Splitting encryption/signing between two gpg processes?

Joanna Rutkowska joanna at invisiblethingslab.com
Wed Feb 22 17:18:56 CET 2012


In our Qubes OS (www.qubes-os.org) we have implemented a little proxy
for gpg that allows apps running in one VM to transparently use gpg in
another VM.

So, I can setup Thundrbird/Enigmail, which runs in my 'work' domain, to
use this gpg proxy, which would automatically talk to the gpg server
running in my 'keys' domain, where my private key(s) are kept (the
communication is done over Xen-based shared channel, but could be easily
modified to work over network as well, so it's nothing Xen/Qubes
specific in principle).

This is obviously to prevent the attacker, who might have compromised my
'work' domain, e.g. by exploiting a hypothetical flaw in my Thunderbird,
from stealing my private keys. This is equivalent to using a smart card
for storing the keys (assuming VM escapes on Qubes are hard(TM)).
Additionally, however, because the gpg server (which essentially is a
wrapper around /usr/bin/gpg) running in the 'keys' VM can be configured
to prompt the user for permission to use the key each time (or every N
seconds), this setup goes a step further than a smartcard, as it also
attempts to prevent the attacker from selectively decryption/signing
(too many) messages.

Unfortunately the above setup has the following drawback -- in order to
encrypt messages to other people, and/or to verify other people's
signatures, one would need to import all those people's keys into the
'keys' domain. This is something we would like to avoid, as it
represents some non negligible attack surface on the gpg process running
there (processing untrusted input, resolving trust relations, etc). So,
ideally, we would like to keep all the public keys in the client VMs
(where our gpg proxy runs), and to use a local gpg to
encrypt-to-others/verify-signature-from-others, and only use the gpg in
the 'keys' domain to perform decryption/signing which requires the use
of user's private keys.

Do you have any suggestions how to best split such operations? So, e.g.
how to best split the following operation:

gpg -se -r Bob1 -r Bob2 -r Bob3 msg.txt

so that gpg -e executed in one gpg process, while the gpg -s in the
other one, and then how to combine the resulting outputs?  And similarly
for decryption/verification of signature?


ps. Here's the Qubes Split GPG code:


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120222/44c8ecdd/attachment.pgp>

More information about the Gnupg-devel mailing list