp, but not other qubes:

qubes.Gpg2 * work   sys-pgp  ask default_target=sys-pgp
qubes.Gpg2 * work   @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm   deny

Usage

Consult upstream documentation on how to use split-gpg.