Confused about split-gpg gui under 4.2

Hi, I am getting around to migrating to Qubes 4.2 and have a bit of a brain block figuring out the way to set up split-gpg on it. I am likely dense, but all the guides seem to cover the 4.1 method and don't include the new GUI.

What I have done so far

In the GUI: enabled split gpg and set that all qubes can ask for access to key-vault
</grgr_replace>
<gr_replace lines="9" cat="clarify" orig="on my thunderbird">
On my Thunderbird VM: /rw/config/gpg-split-domain contains key-vault

on my thunderbird vm: /rw/config/gpg-split-domain contains key-vault

On my key-vault VM: .profile for "user" contains export QUBES_GPG_AUTOACCEPT=86400

This so far sort of works but not properly.

  1. Thunderbird VM will prompt me to choose which vault contains my keys
  2. I will be prompted to accept the access to the domain for 1 day
  3. Each and every encrypted email I look at I am prompted to select which domain contains my gpg keys

From the 4.1 guide linked to in the community guides, and in the split-gpg GUI in dom0, there is the option to set /etc/qubes-rpc/policy/qubes.Gpg to include something along the lines of @anyvm @anyvm ask,default_target=key-vault, but that seems not to be correct now, given that the split gpg GUI has a policy for qubes.Gpg and /etc/qubes-rpc/policy/qubes.Gpg does not exist.

If I try to modify the GUI to include a default domain, I get a parsing error:

qubes.Gpg * @anyvm key-vault ask,default_target=key-vault

Is there something I am overlooking to get my Thunderbird domain to stop asking me to pick the AppVM my keys exist in?

This policy format has been deprecated since 4.2.
As a starting point, you can use the new qubes-split-gpg2 and follow the installation steps from the GitHub repo:

For reference, the package is named split-gpg2 in templates and split-gpg2-dom0 in dom0.

As for Thunderbird, I can’t really help since I’ve never used it with this setup.

I see. So what is the point of the GUI setup in dom0 that comes with 4.2 if it has been deprecated?

The policy format and the file path in your post, which come from the guide, are deprecated. The GUI creates a custom file with the new policy format in /etc/qubes/policy.d/50-config-splitgpg.policy

The only issue here is that it uses the “old” version and not the new one. So if you want to use split-gpg2, you need to create a new file in the policy.d directory with the policy provided in the configuration steps from the github repo.

Ah ok, I understand now.

So I think my only issue is how to use the GUI to tell the qubes they should default to "key-vault", which at the moment I am being made to choose on each encrypted mail access.

As far as I can see, you are not able to use “default_target” from the GUI.

If you want this to happen, you need to create a new file with a higher priority.

For example, you can create this file /etc/qubes/policy.d/30-user-splitgpg.policy with this in it:

qubes.Gpg	*	@anyvm	key-vault	ask	default_target=key-vault

Thanks, that did help in that it now knows to pre-select the key-vault, though it still asks for it on each email read.

If you want to get rid of the confirmation window, you can change ask to allow and default_target= to target=, but this would mean that all qubes will be able to access your key-vault qube without any confirmation. So be sure to change @anyvm to the name of the qube you use to read your mails.
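As an added example (not from any post in this thread), the two variants described above written out as a complete policy.d file: the weak form that lets every qube use the vault without a prompt, commented out, next to a hardened form that grants unprompted access only to the mail qube and keeps the confirmation dialog (with the vault pre-selected) for everything else. The qube names "thunderbird" and "key-vault" are assumed; POLICY_DIR is overridable so the script can be dry-run outside dom0, the real location being /etc/qubes/policy.d. The 30- prefix matters because policy files are read in lexical order and the first matching rule wins, so this file is consulted before the GUI-managed 50-config-splitgpg.policy.

```shell
#!/bin/sh
# Added example, not code from the thread or the Qubes project.
# Assumed names: "thunderbird" (mail qube) and "key-vault" (vault qube).
# POLICY_DIR defaults to the real dom0 location; override it to dry-run elsewhere.
POLICY_DIR="${POLICY_DIR:-/etc/qubes/policy.d}"

# Write a user policy file that is evaluated before the GUI-managed 50- file.
# Rule format (Qubes 4.2): service  +argument  source  destination  action  [params]
write_splitgpg_policy() {
    mail_qube="$1"
    vault="$2"
    out="$POLICY_DIR/30-user-splitgpg.policy"
    cat > "$out" <<EOF
# Weak variant (what "change ask to allow and default_target= to target=" with
# @anyvm gives you): every qube may talk to the vault without a prompt.
# qubes.Gpg	*	@anyvm	$vault	allow	target=$vault

# Hardened variant: only the mail qube gets unprompted access ...
qubes.Gpg	*	$mail_qube	$vault	allow	target=$vault
# ... every other qube still gets the confirmation dialog, vault pre-selected.
qubes.Gpg	*	@anyvm	$vault	ask	default_target=$vault
EOF
    echo "$out"
}

# Minimal sanity check on the file just written: each non-comment rule must
# have 5 or 6 whitespace-separated fields and an action of allow/ask/deny.
# This is not a substitute for the real qrexec policy parser in dom0.
check_splitgpg_policy() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '{
            if (NF < 5 || NF > 6) bad++
            if ($5 != "allow" && $5 != "ask" && $5 != "deny") bad++
         }
         END { exit (bad > 0) }'
}

# Usage in dom0 (as root): write_splitgpg_policy thunderbird key-vault
```

After writing the file, reading an encrypted mail in the "thunderbird" qube should no longer prompt, while any other qube that calls qubes.Gpg still gets the dialog.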

nice thank you for all this!

And is there a way to still keep the ask and, like the old method, have a time limit à la the old QUBES_GPG_AUTOACCEPT?

Am I missing documentation for the policy.d/*-splitgpg.policy files? If not, I can look into creating something, but I can't be the only one who wants this sort of setup, so I guess I am missing it :slight_smile:

I just tried to recreate your setup @curbs94 but I didn't manage to do so. Thunderbird is telling me "the secret key to decrypt this message is not available".
Do you have any idea what my problem is? I would be happy to even arrive at the point where you started this topic :slight_smile:
My setup

  • Split gpg enabled in the Qubes global config GUI
  • Config file in the thunderbird-vm contains key-vault
  • Thunderbird is configured to use an external PGP key as described in Split GPG | Qubes OS

I am sorry for spamming this question in your topic; I don't know if this is the right way to use this forum.

Anyways, would be happy to get help