Commit 2b90d678 authored by Clark

Adding split GPG detail, first test on bc-dev

parent 3a8b97b6
......@@ -245,7 +245,6 @@ enum "fed30-dvm" as fedora_dvm {
class "public-social" as public_social {
{static} TemplateVM <deb10-social>
{static} NetVM <sys-whonix>
{method} +[[ Emacs]]
{method} #Zoom
{method} #Discord
{method} #Element
......@@ -353,6 +352,7 @@ abstract "deb10-email" as debian_email {
abstract "deb10-social" as debian_social {
{method} +[[ Emacs]]
{method} #Zoom
{method} #Slack
{method} #Element
......@@ -434,7 +434,7 @@ fedora <.. fedora_gpg_vault
ubuntu <.. ubuntu_ws
* TODO Custom VMs
......@@ -557,10 +557,10 @@ Type=Application
On =dom0=, add a policy for the ssh agent.
On =dom0=, update =/etc/qubes-rpc/policy/qubes.SshAgent= file so that it contains only the following.
echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" > /etc/qubes-rpc/policy/qubes.SshAgent
bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault
Now from =bytecache-dev=, perform the following steps.
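Review bot: the redirect in `echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" > /etc/qubes-rpc/policy/qubes.SshAgent` is performed by the invoking shell, not by a privileged process, so in dom0 it fails with permission denied unless the shell is already root; write it as `echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" | sudo tee /etc/qubes-rpc/policy/qubes.SshAgent` or run it from a root shell. The two introductory sentences ("add a policy for the ssh agent" and "update ... so that it contains only the following") say the same thing; keep the second, since it documents that the file is overwritten rather than appended to, and that every other source VM is therefore left without a matching rule and is denied.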
......@@ -610,9 +610,62 @@ sudo dnf install qubes-gpg-split
Create a new AppVM, =bytecache-gpg-vault= from the =fed30-gpg-vault= template to store the private keys, then create them.
gpg --full-generate-key
List the keys using =gpg -K=.
I'll use this key for 2 purposes: signing git commits (e.g., from =bytecache-dev=), and signing/verifying email (e.g., from =bytecache-email=).
** GPG for git
From the key /user/, in this instance =bytecache-dev=, create the =.gitconfig= file below to apply to all repos. Replace the user content as needed, where /signingkey/ is the pubkey ID.
bash -c 'cat <<EOT >> ~/.gitconfig
name = Clark
email =
signingkey = 22CC7B5065698784F109C58F958C0DD1FCC7CFB2
program = qubes-gpg-client-wrapper
gpgsign = true
EOT' && \
sudo bash -c 'cat <<EOT >> /rw/config/gpg-split-domain
EOT' && \
bash -c 'cat <<EOT >> ~/.bashrc
# For split GPG
On =dom0=, update =/etc/qubes-rpc/policy/qubes.Gpg= file so that it contains only the following.
bytecache-dev bytecache-gpg-vault ask,default_target=bytecache-gpg-vault
Restart =bytecache-gpg-vault= and =bytecache-dev=.
After restarting, test the split GPG vault by exporting the public key, which can then be provided to Gitlab (or Github), replacing the pub-key ID below with your own.
qubes-gpg-client --armor --export 22CC7B5065698784F109C58F958C0DD1FCC7CFB2
** TODO GPG for Thunderbird
* TODO Install software
** TODO Wazuh Agent - Endpoint Security
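Review bot: both heredocs in the bytecache-dev setup append with `>>`, so re-running the block duplicates the git settings in ~/.gitconfig and, worse, adds a second line to /rw/config/gpg-split-domain, the file qubes-gpg-client-wrapper reads to choose the vault; write the domain file with `echo bytecache-gpg-vault | sudo tee /rw/config/gpg-split-domain` and set the git side with `git config --global user.signingkey 22CC7B5065698784F109C58F958C0DD1FCC7CFB2`, `git config --global gpg.program qubes-gpg-client-wrapper` and `git config --global commit.gpgsign true` so the step is idempotent. The ~/.bashrc addition stops after the `# For split GPG` comment, yet the final check calls `qubes-gpg-client --armor --export ...` directly, which needs QUBES_GPG_DOMAIN in the environment; either complete the export of that variable or run the check through `qubes-gpg-client-wrapper`, which takes the domain from /rw/config/gpg-split-domain. Exporting the public key only proves the RPC policy and key lookup work; to exercise the signing path (and the `ask` prompt from the qubes.Gpg policy) add `git commit --allow-empty -S -m "split gpg test"` followed by `git log --show-signature -1`.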