Improve Split GPG documentation #1890

Open
bnvk opened this Issue Apr 3, 2016 · 3 comments

bnvk commented Apr 3, 2016

Trying to configure Split GPG on my Qubes 3.1 install, I cannot get it to function. When I first started, I made sure I had qubes-gpg-split-dom0 installed in dom0. The Konsole said it was already installed, same for my Fedora 23 Template. However in Debian Standalone, I did need to install the package.

However, none of the AppVMs that I added the QUBES_GPG_DOMAIN=my-vault value to seem to function. Running both gpg -K and gpg2 -K returns nothing and seems to only be accessing the keychain in that VM.

Upon double checking in dom0 that the package was installed, I now see the following error (even after restarting machine).

[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time...
Running command on VM: 'sys-whonix'...
--> Running transaction check
---> Package qubes-gpg-split-dom0.x86_64 0:2.0.18-1.fc20 will be reinstalled
--> Finished Dependency Resolution
Existing lock /var/run/yum.pid: another copy is running as pid 3733.
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory :  43 M RSS (258 MB VSZ)
    Started: Sun Apr  3 12:29:30 2016 - 00:02 ago
    State  : Sleeping, pid: 3733
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory :  43 M RSS (258 MB VSZ)
    Started: Sun Apr  3 12:29:30 2016 - 00:04 ago
    State  : Sleeping, pid: 3733
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory :  43 M RSS (258 MB VSZ)
    Started: Sun Apr  3 12:29:30 2016 - 00:06 ago
    State  : Sleeping, pid: 3733
qubes-dom0-cached                                                                                                                      | 3.6 kB  00:00:00     
Package qubes-gpg-split-dom0-2.0.18-1.fc20.x86_64 already installed and latest version
Nothing to do
[user@dom0 ~]$ 
Member

marmarek commented Apr 3, 2016

> However, none of the AppVMs that I added the QUBES_GPG_DOMAIN=my-vault value to seem to function. Running both gpg -K and gpg2 -K returns nothing and seems to only be accessing the keychain in that VM.

That's expected behaviour. You need to call qubes-gpg-client-wrapper to
actually use split gpg. And configure applications you use to call this
instead of gpg/gpg2.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
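
A preflight check for the situation in this thread, added here as an example (not code from the Qubes project or from any commenter): it reports whether an application's configured GPG program will actually reach the Split GPG backend. The function name, messages and return codes are hypothetical, and it assumes the backend is selected through the QUBES_GPG_DOMAIN environment variable as in the report above.

```shell
#!/bin/sh
# Added example: diagnose why Split GPG appears to do nothing in an AppVM.
# Assumption: the backend VM is named via QUBES_GPG_DOMAIN (as in this issue).
# split_gpg_preflight and its return codes are hypothetical, not a Qubes tool.
#
# Usage (e.g. for git): split_gpg_preflight "$(git config --get gpg.program)"

split_gpg_preflight() {
    # $1: the program an application is configured to call for GPG operations
    app_gpg=${1:-gpg}

    # Step 1: the wrapper needs to know which VM holds the private keys.
    if [ -z "${QUBES_GPG_DOMAIN:-}" ]; then
        echo "QUBES_GPG_DOMAIN is not set: no backend VM to forward requests to"
        return 1
    fi

    # Step 2: the client side of Split GPG must be installed in this VM.
    if ! command -v qubes-gpg-client-wrapper >/dev/null 2>&1; then
        echo "qubes-gpg-client-wrapper not found in PATH of this VM"
        return 2
    fi

    # Step 3: setting the variable does not change what gpg/gpg2 do.
    # Only the Split GPG client programs forward requests to the backend.
    case "${app_gpg##*/}" in
        qubes-gpg-client-wrapper|qubes-gpg-client)
            echo "ok: '$app_gpg' forwards requests to $QUBES_GPG_DOMAIN"
            return 0
            ;;
        *)
            echo "'$app_gpg' only reads the local keyring;" \
                 "configure the application to call qubes-gpg-client-wrapper"
            return 3
            ;;
    esac
}
```
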

bnvk commented Apr 3, 2016

@marmarek ah right, thanks for clarifying. I will tweak the docs page to make this a lil more clear!

bnvk self-assigned this Apr 3, 2016

bnvk added the C: doc label Apr 3, 2016

bnvk changed the title from "Unable to get Split GPG to function" to "Improve Split GPG documentation" Apr 3, 2016

andrewdavidwong added this to the Documentation/website milestone Apr 6, 2016

Member

mfc commented May 24, 2016

It would probably be useful in the documentation to have each step be numbered, to avoid these types of issues (I also had issues by accidentally skipping a step).

More generally, it may be good to also have a "good practices" section or something. For example, similar to a pgp smartcard, it probably makes sense to shut down your split-gpg vm when you are away from your computer, in order to prevent potentially malicious vms from hammering your split-gpg to decrypt things (given the split-gpg access log has no timestamps).
