Split GPG with hardware authentication device (YubiKey, OnlyKey, Librem Key, Trezor, Ledger, etc.)

Is it possible to use Split GPG with an authentication device such as YubiKey, OnlyKey, Librem Key, Trezor, Ledger, etc.?

I’m able to use GPG with the device in my vault-gpg VM, but when done from another VM with qubes-gpg-client-wrapper, I get this error:

gpg: decryption failed: No secret key

But I still get the desktop notification saying “Keyring access from domain: my-qube”.

So it seems Split GPG is unable to communicate with the hardware authentication device.

It is possible. You need to attach the YubiKey to the vault VM you want to use with Split GPG.

1 Like

But that’s what I’m doing.

It would help to know some basic info about your setup then:

  • What template(s) are vault and client based on (Debian/Fedora)?
  • Is the template minimal or default?
  • What packages did you install in each?

Just to rule everything out, did you correctly export the QUBES_GPG_DOMAIN variable in your client VM?

Can you run qubes-gpg-client -K in your client VM?

I regularly use mine and it works well, so it’s definitely supported. Hopefully we can get your setup working as well.
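The checks in the post above (is QUBES_GPG_DOMAIN exported, does qubes-gpg-client -K return a secret key listing or nothing) can be scripted so a user can report the result in one go. The script below is an added example written for this thread, not code from the Qubes project or from any poster; it assumes the split-gpg client package is installed in the client qube, and the vault name "vault" in the hint is a constructed example.

```shell
#!/bin/sh
# Client-side Split GPG diagnostics (added example, not Qubes project code).
# Usage, inside the client qube: sh split_gpg_check.sh run

# Return 0 if the given value names a vault qube (non-empty), 1 otherwise.
check_domain_var() {
    [ -n "$1" ]
}

# Read a `gpg -K`-style listing on stdin. Return 0 if at least one secret
# key line is present ("sec" / "ssb", including the "sec>" form gpg uses for
# keys that live on a smartcard or token), 1 if the listing is empty or the
# output is only an error message such as "No secret key".
listing_has_secret_key() {
    grep -Eq '^(sec|ssb)'
}

# Run the checks in order and explain the first one that fails.
diagnose() {
    if ! check_domain_var "${QUBES_GPG_DOMAIN:-}"; then
        echo "QUBES_GPG_DOMAIN is not set in this qube; export it first," \
             "e.g. export QUBES_GPG_DOMAIN=vault" >&2
        return 2
    fi
    if ! command -v qubes-gpg-client >/dev/null 2>&1; then
        echo "qubes-gpg-client not found; install the Split GPG client" \
             "package in this qube's template" >&2
        return 3
    fi
    # The RPC call is what triggers the "Keyring access from domain" popup.
    out=$(qubes-gpg-client -K 2>&1)
    if printf '%s\n' "$out" | listing_has_secret_key; then
        echo "vault '$QUBES_GPG_DOMAIN' returned a secret key listing:"
        printf '%s\n' "$out"
        return 0
    fi
    echo "vault '$QUBES_GPG_DOMAIN' returned no secret key. The RPC works," \
         "but gpg inside the vault does not see the key: check that the" \
         "token is attached to the vault and that 'gpg -K' and" \
         "'gpg --card-status' work there." >&2
    printf '%s\n' "$out" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then
    diagnose
    exit $?
fi
```

The distinction the script makes is the one the thread turns on: a popup plus an empty listing means the qrexec path between client and vault is fine and the problem is on the vault side (token not attached to the vault, or the vault's gpg not seeing it), whereas no popup at all points at the client variable or the dom0 policy.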

I have the same issue using Trezor with a passphrase. Both vault and client are using the Debian template.

qubes-gpg-client -K returns empty output, but I see the desktop notification saying the client is accessing the vault VM.

QUBES_GPG_DOMAIN is correctly set. Same output running QUBES_GPG_DOMAIN=vault qubes-gpg-client -K.

I believe the problem is the Trezor passphrase.

I thought Trezor and Ledger were cryptocurrency hardware wallets. Do they support PGP/GPG keys too?

Yes, you can generate PGP/GPG keys and also SSH keys with Trezor and Ledger. If you use a passphrase, then the GPG or SSH key generated is different from the one you would get with the seed without the extra passphrase.

Trezor and Ledger can also do U2F.

You can do anything that YubiKey and others do, plus cryptocurrency, with a Trezor or a Ledger.

It’s cool to hear that, but I wouldn’t trust a Trezor or Ledger for both crypto and gpg/ssh keys. They are completely different things, and it is the same as giving both your money and your identity to someone if they steal it somehow (even in an encrypted state; I think it is not worth it).