Advanced Split GPG: Can't create subkey

I am trying to set up split-gpg with subkeys, as described in the section "Advanced: Using Split GPG with Subkeys" of Split GPG | Qubes OS.

But I can’t create the subkey.


In the vault VM, I create a master key:

[user@vault ~]$ gpg2 --full-generate-key

Then in the work-gpg VM, I cannot create a subkey of the master key in the vault VM:

[user@work-gpg ~]$ echo "export QUBES_GPG_DOMAIN=vault" > ~/.profile
[user@work-gpg ~]$ qubes-gpg-client --list-keys
/home/user/.gnupg/pubring.kbx
pub XXXXXX YYYY-MM-DD [SC]
       <something>
uid              [ultimate] xxxxxxxxxx
[user@work-gpg ~]$ qubes-gpg-client --edit-key <something>
qubes-gpg-client: unrecognized option `--edit-key`
[user@work-gpg ~]$ gpg2 --edit-key <something>
gpg (GnuPG) 2.2.27; Copyright ...
...
gpg: key "<something>" not found: No public key

How do I create the subkey?

I initially thought the guide meant this:

  1. Within the vault VM, create the master key with gpg2
  2. Within the work-gpg VM, create subkey of the master key with qubes-gpg-client

But maybe the guide actually means this:

  1. Within the vault VM, create the master key with gpg2
  2. Within the vault VM, create a subkey of the master key with gpg2
  3. qvm-copy the private part of the subkey from vault VM to the work-gpg VM
  4. qvm-copy the public part of the subkey from vault VM to the work VM

The guide says:

work-gpg

  • This is a network-isolated VM. This VM is used only as the GPG backend for work-email. The secret subkeys (but not the master secret key) are copied from the vault VM to this VM. Files from less trusted VMs are never copied into this VM under any circumstances.

So I am at least supposed to copy the secret part of the subkey from the vault VM to the work-gpg VM.
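
An added example, not part of the original post or the Qubes guide: however the subkeys reach work-gpg, the guide's requirement that the master secret key stays in the vault can be checked from GnuPG's colon-format listing. The function name, status strings and sample keyring lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a GPG backend qube holds secret subkeys only.
# Input is the output of: gpg2 --with-colons --list-secret-keys
# Field 15 of a "sec"/"ssb" record is "#" when only a stub is stored
# (secret material absent); "+" or a token serial means it is available.

check_subkeys_only() {
    awk -F: '
        $1 == "sec" { primaries++; if ($15 != "#") master++ }
        $1 == "ssb" && $15 != "#" { subkeys++ }
        END {
            if (!primaries) { print "NO_SECRET_KEYS";        exit 2 }
            if (master)     { print "MASTER_SECRET_PRESENT"; exit 1 }
            if (!subkeys)   { print "NO_USABLE_SUBKEYS";     exit 3 }
            print "SUBKEYS_ONLY"
        }'
}

# Constructed sample: a keyring that still contains the master secret key.
sample_with_master() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1700000000:::u:::scESC:::+:::23::0:
uid:u::::1700000000::::Example User <user@example.invalid>:
ssb:u:4096:1:2222222222222222:1700000000::::::e:::+:::23:
EOF
}

# Constructed sample: a keyring populated from "gpg2 --export-secret-subkeys"
# output, so the primary key is only a stub ("#") and the subkey is usable.
sample_subkeys_only() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1700000000:::u:::scESC:::#:::23::0:
uid:u::::1700000000::::Example User <user@example.invalid>:
ssb:u:4096:1:2222222222222222:1700000000::::::e:::+:::23:
EOF
}

# Run the check over both constructed samples.
for s in sample_with_master sample_subkeys_only; do
    printf '%s: %s\n' "$s" "$($s | check_subkeys_only)"
done

# Live use inside the backend qube:
#   gpg2 --with-colons --list-secret-keys | check_subkeys_only
```

The function exits 0 only for `SUBKEYS_ONLY`, so it can gate a provisioning script for the backend qube.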