Some help with split-gpg2

JustAnotherQubesUser · December 14, 2025, 3:43pm

This is probably a very dumb question but how do you go about actually installing split-gpg2?

I’ve read the docs from here: GitHub - QubesOS/qubes-app-linux-split-gpg2: split-gpg v2

But perhaps I’ve misunderstood but that seems to suggest rebuilding qubes to include it. Whereas a bunch of threads seem to suggest it can just be installed.

I’ve tried various combinations of sudo dnf install split-gpg, split-gpg2, qubes-split-gpg etc and always getting a not found error.

Can someone offer some advice?

Euwiiwueir · December 14, 2025, 5:00pm

In your split-gpg2 vault template:

Install package split-gpg2
Maybe remove qubes-gpg-split if it’s installed (might not be necessary)
shutdown

In your split-gpg2 client template:

Install package split-gpg2
shutdown

Then create (or repurpose) vault and client app qubes that are backed by the templates above.

Then in dom0:

Install package split-gpg2-dom0 (edit: not actually necessary)
In a new file /etc/qubes/policy.d/30-user-gpg2.policy, add line qubes.Gpg2 + SPLIT_GPG2_CLIENT_QUBE @default allow target=SPLIT_GPG2_VAULT_QUBE but using your app qube names instead of the all-caps names
Run: qvm-service --enable SPLIT_GPG2_CLIENT_QUBE split-gpg2-client (but using your client app qube name)

In your split-gpg2 vault app qube (not template):

Setup / import your secret key (as in the doc you linked)

In your split-gpg2 client app qube (not template):

Import your public key (as in the doc you linked)

I think that covers it all. It’s not trivial to set it all up. You can have multiple client app qubes, in which case you repeat some of the steps above for each.

JustAnotherQubesUser · December 14, 2025, 5:06pm

Thanks.

This is the bit I seem to get stuck at:

sudo dnf install split-gpg2-dom0
Qubes OS Repository for Dom0                    2.9 MB/s | 3.0 kB     00:00    
No match for argument: split-gpg2-dom0
Error: Unable to find a match: split-gpg2-dom0

Euwiiwueir · December 14, 2025, 5:53pm

In dom0 you don’t usually use dnf directly to install packages. Instead you go through qubes-dom0-update:

sudo qubes-dom0-update split-gpg2-dom0

solene · December 14, 2025, 6:10pm

A new documentation page is about to be merged Rewrite Split GPG-2 tutorial by parulin · Pull Request #1514 · QubesOS/qubes-doc · GitHub

JustAnotherQubesUser · December 14, 2025, 6:40pm

ah. Thanks.

Its been a while since I’ve been using qubes. Have forgotten a lot!

tanky0u · December 14, 2025, 6:51pm

What’s the diff between qubes-gpg-split-dom0 and split-gpg2? I am using
the former one.

parulin · December 14, 2025, 7:46pm

I dont think that this step is useful:

JustAnotherQubesUser · December 14, 2025, 9:31pm

Making some progress, I think.

Running into this error in the client VM.

qubes-gpg-client-wrapper 
ERROR: Destination domain not defined! Set it with QUBES_GPG_DOMAIN env variable.

Yet in Dom0 I’m seeing:

qvm-service secure-email
key-server-VM  on
split-gpg2          on

The key is showing up when I run gpg -k in the key-server-VM

parulin · December 14, 2025, 10:15pm

qubes-gpg-client-wrapper is related to Split GPG 1

Try to follow only the instructions of one version to start somewhere.

My suggestion is that you follow these instructions about Split GPG 2 as I tested them a few days ago.

JustAnotherQubesUser · December 14, 2025, 10:19pm

Thanks.
I did follow those instructions, but there are no details relating to how to configure Thunderbird to use this split gpg.

I thought the details for Thunderbird were common to both. My mistake.

JustAnotherQubesUser · December 15, 2025, 2:42pm

So, can anyone help with advice how to get split-gpg2 working in Thunderbird?

parulin · December 15, 2025, 2:47pm

Are you able to use some basic gpg commands?

JustAnotherQubesUser · December 15, 2025, 2:48pm

Yep, key has been imported into the key server vm.

Am comfortable using gpg, just not sure what to ask it to do!

parulin · December 15, 2025, 5:48pm

The last newsletter from alimirjamali mentions some test about Thunderbird. And indeed, there is a test: qubes-app-linux-split-gpg2/tests/test_thunderbird.py at main · QubesOS/qubes-app-linux-split-gpg2 · GitHub

That could help you. You could try to follow the Split GPG-1 docs about Thunderbird without:

using /usr/bin/qubes-gpg-client-wrapper (use gpg instead)
or setting mail.openpgp.alternative_gpg_path

I don’t use Thunderbird + GPG so I’m just guessing.

solene · December 16, 2025, 11:13am

It’s now live on the documentation

parulin · December 16, 2025, 2:15pm

Out of curiosity I tried to configure Thunderbird with Split GPG-2 and it works. No need to follow Split GPG-1 docs: any how-to about Thunderbird using an external GnuPG will work. Split GPG-2 doesn’t need any extra step!

Refs:

Side note: maybe the whole Thunderbird section could be replaced in the Split GPG-1 page by something like that:

The built-in functionality is more limited currently, including that public keys must live in your work-email qube with Thunderbird rather than your offline work-gpg qube.

Follow any tutorial about smartcards or external GnuPG. The only extra step is to make sure to set mail.openpgp.alternative_gpg_path value to /usr/bin/qubes-gpg-client-wrapper.