

Split GPG implements a concept similar to having a smart card with your private GPG keys, except that the role of the “smart card” is played by another Qubes app qube. A less trusted domain, such as the one where Thunderbird is running, can delegate all crypto operations – such as encryption/decryption and signing – to another, more trusted, network-isolated domain. This way the compromise of your domain where Thunderbird or another client app is running – arguably a not-so-unthinkable scenario – does not allow the attacker to automatically also steal all your keys. (We should make a rather obvious comment here that the so-often-used passphrases on private keys are pretty meaningless because the attacker can easily set up a simple backdoor which would wait until the user enters the passphrase and steal the key then.)

This diagram presents an overview of the Split GPG architecture.

It is often thought that the use of smart cards for private key storage guarantees ultimate safety. This might be true (unless the attacker can find a usually-very-expensive-and-requiring-physical-presence way to extract the key from the smart card), but only with regard to the safety of the private key itself. However, there is usually nothing that could stop the attacker from requesting the smart card to perform decryption of all the user documents the attacker has found or needs to decrypt. In other words, while protecting the user’s private key is an important task, we should not forget that ultimately it is the user data that are to be protected, and that the smart card chip has no way of knowing that the requests to decrypt documents are now coming from the attacker’s script and not from the user sitting in front of the monitor. (Similarly, the smart card doesn’t make the process of digitally signing a document or a transaction in any way more secure – the user cannot know what the chip is really signing. Unfortunately, this problem of signing reliability is not solvable by Split GPG.)

With Qubes Split GPG this problem is drastically minimized, because each time the key is to be used the user is asked for consent (with a definable timeout, 5 minutes by default), and is always notified each time the key is used via a tray notification from the domain where the GPG backend is running. This way it would be easy to spot unexpected requests to decrypt documents.

In dom0, make sure the qubes-gpg-split-dom0 package is

~]$ export QUBES_GPG_DOMAIN
~]$ gpg -K
~]$ qubes-gpg-client -K
/home/user/.gnupg/secring.gpg
uid Qubes OS Security Team
ssb 4096R/30498E2A
~]$ qubes-gpg-client secret_

Note that running normal gpg -K in the demo above shows no private keys stored in this app qube.

Throughout this guide, we refer to gpg, but note that Split GPG uses gpg2 under the hood for compatibility with programs like Enigmail (which now supports only gpg2). If you encounter trouble while trying to set up Split GPG, make sure you’re using gpg2 for your configuration and testing, since keyring data may differ between the two installations.

The qubes-gpg-client-wrapper script sets the QUBES_GPG_DOMAIN variable automatically based on the content of the file /rw/config/gpg-split-domain, which should be set to the name of the GPG backend VM. This file survives the app qube reboot, of

ask,default_target=work-gpg

Note that, because this makes it easier to accept Split GPG’s qrexec authorization prompts, it may decrease security if the user is not careful in reviewing presented prompts. This may also be inadvisable if there are multiple app qubes with Split GPG set up.
