OpenPGP in QubesOS

1,408 views
Skip to first unread message

Alex

unread,
Aug 6, 2013, 7:53:14 PM8/6/13
to qubes...@googlegroups.com
What is the canonical usage method for OpenPGP in QubesOS?

Is split PGP ready, or is it WIP and right now the best we can do is use GPG as in any Linux system?

Alex

Joanna Rutkowska

unread,
Aug 7, 2013, 5:02:21 AM8/7/13
to Alex, qubes...@googlegroups.com
signature.asc

Alex

unread,
Aug 7, 2013, 9:54:48 AM8/7/13
to qubes...@googlegroups.com, Alex

I take this to mean

- Split GPG is work in progress - aiming to be part of QubesOS Release 3
- As of now (Aug 2013) the best QubesOS users can do is use GPG as they would on any GNU/Linux system.

-A

Joanna Rutkowska

unread,
Aug 7, 2013, 10:56:39 AM8/7/13
to Alex, qubes...@googlegroups.com
Actually, the best a Qubes user might do, is to... submit some patches
to make real Split GPG working as described in the ticket :)

joanna.


signature.asc

Joanna Rutkowska

unread,
Aug 7, 2013, 10:58:35 AM8/7/13
to Alex, qubes...@googlegroups.com
But generally, even if you don't use split GPG, Qubes OS still offers
some advantages, such as e.g. you can generate and keep the master key
in your "vault" AppVM (e.g. network disconnected) and use it to sign
your short-term keys that are to be kept in normal AppVMs. The key
export could be then done easily via qvm-copy-to-vm (but *never* import
keys to your super-secret vault AppVM, only export from it!).

joanna.


signature.asc

Alex

unread,
Aug 8, 2013, 3:44:03 PM8/8/13
to qubes...@googlegroups.com, Alex

That sounds like reasonably secure and not too unusable. Can you point me to any decent HOWTO online on the steps required to achieve this offline-long-term-key and exposed-short-term-keys setup?

-A

Joanna Rutkowska

unread,
Aug 8, 2013, 4:57:20 PM8/8/13
to Alex, qubes...@googlegroups.com
Take a look at the regular GnuPG docs, they talk there about a scenario
with using a separate machine for your long-term keys, IIRC.

j.


signature.asc

Alex

unread,
Aug 9, 2013, 10:32:26 AM8/9/13
to qubes...@googlegroups.com

So the docs under http://gnupg.org/documentation/howtos.en.html do not explicitly cover this scenario - the closest one is the smartcard HOWTO, but it's convoluted.

I found https://alexcabal.com/creating-the-perfect-gpg-keypair/ which I think describes the scenario you have in mind. Just treat your less-trusted AppVMs as the "laptop" of the blog post. Appears to work ok, not sure about keysigning, interaction with keyservers etc. If I ever understand how this whole mess works, I might even do a writeup. Just so that I never, ever have to figure this out again!

-A

Abel Luck

unread,
Aug 9, 2013, 1:15:37 PM8/9/13
to qubes...@googlegroups.com
Alex:
'
I maintain a document that describes how to do this:
https://gist.github.com/abeluck/3383449

It is not Qubes OS specific, and in fact assumes you want to use a
smartcard, which might not be the case, so skip those bits.

Also, use your vault vm instead of booting into an offline livecd as
described.

~abel

Alex

unread,
Aug 15, 2013, 3:30:31 AM8/15/13
to qubes...@googlegroups.com, ab...@guardianproject.info

Thanks for this abel - I see that figuring out how to sign other people's keys is on the TODO list :-)

I have a setup that works for me now, but it seems that signing other people's keys and uploading to the keyserver will be a long and tricky process... Is anyone using this setup on a day to day basis and can advise on how to make signing other people's keys reasonably usable?

Alex

ix4...@gmail.com

unread,
Aug 15, 2013, 5:24:51 AM8/15/13
to qubes...@googlegroups.com, Abel Luck, Joanna Rutkowska
On 15 August 2013 08:30, Alex <ix4...@gmail.com> wrote:


On Friday, August 9, 2013 6:15:37 PM UTC+1, Abel Luck wrote:
Alex:
<snip>
> I found https://alexcabal.com/creating-the-perfect-gpg-keypair/ which I
> think describes the scenario you have in mind. Just treat your less-trusted
> AppVMs as the "laptop" of the blog post. Appears to work ok, not sure about
> keysigning, interaction with keyservers etc. If I ever understand how this
> whole mess works, I might even do a writeup. Just so that I never, ever
> have to figure this out again!
>

I maintain a document that describes how to do this:
https://gist.github.com/abeluck/3383449

It is not Qubes OS specific, and in fact assumes you want to use a
smartcard, which might not be the case, so skip those bits.

