Proposal for Split GPG Improvement


While thinking about the problem that a user never knows what data is signed or decrypted while using Split GPG, the following things came to my mind:


  1. Why not send the (untrusted) data from the email qube to the gpg vault?
  2. Then we show the (untrusted) data in a dispvm launched out of the gpg vault.
  3. If the user continues, the data will get trusted.
  4. Now the signing begins, the data gets sent back to the email qube and is sent off (it can’t be changed afterwards, as the signature will become invalid).


  1. Send (untrusted) data to vault
  2. Decrypt (untrusted) data
  3. Show (untrusted) data in dispvm
  4. If user continues, data gets trusted
  5. Trusted data is sent back.
    If it wasn’t trusted, it won’t be sent back and therefore the attacker can’t use it.

Trusted here of course also means that the user wants to decrypt the data.
This would also enable one to detect an infection with a probably skilled attacker.

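
The two flows proposed in the post above, modelled as an added example that is not part of the original post and is not Qubes code. Assumptions: HMAC-SHA256 stands in for the GPG signature, the `confirm` callback stands in for the user reviewing the preview in the DispVM, and all function names are hypothetical.

```python
import hashlib
import hmac

VAULT_KEY = b"constructed-demo-key"  # stand-in for the private key kept in the vault


def render_untrusted(data: bytes) -> str:
    """Preview text for the reviewing qube. Control and non-ASCII bytes are
    escaped so the data cannot hide or rewrite parts of what the user sees."""
    return "".join(chr(b) if 32 <= b < 127 or b == 10 else f"\\x{b:02x}" for b in data)


def _sign(data: bytes) -> str:
    # HMAC-SHA256 stands in for the GPG signature (assumption of this sketch).
    return hmac.new(VAULT_KEY, data, hashlib.sha256).hexdigest()


def sign_after_review(data, confirm):
    """Signing flow: show the data, sign only if the user continues."""
    snapshot = bytes(data)  # freeze a copy: what is shown is what gets signed
    if not confirm(render_untrusted(snapshot)):
        return None  # declined: nothing leaves the vault
    return snapshot, _sign(snapshot)


def decrypt_after_review(ciphertext, decrypt, confirm):
    """Decryption flow: plaintext is sent back only if the user continues."""
    plaintext = decrypt(bytes(ciphertext))
    if not confirm(render_untrusted(plaintext)):
        return None  # declined: plaintext never reaches the email qube
    return plaintext


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(_sign(data), signature)


if __name__ == "__main__":
    mail = b"Hello Bob,\nmeet at 10.\n"  # constructed sample message
    ask = lambda preview: input(preview + "\nContinue? [y/N] ").lower() == "y"
    print(sign_after_review(mail, ask))
```

The copy taken before the preview matters: if the requesting side could still change the buffer while the user is reading, the signature would cover bytes the user never saw.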

I have heard this proposal in the past, even from Qubes team members. But I guess it never ended up being implemented.

@deeplow Interesting… I guess you don’t know why?

Nope. Try searching qubes-issues on GitHub, and if you can’t find it, you can open an enhancement proposal.


Thanks, will try!


If anyone is interested, I finally found the time to make an issue: