I updated templates and dom0 today and rebooted the computer. Now when I try to look at encrypted email I am prompted to enter my gpg key password every time I look at an encrypted email. Also, if I look at an encrypted email, go to a different program and then tab back to Thunderbird, I am immediately asked for the gpg key password for the email I was looking at.
Another problem I discovered: if a PGP/MIME email has an attachment and I try to open it, it asks for the password to open it. I put the correct password in and it just asks again and again and again :(
++Cubit
I recommend disabling your key's passphrase (i.e., using a blank
passphrase).
This is disappointing to hear. Removing the password sounds like a kludge rather than a fix to something that had been working okay.
I understand the model does not technically need a password but it is something I want (rightly or wrongly) and it was working okay since R3.0, which to me indicates that it can work and something just broke.
The reasoning can be found throughout the document (search for
"passphrase").
I do and see that it is optional which should mean it works. From the page you say:
> > "Therefore, using a passphrase at all should be considered optional."
If it is not supposed to work or is not supported, it should say "do not use passphrase with key" instead of saying "is optional", as this leads people to understand that while not needed it works.
You're also ignoring the part that I quoted for you previously. Here
it is again:
"You may experience trouble when attempting to use a PGP key with a
passphrase along with Split-GPG and Enigmail. If you do, you may need
to remove the passphrase from your (sub)key(s) in order to get
Split-GPG working correctly. As mentioned above, we do not believe PGP
key passphrases to be significant from a security perspective."
What this means for you:
You're experiencing trouble when attempting to use a PGP key with a
passphrase along with Split-GPG and Enigmail, so you may need to
remove the passphrase from your (sub)key(s) in order to get Split-GPG
working correctly.
I do not want to come across as rude but that's not how I see it. I was using a passphrase fine over several releases and it just stopped working for a reason I have yet to find out.
Removing the password is not a fix; it is a kludge or workaround. A fix is getting it back to its previous working state with password use intact.
If passphrase use is so seemingly temperamental that you have to offer this kludge, it should be said do not use!
> I recommend disabling your key's passphrase (i.e., using a blank
> passphrase).
Some frustrating experiments later....
+ Changing my vault VM to fedora24
- It remembers the key's password but does not honor the timeout settings; it always reprompts at 5 minutes despite "export QUBES_GPG_AUTOACCEPT=86400" being in .bash_profile
- Removing the password from my subkeys and it still prompts for a password and only works with the password I removed, not blank. Interacting with gpg on the command line shows that the password does not exist; all signing / decryption is automatic
Any reasons for the above behavior?
+ then changing vault VM back to debian 8
- password removed and I can now read email and attachments without being bothered when looking at each and every email.
> + Changing my vault VM to fedora24
> - It remembers the key's password but does not honor the timeout settings; it always reprompts at 5 minutes despite "export QUBES_GPG_AUTOACCEPT=86400" being in .bash_profile
Hmm, it works for me...
> - Removing the password from my subkeys and it still prompts for a password and only works with the password I removed, not blank. Interacting with gpg on the command line shows that the password does not exist; all signing / decryption is automatic
> Any reasons for the above behavior?
Make sure you use gpg2, not gpg.
I'm also facing the same problem. Split GPG no longer caches the password through the timeout set on the QUBES_GPG_AUTOACCEPT variable.
I also don't want to remove the password from my private key since I use it on different devices, and I don't want to use a different template as I have many things installed on my debian 8 template.
This stopped working recently after an upgrade. Is there any way that this could be restored to the same state as it was working before?
In addition, does anyone know how one can use the latest version of Enigmail with Thunderbird? The only working version of Enigmail is 1.8.2 (it seems that this is a limitation from the split-gpg).
Thank you
Since I'm running out of ideas or experiments in order to have the gpg cache working again, I'll probably consider changing my template VM from debian-8 to fedora-24 (possibly the minimal). Before I do that, I'd like to know from the Qubes community which kind of security setup is the most advisable for the vault and Icedove/Thunderbird?
Many thanks
Key is protected with a passphrase
Works fine for me with the default fedora-24 template.
Between fedora-24 and fedora-24-minimal, which one is more recommended from a security perspective? What I mean is, is using the standard fedora template with all apps installed on it advisable, or is it preferable to use a dedicated template or a minimal bare-bones template to diminish the attack surface?
Before the update it was working fine with the password. Now QUBES_GPG_AUTOACCEPT is no longer respected, as one has to type in the password every single time. With all due respect, you are not trying to convert a bug into a feature and claiming that this is the expected behavior, right?
The minimal template has a smaller attack surface in general, but it
doesn't come with Split GPG pre-installed. There is probably not a
significant difference, since the Split GPG protocol tightly controls
inter-VM data transfer. There is no general recommendation here, since
the degree to which the full vs. minimal template attack surface
matters depends on your threat model. For some people, it makes more
sense to save the disk space by not having an extra minimal template
for it.
Thanks, in that case I'll opt to choose the fedora 24 normal template.