-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sun, Nov 29, 2015 at 10:03:47AM -0500, Konstantin Ryabitsev wrote:
> On Sun, Nov 29, 2015 at 03:43:40PM +0100, Marek Marczykowski-Górecki wrote:
> > In case of GnuPG(-enabled cards), you can (probably) use split gpg for
> > that - simply have backend in USB VM and configure gpg there to use
> > smartcard.
>
> Does qubes gpg agent support using GnuPG's Auth key for ssh? It wasn't
> obvious from reading about split-gpg.
It's just a wrapper around gpg, with some whitelist for options. If that
works with just normal gpg, it should also work with split-gpg. But if
that's about gpg agent (not main gpg itself), it probably wont. In that
case, take a look at split-gpg2 - which does the same at gpg agent
protocol level:
https://github.com/QubesOS/qubes-issues/issues/474#issuecomment-156885755
> > But it probably won't work for generic x509 certs handling. Unless
> > someone made pkcs11 module which uses gpg as a backend (which could be
> > replaced by split gpg then).
> >
> > Anyway, given a lot of security problems with USB, it's better to use
> > split gpg with offline VM as a backend, instead of gpg with smartcard.
> > Think of it: while it's (probably) true that your private key wouldn't
> > be stolen when stored on smartcard, your USB VM has ultimate control
> > over its usage. PIN protection gives you nothing, because it can be
> > easily sniffed.
>
> I would have agreed with you until recently, but the latest crop of
> yubikeys supports "require touch for operation" functionality. Even if
> the yubikey is connected to my port and you know the PIN, you can't use
> it unless I also touch the button within 30 seconds of the request. I
> believe this is similar to the advantages you get with split-gpg
> regarding protecting encrypted data vs. just the private keys.
Indeed this somehow improves the situation. You still don't know what
you are signing, but this problem isn't solved by split gpg either (it
isn't implemented, but in theory it is possible to have some preview of
what you're are really going to sign). Similar about decryption - it may
be possible to decrypt the data and view it in some isolated DispVM,
instead of passing back to the source VM.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWWxhoAAoJENuP0xzK19csoy4H/3osFlgz6n92pc8gTu/EjVbm
mBEKM/9p5qyR04RvriiiPM1onB7jRfCXQmTETprdsZaKezqJO4ABcPXqy4UU7Xar
PtOQOTDIQpPbl7QiRp59gjbkdDuRb77HfyacZuj+BRL1SOqg9a7z7MWSQ8dMc59t
dQPYsYyqycsNf3P4Q6HmVEAnriNzQMJ5EjnbUH9hsqlGHtT6Fbkz788cHvdKI8Cr
I1CaPSmUDhgte/tKNvERS0IrQx/7Du+bqXvwxjoZ/Dy8+4+D1oGva+dCgvDyZp7C
G1bfUhq6BitwRqZPZC7HNAo+zzfoew3QU/jNyy9orcoIFW5Jky07GQEpg0Dg4rI=
=tqTk
-----END PGP SIGNATURE-----