Also, use your vault vm instead of booting into an offline livecd as
described.

~abel

Thanks for this abel - I see that figuring out how to sign other people's keys is on the TODO list :-)

I have a setup that works for me now, but it seems that signing other people's keys and uploading to the keyserver will be a long and tricky process... Is anyone using this setup on a day to day basis and can advise on how to make signing other people's keys reasonably usable?

I think we're getting closer here - http://www.macfreek.nl/memory/Convert_GPG_keys_to_subkeys describes a setup that seems quite usable with a traditional OS and a USB key.

But, that method requires
(a) networking from "vault"
(b) mounting "vault"'s filesystem from an untrusted day-to-day AppVM

Both of these are no-no's in QubesOS

https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups/#Paying_the_Orks_a_visit comes closer to a QubesOS setup, as it talks about a properly isolated environment (similar to the QubesOS vault), but does not explain what to do after you've signed someone else's key. How do you update your regular day-to-day keyring so that it knows the public key you signed is now trusted?

Alex

Joanna Rutkowska

unread,
Aug 15, 2013, 5:43:56 AM8/15/13
to ix4...@gmail.com, qubes...@googlegroups.com, Abel Luck
On 08/15/13 11:24, ix4...@gmail.com wrote:
> On 15 August 2013 08:30, Alex <ix4...@gmail.com> wrote:
>
>>
>>
>> On Friday, August 9, 2013 6:15:37 PM UTC+1, Abel Luck wrote:
>>>
>>> Alex:
>>> <snip>
>>>> I found https://alexcabal.com/**creating-the-perfect-gpg-**keypair/<https://alexcabal.com/creating-the-perfect-gpg-keypair/>which I
>>>> think describes the scenario you have in mind. Just treat your
>>> less-trusted
>>>> AppVMs as the "laptop" of the blog post. Appears to work ok, not sure
>>> about
>>>> keysigning, interaction with keyservers etc. If I ever understand how
>>> this
>>>> whole mess works, I might even do a writeup. Just so that I never, ever
>>>> have to figure this out again!
>>>>
>>>
>>> I maintain a document that describes how to do this:
>>> https://gist.github.com/**abeluck/3383449<https://gist.github.com/abeluck/3383449>
>>>
>>> It is not Qubes OS specific, and in fact assumes you want to use a
>>> smartcard, which might not be the case, so skip those bits.
>>>
>>> Also, use your vault vm instead of booting into an offline livecd as
>>> described.
>>>
>>> ~abel
>>>
>>
>> Thanks for this abel - I see that figuring out how to sign other people's
>> keys is on the TODO list :-)
>>
>> I have a setup that works for me now, but it seems that signing other
>> people's keys and uploading to the keyserver will be a long and tricky
>> process... Is anyone using this setup on a day to day basis and can advise
>> on how to make signing other people's keys reasonably usable?
>>
>
> I think we're getting closer here -
> http://www.macfreek.nl/memory/Convert_GPG_keys_to_subkeys describes a setup
> that seems quite usable with a traditional OS and a USB key.
>
> But, that method requires
> (a) networking from "vault"
> (b) mounting "vault"'s filesystem from an untrusted day-to-day AppVM
>
> Both of these are no-no's in QubesOS
>
I think such assumptions are no-no's in any reasonable environment
(including air-gapped). A vault that is network-connected is... not a
vault really. A vault whose filesystem is accessible by untrusted
entities... come on, is it a joke, or something?

> https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups/#Paying_the_Orks_a_visitcomes
> closer to a QubesOS setup, as it talks about a properly isolated
> environment (similar to the QubesOS vault), but does not explain what to do
> after you've signed someone else's key. How do you update your regular
> day-to-day keyring so that it knows the public key you signed is now
> trusted?
>

The problem is that the gpg in the vault should not be forced to process
any external (so untrusted) input. Copying somebody's else key there is
just breaking of all the security model that a air-gapped gpg can
provide to you.

