From b84107ce7977bd3bab441924eebc797a24d4b123 Mon Sep 17 00:00:00 2001 From: Fidel Ramos Date: Tue, 16 Oct 2018 19:01:41 +0000 Subject: [PATCH] Document Split GPG error Split GPG doesn't work when the private key is protected by a passphrase in the GPG backend. It took me a couple hours to find the problem and how to fix it, first because the ioctl error is not common and then because of the pinentry-ncurses limitation. I'm hoping that future users that search for "qubes gpg ioctl error" will find this information. --- security/split-gpg.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security/split-gpg.md b/security/split-gpg.md index 9a2bd6d5..def1210b 100644 --- a/security/split-gpg.md +++ b/security/split-gpg.md @@ -74,6 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain could start a Disposable VM and have the to-be-signed document displayed there? To Be Determined. +- The Split GPG client will fail to sign or encrypt if the private key in the +GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl +for device"* error. Avoid setting passphrases for the private keys in the GPG +backend domain, it won't provide extra security anyway, if an attacker gains +access to it they will likely be able to get the passphrase too. If you have a +private key that already has a passphrase set use `gpg2 --edit-key `, +then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty +passphrases, so you would need to install `pinentry-gtk`. ## Configuring Split GPG ##
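Review bot: the command in the new bullet is incomplete: `gpg2 --edit-key ` ends with a trailing space where the key identifier argument should be, so a reader copying it will get a prompt for a missing argument; write it as `gpg2 --edit-key <KEY-ID>` (or whatever placeholder this page's other examples use) so the step is reproducible. Two grammar fixes in the same bullet: "a *"Inappropriate ioctl for device"* error" should be "an ... error", and the sentence "Avoid setting passphrases for the private keys in the GPG backend domain, it won't provide extra security anyway, if an attacker gains access to it they will likely be able to get the passphrase too." is a chain of comma splices; split it into separate sentences, and state what the "no extra security" claim is scoped to (an attacker who already controls the backend domain), since that is the threat the surrounding text is about. Finally, the continuation lines of the bullet are not indented under the "- " marker; check how the existing list items above this hunk are wrapped and match them so the rendered list stays consistent.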