Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2024-09-20 17:25:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
bfd7b228c5
qusal/salt/sys-pgp
History
Ben Grande f9ead06408 fix: remove extraneous package repository updates 
Updates happens multiple times, normally 2 to 3, even if we consider a
state without includes. On states with multiple includes, it could
easily get approximately 10 updates being ran. This behavior leads to
unnecessary network bandwidth being spent and more time to run the
installation state. When the connection is slow and not using the
cacher, such as torified connections on Whonix, the installation can
occurs much faster.

Adding external repositories has to be done prior to update to ensure it
is also fetched.

Fixes: https://github.com/ben-grande/qusal/issues/29
2024-03-18 17:51:36 +01:00
..
files/admin/policy fix: strict split-gpg2 service 2023-12-28 11:47:41 +01:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls chore: copyright update 2024-01-29 16:49:54 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls fix: remove extraneous package repository updates 2024-03-18 17:51:36 +01:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: prefix qubesctl with sudo 2024-02-23 16:55:11 +01:00

README.md

sys-pgp

PGP operations through Qrexec in Qubes OS.

Table of Contents

Description

Creates a PGP key holder named "sys-pgp", it will be the default target for split-gpg and split-gpg2 calls for all qubes. Keys are stored in "sys-pgp", and access to them is made from the client through Qrexec.

Installation

  • Top:
sudo qubesctl top.enable sys-pgp
sudo qubesctl --targets=tpl-sys-pgp,sys-pgp state.apply
sudo qubesctl top.disable sys-pgp
  • State:
sudo qubesctl state.apply sys-pgp.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-pgp state.apply sys-pgp.install
sudo qubesctl --skip-dom0 --targets=sys-pgp state.apply sys-pgp.configure

Install on the client template:

sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder,tpl-dev state.apply sys-pgp.install-client

The client qube requires the split GPG client service to be enabled:

qvm-features QUBE service.split-gpg2-client

Access Control

Default policy: any qube can ask via the @default target if you allow it to use split-gpg in sys-pgp.

Allow the work qubes to access sys-pgp, but not other qubes:

qubes.Gpg2 * work   sys-pgp  ask default_target=sys-pgp
qubes.Gpg2 * work   @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm   deny

Usage

Consult upstream documentation on how to use split-gpg.