So, generally not only you should not try to sign other keys in your
vault, you should not even import them there. More thoughts on this in
the ticket description and the thread linked from there:

http://wiki.qubes-os.org/trac/ticket/474

joanna.

signature.asc

Abel Luck

unread,
Aug 15, 2013, 11:00:52 AM8/15/13
to Alex, qubes...@googlegroups.com
Alex:
For now, as Joanna stated, I don't sign other people's keys. I don't
like to use the public WOT (keyservers) anyways.

In the one or two cases where I really did need to sign another key, I
made a duplicate of my USB key, using dd, that contains my "clean room"
OS and an encrypted partition with my master key. Then I booted, signed
the key in question, exported it via another usb stick or sd card, and
finally, destroyed the duplicate USB key.

The computer that I was booting on had it's networking hardware removed.

~abel

ix4...@gmail.com

unread,
Aug 21, 2013, 8:52:18 AM8/21/13
to qubes...@googlegroups.com, Abel Luck, Joanna Rutkowska
Please review & let me know for any holes in this QubesOS-specific writeup:
https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/

The one bug of this approach I'm aware of is that initial key generation should happen in the vault, with the less-trusted keyring transferred to the less trusted networked AppVM. I realised that after doing most of the work and now haven't got time to fix it until September.

The other bug I'm well aware of is that this setup doesn't offer any anonymity, since the spooks primarily care about relationships between people, which PGP doesn't protect, but hey, let's focus on doing the best we can with the tools we have here.

-A

Axon

unread,
Oct 3, 2013, 8:21:21 PM10/3/13
to ix4...@gmail.com, qubes...@googlegroups.com, Abel Luck, Joanna Rutkowska
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,

I created a wiki page on using OpenPGP in Qubes. It can be found here:
qubes-os.org/trac/wiki/UserDoc/OpenPGP

Please let me know if you have any corrections.

- -Axon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSTgnjAAoJEERNzbAJEhOEQ0QP/1cnx/DabYhFzqI4fzPdME/M
yH1AP4Z4rCofk/Rx/4xxDXbAPEE2QeqsLI8UMcMZwbk7aHDn9CFRFSvONoI+jeVS
UwARe6N1fb1bHMlosIg5OmQBUx4h9QcYeVEy5cVOGPNEv1MHDZC6T9UaIRnyqGIR
3jYm9FGLuQFXOgKng5CMFihFWE6a4lfgJjrdpfS99cIv8sp0VYdKbDJ2WL15LHUN
oCPsq9Kwa5tYfbCIwQ9x+FJXrIGZ7Esza0jnRoRZruP6dH0jCgH7v03W5oYXmULb
dIEIJLjwrUdKtbJREZVDM0AKUsOso/kCPVYE3u2WyY8Lw1MTHK+rKGOj8dX0v0jG
PlMQn6JMAXCS2fo5bnvX/aCPjHY61aJLfHL0v1Iupz28/4OXCNNQzqpNPZ9LVbxz
HokqcPr9eNzMdIpI4v2UefKvew1aJdfy5HyY98ypiurIrlqNA9+bN855A//psPgw
TJx4p9PnOhZ9wRLml6DBFwqIr8r3WaxaTyx9w5xVMD1qIfmaUynPDKyMlZjqNlte
wrh9i0DlVozl+ARTZbpDj37OmcYcA55hng/upet7692GL+u5TPDGBod2jv3iu03R
onvM03fuWKDCAo0rQgcPPgRqqfcNUv1aK7wpoXhogygzwPrjXd/l20A0rOA2xeDA
obTzTUa266Kv5WjW8hRx
=XH+o
-----END PGP SIGNATURE-----

Alex

unread,
Oct 4, 2013, 9:01:45 AM10/4/13
to qubes...@googlegroups.com, Abel Luck, Joanna Rutkowska

<snip>

This has now been fixed:
- Key generation is done in the vault.
- A "lesser" keyring is generated in the vault and then exported to networked AppVMs.
- At no point does the certification key leave the vault.
- No untrusted input is processed by the vault.
- The vault is not networked.

I've updated the documentation in https://qubes-os.org/trac/wiki/UserDoc/OpenPGP to reflect that.

Please read/debug the writeup at https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/ :-)

One minor bug is that key IDs are not consistent throughout the writeup because I did this with two sets of keys, but I doubt anyone will notice - may do some sed'ing to fix it next time I have some time to work on this.

Alex
Reply all
Reply to author
Forward
0 new messages