Hi,
I am currently trying to set up split-gpg2 by following this documentation.

- In dom0 I installed `split-gpg2-dom0`.
- In my gpg-vault (based on debian minimal) I only installed `gnupg` and `split-gpg2`.
- In my gpg-client (based on debian minimal) I also installed `gnupg` and `split-gpg2`.
- I have enabled the `split-gpg2-client` service for my gpg-client. `qvm-service gpg-client split-gpg2-client` returns `split-gpg2-client on`.
- I added the corresponding lines in /etc/qubes/policy.d/30-user-gpg2.policy.
- I generated new keys (with no password) in the gpg-vault, and exported & imported the secret-keys-export and ownertrust-export in my gpg-client (as explained in the documentation).
- Running `gpg --list-keys` prints my correct gpg public key.
- However, running `gpg -K` fails:
```
user@q-ssh:~$ gpg -K -vvv
gpg: using character set 'iso-8859-1'
gpg: using pgp trust model
gpg: key 8D6C17887446EB90: accepted as trusted key
gpg: no running gpg-agent - starting '/usr/share/split-gpg2/gpg-agent-placeholder'
gpg: removing stale lockfile (created by 1563)
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: waiting for the agent to come up ... (3s)
gpg: waiting for the agent to come up ... (2s)
gpg: waiting for the agent to come up ... (1s)
gpg: can't connect to the agent: End of file
```
The qubes policy file is correct because if the gpg-vault is not started and I run `gpg -K`, then the gpg-vault gets started.
I did not follow the "old" split-gpg documentation, so I also didn't install qubes-gpg-split etc., because based on my (limited) understanding the old configs should not be needed anymore (?)
Edit: I think I was wrong. While the gpg-vault got started every time I ran `gpg -K` in the client, it now doesn't anymore. Also, if I run `gpg --list-private-keys` in the gpg-vault, I get this error a lot of the time:
"Denied: qubes.Gpg2 from gpg-vault to @default"
This is my /etc/qubes/policy.d/30-user-gpg2.policy:
```
qubes.Gpg2 + gpg-client @default allow target=gpg-vault
```
The service `split-gpg2-client` in the gpg-client is still on.
Another question: do I have to install `split-gpg2` both in gpg-vault and gpg-client?
Next day:
I tried some things again. Now, the first time I run `gpg -K` in gpg-client it starts the gpg-vault, then I get the error again:
"Denied: qubes.Gpg2 from gpg-vault to @default"
I'd now like to understand this syntax: what does the @allow really mean? How can the "+" part be interpreted?
```
qubes.Gpg2 + gpg-client @default allow target=gpg-vault
```
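To make the meaning of the policy line in this post concrete, here is an added example (not code from the post, nor from the Qubes project) that models a small subset of the Qubes 4.1 RPC policy syntax: literal service names, the argument field (`+` alone = empty argument, `*` = any, `+foo` = literal `foo`), literal source/target names and `@default`, and `allow`/`deny` with an optional `target=` parameter. It evaluates the post's own line against the two calls the post mentions and shows why the call originating from gpg-vault is denied: the line only matches gpg-client as source. The real policy engine (qrexec-policy in dom0) also supports tags, types and other keywords that this simplified model leaves out.

```python
"""Simplified evaluator for Qubes 4.1 RPC policy lines (added example).

Assumptions: only literal service names, the '+'/'*' argument field,
literal VM names and @default, and allow/deny with target=... are modelled.
This is not the Qubes implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    service: str
    argument: str          # '+' empty arg, '*' any arg, '+foo' literal 'foo'
    source: str
    target: str
    action: str            # 'allow' or 'deny'
    params: dict = field(default_factory=dict)


def parse_rule(line: str) -> Rule:
    """Split one policy line into its five fixed fields plus key=value params."""
    service, argument, source, target, action, *rest = line.split()
    params = dict(p.split("=", 1) for p in rest)
    return Rule(service, argument, source, target, action, params)


def arg_matches(pattern: str, argument: str) -> bool:
    if pattern == "*":
        return True
    return pattern.startswith("+") and pattern[1:] == argument


def evaluate(rules, service, argument, source, target):
    """Return (decision, effective_target); first matching line wins,
    and a call matched by no line is denied, as qrexec does by default."""
    for r in rules:
        if r.service not in (service, "*"):
            continue
        if not arg_matches(r.argument, argument):
            continue
        if r.source not in (source, "*"):
            continue
        if r.target not in (target, "*"):
            continue
        if r.action == "allow":
            # target=... redirects the call, e.g. @default -> gpg-vault
            return "allow", r.params.get("target", target)
        return r.action, None
    return "deny", None


# Constructed input: the single line from the post's 30-user-gpg2.policy.
POLICY = [parse_rule("qubes.Gpg2 + gpg-client @default allow target=gpg-vault")]

if __name__ == "__main__":
    print(evaluate(POLICY, "qubes.Gpg2", "", "gpg-client", "@default"))
    print(evaluate(POLICY, "qubes.Gpg2", "", "gpg-vault", "@default"))
```

The second call reproduces the "Denied: qubes.Gpg2 from gpg-vault to @default" situation: nothing in the file allows gpg-vault as a source, so the default deny applies.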