PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Code

Update link to community guide

Browse Source 
Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>
This commit is contained in:
friendly-rabbit-35 2024-05-25 21:01:33 +00:00 committed by GitHub
parent d55082f4ac
commit 6e4c603fd3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 4 deletions

8
content/posts/qubes/Using Split GPG and Split SSH on Qubes OS.md
View File

@ -13,15 +13,15 @@ This post will go over setting up Split GPG, then setting up Split SSH with the
Follow the official Qubes OS [documentation](https://www.qubes-os.org/doc/split-gpg/) to set this up.
Note that if you already have a PGP key with a passphrase, you can remove it by installing `pinentry-gtk` to `vault`'s TemplateVM, then do `gpg2 --edit-key <key_id>` and `passwd` to set an empty passphrase. The default non-graphical pinentry will just make an infinite loop and will not allow you to set an empty passphrase.
Note that if you already have a PGP key with a passphrase, you can remove it by installing `pinentry-gtk` to `vault`'s TemplateVM, then run `gpg2 --edit-key <key_id>` and `passwd` to set an empty passphrase. The default non-graphical pinentry will just make an infinite loop and will not allow you to set an empty passphrase.
## Split SSH
This part is based on the Qubes Community's [guide](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/split-ssh.md); however, I will deviate from it to use the PGP keys for SSH instead of generating a new key pair.
This part is based on the Qubes Community's [guide](https://forum.qubes-os.org/t/split-ssh/19060); however, I will deviate from it to use the PGP keys for SSH instead of generating a new key pair.
### In `dom0`
- Create `/etc/qubes-rpc/policy/qubes.SshAgent` with `@anyvm @anyvm ask,default_target=vault` as the content. Since the keys ar not passphrase protected, you should **not** set the policy to allow.
- Create `/etc/qubes-rpc/policy/qubes.SshAgent` with `@anyvm @anyvm ask,default_target=vault` as the content. Since the keys are not passphrase protected, you should **not** set the policy to allow.
### In `vault` AppVM
- Add `enable-ssh-support` to the end of `~/.gnupg/gpg-agent.conf`
@ -83,4 +83,4 @@ fi
- Restart `ssh-client` and confirm if it's working with `ssh-add -L`.
### Limitations
A malicious `ssh-client` AppVM can hold onto the ssh-agent connection for more than one use until it is shut down. While your private key is protected, a malicious actor with access to the AppVM can still abuse the ssh-agent to log into your servers.
A malicious `ssh-client` AppVM can hold onto the ssh-agent connection for more than one use until it is shut down. While your private key is protected, a malicious actor with access to the AppVM can still abuse the ssh-agent to log into your servers.