What is the canonical usage method for OpenPGP in QubesOS?
Is split PGP ready, or is it WIP and right now the best we can do
GPG as in any Linux system?
I take this to mean
- Split GPG is work in progress - aiming to be part of QubesOS
- As of now (Aug 2013) the best QubesOS users can do is use GPG as
would on any GNU/Linux system.
Actually, the best a Qubes user might do, is to... submit some
to make real Split GPG working as described in the ticket
But generally, even if you don't use split GPG, Qubes OS still offers
some advantages, such as e.g. you can generate and keep the master
in your "vault" AppVM (e.g. network disconnected) and use it to sign
your short-term keys that are to be kept in normal AppVMs. The key
export could be then done easily via qvm-copy-to-vm (but *never*
keys to your super-secret vault AppVM, only export from it!).
That sounds like reasonably secure and not too unusable. Can you point
to any decent HOWTO online on the steps required to achieve this
offline-long-term-key and exposed-short-term-keys setup?
Take a look at the regular GnuPG docs, they talk there about a scenario
with using a separate machine for your long-term keys, IIRC.
So the docs under http://gnupg.org/documentation/howtos.en.html do not
explicitly cover this scenario - the closest one is the smartcard HOWTO,
but it's convoluted.
I found https://alexcabal.com/creating-the-perfect-gpg-keypair/ which I
think describes the scenario you have in mind. Just treat your
AppVMs as the "laptop" of the blog post. Appears to work ok, not sure
keysigning, interaction with keyservers etc. If I ever understand how
whole mess works, I might even do a writeup. Just so that I never, ever
have to figure this out again!
I maintain a document that describes how to do this:
It is not Qubes OS specific, and in fact assumes you want to use a
smartcard, which might not be the case, so skip those bits.
Also, use your vault vm instead of booting into an offline livecd as
Thanks for this abel - I see that figuring out how to sign other people's
keys is on the TODO list
I have a setup that works for me now, but it seems that signing other
people's keys and uploading to the keyserver will be a long and tricky
process... Is anyone using this setup on a day to day basis and can advise
on how to make signing other people's keys reasonably usable?
For now, as Joanna stated, I don't sign other people's keys. I don't
like to use the public WOT (keyservers) anyways.
In the one or two cases where I really did need to sign another key, I
made a duplicate of my USB key, using dd, that contains my "clean room"
OS and an encrypted partition with my master key. Then I booted, signed
the key in question, exported it via another usb stick or sd card, and
finally, destroyed the duplicate USB key.
The computer that I was booting on had its networking hardware removed.
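
The layout discussed in this thread (master key kept in the vault, short-term subkeys exported to normal AppVMs), as an added example that is not from any poster in the thread. Two throwaway keyring directories stand in for the vault AppVM and a networked AppVM; the UID, algorithms, one-year expiry and empty passphrase are constructed demo values, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: offline master key, exported subkeys. Constructed demo values.
set -eu

# Run gpg non-interactively against one keyring directory ($1).
# The empty passphrase is for the demo only; protect real keys.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# In the "vault": certify-only master key plus signing and encryption
# subkeys that expire after a year. Prints the master fingerprint.
make_vault() {
    g "$1" --quick-generate-key 'Demo User <demo@example.invalid>' \
        ed25519 cert never >/dev/null
    fpr=$(g "$1" --list-keys --with-colons |
          awk -F: '$1 == "fpr" { print $10; exit }')
    g "$1" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
    g "$1" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null
    echo "$fpr"
}

# Export only the secret subkeys from the vault ($1) and import them into
# the AppVM keyring ($2). On Qubes the file would cross with qvm-copy-to-vm,
# always in the vault -> AppVM direction.
move_subkeys() {
    out="$1/subkeys.asc"
    g "$1" --armor --export-secret-subkeys "$3" > "$out"
    g "$2" --import "$out"
}

# Summarise secret material in a keyring: "sec#" means the master secret
# key is only a stub (absent), which is what the AppVM must show.
secret_state() {
    g "$1" --list-secret-keys --with-colons | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            s = s (s ? " " : "") $1 ($15 == "#" ? "#" : "") }
        END { print s }'
}

VAULT=$(mktemp -d); APPVM=$(mktemp -d)   # throwaway keyrings
FPR=$(make_vault "$VAULT")
move_subkeys "$VAULT" "$APPVM" "$FPR"
echo "vault: $(secret_state "$VAULT")"   # master secret present
echo "appvm: $(secret_state "$APPVM")"   # master secret absent
```

The AppVM keyring can sign and decrypt with its subkeys but cannot certify other keys or create new subkeys, since those operations need the master secret that stays in the vault.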