Commit 2b90d678 authored by Clark's avatar Clark

Adding split GPG detail, first test on bc-dev

parent 3a8b97b6
......@@ -245,7 +245,6 @@ enum "fed30-dvm" as fedora_dvm {
class "public-social" as public_social {
{static} TemplateVM <deb10-social>
{static} NetVM <sys-whonix>
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} #Zoom
{method} #Discord
{method} #Element
......@@ -353,6 +352,7 @@ abstract "deb10-email" as debian_email {
}
abstract "deb10-social" as debian_social {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} #Zoom
{method} #Slack
{method} #Element
......@@ -434,7 +434,7 @@ fedora <.. fedora_gpg_vault
ubuntu <.. ubuntu_ws
#+end_src
#+RESULTS[c2567d1ef280c0f150b6e389f16da7f334cf0aa0]:
#+RESULTS[c7a677c5bcfff23f003eb68e924d1e5c1af5fd10]:
[[file:img/Qubes-VM-architecture.svg]]
* TODO Custom VMs
......@@ -557,10 +557,10 @@ Type=Application
EOT'
#+END_SRC
On =dom0=, add a policy for the ssh agent.
On =dom0=, update =/etc/qubes-rpc/policy/qubes.SshAgent= file so that it contains only the following.
#+BEGIN_SRC sh
echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" > /etc/qubes-rpc/policy/qubes.SshAgent
bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault
#+END_SRC
Now from =bytecache-dev=, perform the following steps.
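Review bot: the replacement turns the only copy-pasteable dom0 step into prose ("update the file so that it contains only the following"), while the rest of the page gives each step as a command block; consider keeping a one-liner alongside the policy line, e.g. `sudo sh -c 'echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" > /etc/qubes-rpc/policy/qubes.SshAgent'`, which also fixes the removed version's unprivileged redirect into a root-owned file.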
......@@ -610,9 +610,62 @@ sudo dnf install qubes-gpg-split
Create a new AppVM, =bytecache-gpg-vault= from the =fed30-gpg-vault= template to store the private keys, then create them.
#+BEGIN_SRC sh
...
gpg --full-generate-key
#+END_SRC
List the keys using =gpg -K=.
I'll use this key for 2 purposes: signing git commits (e.g., from =bytecache-dev=), and signing/verifying email (e.g., from =bytecache-email=).
** GPG for git
From the key /user/, in this instance =bytecache-dev=, create the =.gitconfig= file below to apply to all repos. Replace the user content as needed, where /signingkey/ is the pubkey ID.
#+BEGIN_SRC sh
bash -c 'cat <<EOT >> ~/.gitconfig
[user]
name = Clark
email = clark@bytecache.io
signingkey = 22CC7B5065698784F109C58F958C0DD1FCC7CFB2
[gpg]
program = qubes-gpg-client-wrapper
[commit]
gpgsign = true
EOT' && \
sudo bash -c 'cat <<EOT >> /rw/config/gpg-split-domain
bytecache-gpg-vault
EOT' && \
bash -c 'cat <<EOT >> ~/.bashrc
# For split GPG
QUBES_GPG_DOMAIN="bytecache-gpg-vault"
QUBES_GPG_AUTOACCEPT=2880
EOT'
#+END_SRC
On =dom0=, update =/etc/qubes-rpc/policy/qubes.Gpg= file so that it contains only the following.
#+BEGIN_SRC sh
bytecache-dev bytecache-gpg-vault ask,default_target=bytecache-gpg-vault
#+END_SRC
Restart =bytecache-gpg-vault= and =bytecache-dev=.
After restarting, test the split GPG vault by exporting the public key, which can then be provided to Gitlab (or Github), replacing the pub-key ID below with your own.
#+BEGIN_SRC sh
qubes-gpg-client --armor --export 22CC7B5065698784F109C58F958C0DD1FCC7CFB2
#+END_SRC
** TODO GPG for Thunderbird
* TODO Install software
** TODO Wazuh Agent - Endpoint Security
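Review bot: the two `QUBES_GPG_*` lines appended to `~/.bashrc` are plain shell assignments, not exported, so they never reach child processes; the `qubes-gpg-client --armor --export ...` test at the end of the hunk reads `QUBES_GPG_DOMAIN` from the environment and will not find it. Use `export QUBES_GPG_DOMAIN="bytecache-gpg-vault"` (git commits are unaffected because `qubes-gpg-client-wrapper` takes the domain from `/rw/config/gpg-split-domain`). Two smaller points: `QUBES_GPG_AUTOACCEPT` is honoured by the backend in the vault qube, not by the client, so setting it in `bytecache-dev` has no effect; and the new `qubes.Gpg` policy lists only `bytecache-dev`, while the text says the key will also be used from `bytecache-email`, which will need its own policy line when the Thunderbird section is filled in. The `>>` into `/rw/config/gpg-split-domain` also appends a duplicate domain line on every re-run; `>` is the safer choice for a single-line file.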