Commit
feat: add split-gpg2 configuration
Users must migrate their keys from ~/.gnupg to the value of
isolated_gnupg_homedirs.
ben-grande committed Jun 17, 2024
1 parent 59e8fc3 commit 1a72665
Showing 3 changed files with 24 additions and 5 deletions.
3 changes: 1 addition & 2 deletions salt/qubes-builder/files/admin/policy/default.policy
Expand Up @@ -5,9 +5,8 @@

## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.

## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
qubes.Gpg2 * {{ sls_path }} @anyvm deny

qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
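Review bot: the rule `qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp` gives every qube carrying the `{{ sls_path }} ` tag silent access to the keys in `sys-pgp`; if that is intended for builder qubes, say so in the comment block, otherwise `ask default_target=sys-pgp` keeps the redirection while leaving the user in the loop for each signing operation. Two smaller points in the same hunk: the context line `## Do not modify this file, create a new policy with with a lower number in the` repeats `with`, and the TODO line names the setting `isolated_gnupghomedirs` while the commit message calls it `isolated_gnupg_homedirs`; whichever name is the Salt variable should be used consistently.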
24 changes: 22 additions & 2 deletions salt/sys-pgp/README.md
Expand Up @@ -59,5 +59,25 @@ qubes.Gpg2 * @anyvm @anyvm deny

## Usage

Consult [upstream documentation](https://www.qubes-os.org/doc/split-gpg/) on
how to use split-gpg.
Consult [upstream documentation](https://github.com/ben-grande/qubes-app-linux-split-gpg2) on
how to use split-gpg2.

Save your PGP keys to `sys-pgp`, using isolated GnuPG home directory per qube
at `~/.gnupg/split-gpg/<QUBE>`.

On `dom0`, enabled the service `split-gpg2-client` for the client qube `dev`:
```sh
qvm-features dev service.split-gpg2-client 1
```

On the qube `sys-pgp`, generate or import keys for the client qube `dev`:
```sh
mkdir -p ~/.gnupg/split-gpg/dev
gpg --homedir ~/.gnupg/split-gpg/dev --import /path/to/secret.key
gpg --homedir ~/.gnupg/split-gpg/dev --list-secret-keys
```

On the qube `dev`, import the public part of your key:
```sh
gpg --import /path/to/public.key
```
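Review bot: the commit message says users must migrate keys from `~/.gnupg` to the value of `isolated_gnupg_homedirs`, but this README hunk neither mentions the migration nor the variable and hardcodes the path as `~/.gnupg/split-gpg/<QUBE>`; add a short migration paragraph (export the secret keys from the old homedir, import them into the per-qube homedir with `--homedir`, then remove them from the shared `~/.gnupg`) and state that the path follows `isolated_gnupg_homedirs`. In the `sys-pgp` steps, `mkdir -p ~/.gnupg/split-gpg/dev` creates the directory with the umask default, so gpg is likely to warn about unsafe permissions on the homedir; `mkdir -p -m 700 ~/.gnupg/split-gpg/dev` avoids that. Also, `On \`dom0\`, enabled the service` should read `enable`, and the README should tell the reader to remove `/path/to/secret.key` after the import so that the per-qube homedir is the only copy of the secret key in `sys-pgp`.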
