Keep in mind that there already is a default vault VM in the setup that comes with KeePass(XC).
I think setting up split-GPG and split-SSH should be optional to make the transition from other operating systems easier. As much as I like these possibilities with Qubes, they are indeed advanced configuration topics.
What I do see is a chance to promote the possibilities of Qubes with these concepts, because their security advantage is clear to understand and it nicely shows how VMs can cooperate to achieve more then just being a hypervisor platform with different machines.
So far, I haven’t set up split-GPG myself but from the docs, it looks pretty straightforward. If split-SSH would one day be just as easy to set up, accompanied by a nice official documentation, this would imho be the best variant.
This is why I am raising this topic. If it is an unique and powerful feature of Qubes but tricky to setup than I would like to see it as default installation option.
I didn’t mean advanced in terms of “they require some knowledge and are tricky to set up” but more in the “they are something for people who want to tweak their Qubes even further” way.
I wanted to write that I do indeed like the idea of having them as a configuration option, just like you can currently decide if you want to have a vault VM or a USB VM. But the longer I think about this, the more I doubt it’s easily feasible.
Which VM should be the default GPG client domain? The mail VM?
What if a user wants to use GPG somewhere else, e.g., in a work VM to encrypt some files?
What if a user has more than one mail VM, one for work and one for private use?
Same holds for SSH. Should only one appVM be the pre-defined SSH client? What if a user wants to use split-SSH in multiple domains?
What if a user creates several VMs after the first installation, should they be auto-configured?
Which should be the VM where SSH and PGP keys are stored? All in one single vault VM, as I decided for my personal use case? Or should Qubes, as an OS with reasonable security in mind, propose to create three different vault VMs? They would all need to be running, possibly at the same time and increase the performance required to have an optimal Qubes experience.
There’s soo many options which the Qubes installer can’t simply decide for the user. Neither can it all ask them, because people would drop out of using Qubes before they even get started if they see so many questions they don’t even understand.
All in all, I think the situation with split-GPG is the best we can do.
I just skimmed the official documentation on it. Official packages for both the template VM and dom0 take over most of the manual steps currently required for split-SSH. Everything else that still needs a manual choice of the user (“which VM should be your GPG/SSH backend”?) is clearly documented.
If we could get split-SSH at the same level, I think most user interested in using it could get it started.
The installation guide in the official documentation could maybe get a section “Advanced configurations” at the end (there already is a “Next steps” section anyway).
Regarding installation guides I always liked the Arch Linux wiki and their installation guide. Here’s you to a basic working operating system and has lots of cross-links to other interesting topics for further configuration.
I am not criticizing idea but many users don’t use default appvm’s. For eg. in my case I use VM arising out of minimal templates with customization for everything. So having a default vault vm will most likely benefit only limited users(I may be biased but I want to say limited new users) only.
I would argue the opposite. In any typical system most users are not advanced. But we still need insight onto who are Qubes users / Desired target users. Only user studies / Questionnaires will be able to answer those.