Hi I am getting around to migrating to qubes 4.2 and have a bit of a brain block figuring out the way to setup split-gpg on it. I am likely dense but all the guides seem to cover 4.1 method and don’t include the new gui.
What I have done so far
in the gui: enabled splig gpg and set all qubes can ask for access to key-vault
on my thunderbird vm: /rw/config/gpg-split-domain contains key-vault
on my key-vault vm: .profile for “user” contains export QUBES_GPG_AUTOACCEPT=86400
This so far sort of works but not properly.
Thunderbird VM will prompt me to choose which vault contains my keys
I will be prompted to accept the access to the domain for 1 day
Each and every encrypted email I look at I am prompted to select which domain contains my gpg keys
From 4.1 guide linked to in the community guides and in the split-gpg gui in dom0 there is the option to set /etc/qubes-rpc/policy/qubes.Gpg to include along lines of @anyvm @anyvm ask,default_target=key-vault but that seems to not be correct now given the split gpg gui has a policy for qubes.Gpg and /etc/qubes-rpc/policy/qubes.Gpg does not exist
If I try to modify the gui to include a default domain I get a parsing error
This policy format has been deprecated since 4.2.
As a starting point, you can use the new qubes-split-gpg2 and follow the installation steps from the github repo:
For reference, the package is named split-gpg2 in templates and split-gpg2-dom0 in dom0.
As for Thunderbird, I can’t really help since I’ve never used it with this setup.
The policy format and the file path in your post coming from the guide are deprecated. The GUI creates a custom file with the new policy format in /etc/qubes/policy.d/50-config-splitgpg.policy
The only issue here is that it uses the “old” version and not the new one. So if you want to use split-gpg2, you need to create a new file in the policy.d directory with the policy provided in the configuration steps from the github repo.
So I think my only issues is how to use the GUI to tell the qubes they should default to “key-vault” which at the moment I am being made choose on each encrypted mail access.
If you want to get rid of the confirmation window, you can change ask to allow and default_target= to target=, but this would mean that all qubes will be able to access your key-vault qube without any confirmation. So be sure to change @anyvm to the name of the qube you use to read your mails.
And is there a way to still keep the ask and like the old method have a time limit ala the old QUBES_GPG_AUTOACCEPT
Am I missing documentation for the policy.d/*-splitgpg.policy files, if not I can look into creating something but I’m can’t be the only one who wants this sort of setup so I guess I am missing
I just tried to recreate your setup @curbs94 but i didnt managed to do so. Thunderbird is telling me “the secret key to decrypt this message is not available”
Do you have any idea what my problem is. I would be happy do even arrive at the point where you started this topic
My setup
Split gpg enabled in qubes global config gui
Config-file in thunderbird-vm contains to key-vault
thunderbird is configured to use external pgp-key as described in Split GPG | Qubes OS
I am sorry for spamming this question in your topic, i dont know if this is the right way to use this forum.
