Unable to set up split-gpg in 4.2.7

Hello all,

i tried to set up split-gpg with the guide from official docs. Doesn’t work. Then i found a
later discussion here https://forum.qubes-os.org/t/confused-about-split-gpg-gui-under-4-2/24533
I followed the guide, but had also the “old” config steps from the original documentation configurated.

My questions to figure it out what happens here are:

  1. do i have to uninstall any package from the “old” gpg-split documentation before i install
    the split-gpg2-dom0 and split-gpg2 packages?

  2. am i right assuming that PRIVATE keys are stored in work-gpg and
    PUBLIC keys are stored in the app cube in which my email program runs?

  3. i had imported the PRIVATE keys in the network-less work-gpg and after this i removed
    the password from this keys with gpg --edit-keys and passwd. Does this work?

Perhaps there is an up-to-date-step-by-step guide for the new policys, but i cannot find it in the

Thanks in advance

Wilkommen, HerrHolle!

  1. Yes, you should uninstall old packages. I’d recommend starting with a new template if it’s not a hassle.

  2. Yes.

  3. Yes, that should be enough.

I’ll see about getting a community guide out in the coming week. Please let me know if you run into any specific problems.


thank you for your post!
after removing the old packages and solved a typing error in the 30-user-gpg2.policy the
email-cube has access to the work-gpg cube. Encryption and decryption works now. But signing failes with error code: no secret key.

I read that using only one master-key for all purposes (encryption AND signing) will fail on split-gpg. So i created an seperate signing key (RSA) with gpg --edit-key <key-id> and addkey, also without the need to type the password. But the error is still the same.

btw, i have ONLY the private ones in the work-gpg, and ONLY the public ones in the email-cube.

If theres an idea to solve this please let the forum know.

When i find time i want to summarize all steps i have made to get this running, here in this thread, additionally to the community guide comming soon.

There is still an error if i try to sign an email. Encryption, decryption and verifying a signature works as expected, PKSIGN (which is displayed as allowed by split-gpg2) shows the error “no secret key”.

This is the output from gpg --list-secret-keys --keyid-format=long from my work-gpg qube:

sec   rsa4096/647XXXXXXXXXXXXX 2020-03-02 [C]
uid                 [ultimate] Hxxxx Sxxxxxx <hxxxx.sxxxxx@xxxxx.xx>
uid                 [ultimate] Hxxxx Sxxxxxx (eigener PGP) <xxxxx.xxxxx@xxxx.xx>
ssb   rsa4096/D5A1XXXXXXXXXX 2020-03-02 [E]
ssb   rsa4096/2356XXXXXXXXXX 2024-06-26 [S]

sec   rsa4096/2FAXXXXXXXXXXX 2020-03-02 [C]
uid                 [ultimate] HXXXXXX SXXXXXX (eigener PGP) <XXXXXX@XX.XX>
ssb   rsa4096/92XXXXXXXXXXXX 2020-03-02 [E]
ssb   rsa4096/FEXXXXXXXXXXXX 2024-06-26 [S]

What are the basic requirements to set up signing with split-gpg2?

now i found something maybe interesting:

in work-gpg in folder


6 keys are listed - i assume this are my 2 master, 2 encryption and 2 signing keys (which i created new)

in work-gpg in folder


only 4 keys are listed - i assume this is the “old” configuration with a master-key [CS] and a encryption subkey [E]

can it be that this is the reason PKSIGN finds no secret key?
What to do? copy the keys from one to the other folder?

just found the error.

I didn’t know that it is important to update the public keys in the work-email qube when changes of the secret keys in work-gpg where made.

After i edited the secret keys in work-gpg (changed the usage of the masterkey from [SC] to only [C] and created a new only-sign key to match the split-gpg2 requirements) i forgot to update the pub-keys in email qube.

so, a simple export of the pubkeys in work-gpg and import them in the work-email qube solved the problem.

But in the end i dont understand why it is important for signing to have the public keys up to date, i always thougt that the private one is the only important part to sign an message…