Qubes Master Signing Key Architecture

The following post is a general question/theory post. Potentially someone who knows about the architecture/an actual qubes security team member could answer.

Main Question:

How do you store the QMSK?

Thoughs:

  1. Does one person have the device?
  2. I would imagine it was once under Mrs. Rutkowskas control, but now that she is emeritus, I imagine it is under Mr. Marczykowski-Goreckis possession now.
  3. A single owner of the QMSK seems like a large security vulnerability (I AM NOT CALLING ANYONE IN THE QUBES TEAM UNTRUSTWORTHY, I AM JUST WONDERING IF THERE IS A BETTER WAY TO STORE IT I AM NOT AWARE OF)
  4. (Less important) If the device is physical, which It obviously must be, where is it? Is it in bad jurisdiction?

My current final last thought:

Considering we should be inclined to always be increasing security how do they make sure that not one person is the sole custodian, if they do that. Or if they dont, are there ways to make it multi-custodian?

I have looked into Shamirs Secret Sharing Algorithm a bit, seems promising if the members can meet in person

THANK YOU TO ANYONE WHO RESPONDS AND COULD HELP ME UNDERSTAND BETTER :purple_heart:

It’s more a question of what is the alternative?

https://groups.google.com/g/qubes-devel/c/twkOEaMLtNI/m/lZyGx6_jFCEJ

Of course the canary doesn’t solve all the problems. E.g. if my signing
keys were somehow stolen without our knowledge, it wouldn’t help.
Neither it could help in case me being or becoming a miscreant. And
probably it doesn’t address many other potential problems, which could
only be solved one day with a multi-signature scheme. But anyway, until
that time, this is the best we can do, I think.

With the disclaimer that I have no idea of how the Qubes OS team manages those questions: just a small note to share that I have seen teams treat those topics with discretion as a matter of operational security. (I see that posture as related to the theory of deterrence, of which uncertainty is a key aspect.)

That is to say that few public details don’t necessarily mean that a process is brittle or that anything shady is going on.

You’ll often hear of secrecy as a bad practice in some security contexts, but it is worth keeping in mind what is true for a cryptographic algorithm is not necessarily true for an operational process.

This is something I have not considered. The possibility of a well made system existing but being kept from the public. I suppose there are some things we don’t know, or maybe shouldn’t know. I do believe that a well devised system could be made public (Shamirs Secret Sharing?), but I understand that if they see that the QMSK architecture works it should be fine. Since we have a root of trust in those individuals we should trust them to understand security measures.

1 Like

Last I heard, that’s the case:

Today, during a ceremony at an undisclosed location, Marek Marczykowski-GĂłrecki has received the Qubes Master Key from Joanna Rutkowska. pic.twitter.com/7PjXI5S2GH

— Qubes OS (@QubesOS) November 23, 2018

There’s an open issue for this:

1 Like

Thank you so much! @adw

1 Like