Split-GPG - question about a guide

mateusz · September 22, 2024, 1:25pm

Hello Everyone, this is my first post on this forum.
Can someone who uses Split GPG in easy way describe how to configure it? (In case you have a pgp key and generate a new one)

gonzalo-bulnes · September 22, 2024, 1:30pm

Welcome @mateusz!

Can you give a few details about your current setup?

Is split-GPG already enabled in your system? (In which case I’d assume that you’re asking about which keys to store where, and workflow recommendations. Would that be a fair assumption?)
Or are you looking at enabling split-GPG? (That is: making sure that the VMs that need to talk to each other do it.)

mateusz · September 22, 2024, 2:10pm

My current setup is a ThinkPad with a fresh install of the latest version of QubesOS currently available (4.2.3)

Currently Split-GPG is disabled for me and I am asking how to configure it correctly and what are the recommended practices for using split-gpg to maintain a high level of security.

gonzalo-bulnes · September 22, 2024, 10:09pm

Got it. I’ll have a try at an answer, you tell me if it’s what you expect.

In Qubes OS 4.2.3, you’ll find split-GPG can be enabled as part of the official configuration tools, so I’ll skip that part.

In terms of workflow, I’d say the fundamental elements are:

there is a (offline) vault where your private keys are stored
the private keys never leave the vault
GPG operations that require the private keys (e.g. signing, decrypting…) can be requested by other qubes via an API
policies can be used to define which qubes can request those operations in the first place, and in which cases your explicit approval should be asked for (via a dom0 dialog that’s difficult to immitate)

Initial food for thought:

ideally you generate the keys inside the vault so you don’t have to deal with how much you trust the machines where the keys were stored before being copied to the vault. That’s not always practical, but copying data from less trusted to more trusted qubes is discouraged. Since a vault is ideally a high trust environment, the copying flow can be tricky.

Note that there is a version of spli-GPG with two layers of vaults that takes advantage of the fact that GPG keys can have dependent sub-keys, but I’d recommend understanding the basic mechanics of split-GPG first.

mateusz · September 23, 2024, 11:55am

so in the command line launched from the vault VM I should generate a PGP key, should its expiration date be for example 1 year 2 or 3 years or maybe without expiration time?

if the more recommended method was to generate a key for a specified period, should I extend its validity, if so how and if not, should I simply generate a new one?

and if we already have this key, what next?

the command to generate in the terminal is: (?)

gpg --full-generate-key
recommended type RSA 4096 (?)
validity (?)

generate an invalidating key
export the public key

please help with commands and further steps

gonzalo-bulnes · September 23, 2024, 12:47pm

There are a number of considerations that are not specific to split-GPG or Qubes OS, like the choice of an algorithm or expiry date.

That is general GPG advice and you’ll find more specific advice outside this forum. To get you started, I personally found the following guide useful:

Pros/cons:

The suggested setup involves keys with infrequent/restricted access, and separate subkeys for daily operation.
The subkeys are stored in a dedicated device that somewhat controls access to them while allowing their use
- the Yubikey example in the guide is similar enough to using a vault in a split-GPG setup
- but also different enough that you may find it more confusing than helpful!
The guide provides very practical advice, in a step-by-step way (I think you’ll appreciate that)
The guide also provides considerations useful when making decisions about, for example, setting expiry dates on keys
Arguably the guide is more fitted to the two-layers-of-vaults version of split-GPG that I suggested you ignore at first, so not everything would apply to a simpler split-GPG setup.

Overall, I think the guide does provide a good starting point to identify topics about GPG use or key storage that you want / need to investigate further. I hope that helps!

mateusz · September 23, 2024, 1:27pm

ok so inside the VM vault I generated a PGP RSA-4096 key /2 years validity/ created a revoke and exported the public key
What should I do now?

gonzalo-bulnes · September 24, 2024, 5:04am

Can someone familiiar with the R4.2 official split-GPG configurator chime in please?

mateusz · September 25, 2024, 9:10am

I guess no one knows… I tried to do it with the official website Split GPG | Qubes OS but without a positive result

solene · September 25, 2024, 9:13am

In the GUI “Qubes OS global config” you can configure which qubes can access which GPG vault.

You need to install the gpg wrapper in the qubes using gpg, you will need to use that wrapper command instead of the gpg command.

There is a text file /rw/config/gpg-split-domain in the qubes using gpg that should contain the vault qube name only. (for me its content is vault)

mateusz · September 25, 2024, 10:44am

i have configured Qubes OS global config

probably gpg wrapper is installed by default

where should I look for it?

gonzalo-bulnes · September 25, 2024, 11:50am

In any qubes that needs to a GPG to be performed (e.g. work) and needs to know what qube it needs to ask for GPG operations (e.g. vault).

The file is located (or must be created, if it doesn’t exist) in /rw/config/gpg-split-domain, as @solene indicated.

mateusz · September 25, 2024, 12:38pm

it works! and in Thunderbird and in the command line if I wanted to perform some actions with some pgp file