MINI.V2 and QUBES - Walkthrough #2 - GPG, SPLIT-GPG

Since security is a big reason for using Qubes you may want to implement this method.
(Comments and suggestions are greatly desired. I’m new to implementing this.)

IMPLEMENTING SPLIT-GPG
Read thru this: https://www.qubes-os.org/doc/split-gpg/
Also read Chapter 8 of https://www.gnupg.org/faq
And sections of the older “GNU Privacy Handbook”: https://www.gnupg.org/gph/en/manual.html

CREATE backend “gpg” vm and configure it.
Open the Qube Manager, right click on the vault qube and clone it. Name it gpg .
I will keep passwords and secure docs in the vault vm and my gpg keys in the gpg vm.
Make sure the qubes-gpg-split-dom0 package is installed.
Open a dom0 command line (the Terminal Emulator) and query packages with the following:
$ rpm -qa qubes-gpg-split-dom0*
If the package is installed it will show as the result (with version info included in the name). Now close the Terminal Emulator.
Open a terminal in the new gpg vm and test for a similar package there, but leave out the “dom0”:
$ rpm -qa qubes-gpg-split*

CREATE your public and private Master Key
$ gpg --full-gen-key

choose 1 for RSA/RSA
set key size to 4096
set expiration to 0 (never expires, can set expiration on sub keys later)
enter real name , email address, and comment (if you choose).
Type o for OK to accept. Then wiggle the mouse and hit some keys to make the key generated more random.
Your Master Key is created.
Test it by displaying it:
$ gpg -k
You should see the keys in your keyring.

CREATE your revocation certificate
Still in the gpg qube:
$gpg --armor --output revoke.asc --gen-revoke [your key id]
Copy revoke.asc to a secure place (print, usb, and put in safe) then delete it from the vm.

SELF-SIGN your public key
$gpg --edit-key [name or email associated with key]
The prompt will change to: gpg>
gpg> sign
It may already be signed, but if not say yes since it is your own key.

SET TRUST level for your own key
$gpg --edit-key [name or email associated with key]
The prompt will change to: gpg>
gpg> trust
Enter 5 for ultimate trust since it is your own key.
Read up on trust, levels, and the web of trust in the “GNU Privacy Handbook” linked above.

BACKUP your keys (master, private, revoke)
Very important to read “Protecting your private key” in the “GNU Privacy Handbook”.
One way is to back up the whole ~/.gnupg folder to a usb and secure it in a safe.
If you do that, make sure to copy the revocation certificate produced above also.
Another way is to export them to ascii files and secure them as above.
$gpg --armor --output MYprivkey.sec --export-secret-key [name or email associated with key]
Note the file ends in .sec (I guess to denote secret, but it’s still human readable.)
$gpg --armor --output MYpublickey.asc --export [name or email associated with key]
Note file ends in .asc (for ascii)
And if you use subkeys for some reason:
$gpg --armor --output MYsubkey.sec --export-secret-subkeys [name or email associated with key]
Once you have backed up the keys and your revocation certificate, make sure to delete them all from your harddrive. It is not safe to leave them in readable format anywhere.

CREATE gpg.conf file
This is not required.
Create a file called gpg.conf and put it in the /.gnupg folder of the gpg vm.
I found something like the following online:
NOTE: the forum editor automatically formats based on hashtags. So I had to put in single parenthesis first to show the hashtags, (which denote comments of course).

'# - - - - - - Take out the single parenthesis if you copy and paste - - - - -
'# Use full 16-char key IDs, not short 8-char IDs.
keyid-format long

'# Use global keyserver network for certificate lookups.
'# (There’s a North America server and a TOR server also).
'# And whenever I send or receive something to/from the keyserver network, clean up what I get/send.
keyserver pool.sks-keyservers.net
keyserver-options import-clean-sigs import-clean-uids export-clean-sigs export-clean-uids

'# If I don’t specifically state which certificate to use, use this one.
'# default-key ################

'# Always include signatures from from these two certificates.
'# local-user ################

'# Always add these two certificates to my recipients list.
'# encrypt-to ################

'# Turn “From” into “> From” in order to play nice with UNIX mailboxes.
escape-from-lines

'# Prefer strong hashes when possible.
personal-digest-preferences SHA256 SHA384 SHA512
'# Note, I had to remove these hashes because failed: RIPMED320 RIPMED160

'# Prefer more modern ciphers over older ones.
personal-cipher-preferences CAMELLIA256 AES256 TWOFISH CAMELLIA192 AES192 CAMELLIA128 BLOWFISH CAST5 3DES

'# Turn up compression level and prefer BZIP2 over ZIP and ZLIB (default=6,highest=9).
bzip2-compress-level 8
compress-level 8
personal-compress-preferences BZIP2 ZIP ZLIB
'# - - - - - - - - - -
CONFIGURE FRONTEND to use split-gpg’s backend vm
Assuming we use the personal qube for email, open a terminal in the personal vm:
$ export QUBES_GPG_DOMAIN=gpg
Test this as the link above shows:
$ gpg - k
It will show an empty keyring, created but no keys. (you can delete that local .gnupg folder if you want)
Now enter:
$ qubes-gpg-client - k
You will be prompted for your back end gpg vm. Enter gpg and it will show you the Master Key you just made.
You may want to add an alias for that command to any vm’s that will use gpg. Something like “qgpg” or “gpgb” (b for backend).
Now we have to make this usability persist after reboot.
$ sudo bash
# echo “gpg” > /rw/config/gpg-split-domain
# exit
You will need to do this for each vm using gpg.
Cloning a qube does retain this. But be careful to be aware of all the functions you are cloning to a new vm.

USING GPG
You will want to distribute your public key to associates.
My review list includes reading “Distributing keys” at the end of Ch.3 in the “GNU Privacy Handbook”. (keyservers)
Also read Ch.4 “Daily use of GnuPG”

IMPORT OTHER KEYS
Read here: https://www.qubes-os.org/security/verifying-signatures/
In future you may need to verify Qubes downloads and releases. You may already have the qubes-master-signing-key (secured) from when you verified your Qubes ISO download.
Verify it again and import it into your keyring.
And set the trust level to 5 (since you have verified it).
$ gpg –edit-key [enter key here] (this will change your prompt)
> fpr (to visually verify the fingerprint one more time)
> trust
enter 5 (for ultimate trust, only since you have truly verified it)
> quit

Ok, that’s as far as I’ve got.
Next up would be to configure Thunderbird and other apps detailed here:

2 Likes