SplitGPG2 with SmartCard: gpg -K has no output

My split gpg2 isn't passing private keys/stubs to the client VM.

gpg -k works as intended
gpg -K has no output.

Would anybody be able to assist or point me in the right direction? I spent all last night trying to figure it out.

How have you configured split-gpg2? Have you used gpg previously in your client qube?

You need to provide more information for us to be able to help you.

It's a somewhat fresh install, no previous split gpg.

Packages installed in both client and vault.

Service enabled for client VM.

dom0 Policy

qubes.Gpg2 * client @default allow target=vault

gpg in the vault is configured to use a YubiKey.

Followed the documentation until gpg -K, where mine failed.

What information am I possibly missing that I can provide?


While configuring split gpg 2 with a YubiKey in the server qube I ran into an issue: gpg -K is returning with no output and I haven’t found a fix. Is this a limitation with split gpg2 and smart cards? No private key material/stubs are being sent from the server to the client.

Not entirely sure what's happening or if it's even supported at this point.

Dom0 Policy

qubes.Gpg2 * client @default allow target=vault

split-gpg2-client service enabled for client vm
public key and owner trust imported

gpg -k/-K outputs for both client and server below

user@server:~$ gpg -k
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   ed25519 0000-00-00 [C] [expires: 0000-00-00]
         35Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid           [ultimate] user
sub   ed25519 0000-00-00 [S] [expires: 0000-00-00]
sub   cv25519 0000-00-00 [E] [expires: 0000-00-00]
sub   ed25519 0000-00-00 [A] [expires: 0000-00-00]

user@server:~$ gpg -K
/home/user/.gnupg/pubring.kbx
-----------------------------
sec#  ed25519 0000-00-00 [C] [expires: 0000-00-00]
         35Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid           [ultimate] user
ssb>  ed25519 0000-00-00 [S] [expires: 0000-00-00]
ssb>  cv25519 0000-00-00 [E] [expires: 0000-00-00]
ssb>  ed25519 0000-00-00 [A] [expires: 0000-00-00]
user@client:~
❯ gpg -k
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   ed25519 0000-00-00 [C] [expires: 0000-00-00]
         35Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid           [ultimate] user
sub   ed25519 0000-00-00 [S] [expires: 0000-00-00]
sub   cv25519 0000-00-00 [E] [expires: 0000-00-00]
sub   ed25519 0000-00-00 [A] [expires: 0000-00-00]

user@client:~
❯ gpg -K

Found a fix: it was the Qubes auto keyring not syncing with the smart card.


Are you sure that you imported the public keys in client?
If yes, try setting the policy in dom0, /etc/qubes/policy.d/30-user-gpg2.policy to ask.
See if you even get a qrexec call at all. (You should be getting a dialogue, same as the one for moving files between qubes.) Also, make sure you added the policy in the correct place.

If you are not getting a dialogue at all, then you probably forgot to enable the service. Run in dom0:
$ qvm-service --enable client split-gpg2-client
In the command above ^ substitute “client” for the actual client qube name.

Ah, didn’t see you found a fix…

No problem, thanks for the help! I wasn’t aware it uses a separate keyring by default and the Qubes automatic keyring wasn’t picking up the smart card.

I disabled it with source_keyring_dir = no but I'm sure there is a cleaner fix.