Using Evolution with Qubes Split GPG
2022 July 16
I started using GNOME Evolution yesterday. Today, I wanted to figure out how to properly set up OpenPGP encryption with Evolution.
Normally, Evolution uses the user's GPG keyring. That would work, but Qubes OS has its own system called Split GPG which lets you store your keys in (offline) trusted VMs while also making them usable from less-trusted VMs. I wanted to do that.
1. Install Split GPG
You'll need the qubes-gpg-split-dom0 package installed in dom0 and the qubes-gpg-split package in the template(s) used for your AppVMs.
[user@dom0 ~]$ sudo qubes-dom0-update qubes-gpg-split-dom0
In Debian/Whonix TemplateVM:
user@debian-11-minimal:~$ sudo apt install qubes-gpg-split
In Fedora TemplateVM:
[user@fedora-35-minimal ~]$ sudo dnf install qubes-gpg-split
Power off your TemplateVM(s) and the VM where you run Evolution.
2. Set up the GPG domain
Create a new Qubes VM. Set Networking to (none) so it doesn't have access to the internet. (This is a security measure. Keeping your keys offline makes them much harder to exfiltrate.)
I named this VM school-gpg and will refer to it that way for the rest of the post. The VM where I'm using Evolution is called school.
By default, when you allow school to use school-gpg's keyring, it will have access for 5 minutes. You can change this value with the
QUBES_GPG_AUTOACCEPT environment variable. For example,
[user@school-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=60" >> ~/.profile
will reduce this to 1 minute. Set this as you wish.
(Setting it in your ~/.profile will only take effect after you log back in. You can
source ~/.profile or just run the command itself to apply it now.)
Create your keys
I used the
--expert options below because I wanted to manually specify elliptic curve cryptography, rather than RSA. At the time of writing, just using
gpg --generate-key in Fedora 35 yielded the same result (ECC Curve25519). Debian 11 defaulted to RSA-3072 if I didn't specify.
In school-gpg, create your OpenPGP keys:
[usser@school-gpg ~]$ gpg --full-gen-key --expert
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key (14) Existing key from card Your selection? 9 Please select which elliptic curve you want: (1) Curve 25519 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire
= key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 1y Key expires at Sun Jul 16 00:00:00 2023 UTC Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: My Name Email address: email@example.com Comment: You selected this USER-ID: "My Name <firstname.lastname@example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
At this point in the process, GPG will ask you to create a password to protect your keys. Do not password-protect your keys, as it will prevent Split GPG from working. Instead, leave the password field empty.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 6BA826669A2B43E2 marked as ultimately trusted gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/F92D0B F25FB29EF405C5FAA46BA826669A2B43E2.rev' public and secret key created and signed. pub ed25519 2022-07-16 [SC] [expires: 2023-07-16] F92D0BF25FB29EF405C5FAA46BA826669A2B43E2 uid My Name <email@example.com> sub cv25519 2022-07-16 [E] [expires: 2023-07-16]
3. Set up easy access
In school, set the
QUBES_GPG_DOMAIN environment variable to specify that it should use school-gpg:
[user@school ~]$ echo "school-gpg" | sudo tee /rw/config/gpg-split-domain
In dom0, you can set the qrexec policy to allow access from school to school-gpg by default. (Note: This will still require a prompt to the user, but it removes the need for the user to type in the domain every time. See Advanced Configuration for security considerations.)
If you want to do this, in dom0, add this line to the top of /etc/qubes-rpc/policy/qubes.Gpg:
school school-gpg allow
4. Set Evolution to use Split GPG
Evolution supports using GPG. However, we don't want it to use
gpg (on the same system); we want it to use
qubes-gpg-client-wrapper, which will forward the request to school-gpg. We can accomplish this with the following command:
gsettings set org.gnome.evolution-data-server camel-gpg-binary '/usr/bin/qubes-gpg-client-wrapper'
(See this issue where someone described setting this.)
This setting should only need to be set once.
5. Using OpenPGP with Evolution
See the GNOME help page or the Fedora one.
In Evolution (in school), click Edit → Preferences. Under Mail Accounts, select your mail account and click Edit (on the right).
This should bring up the Account Editor. Select Security and enter your OpenPGP Key ID.
Now, you should be able to use that key with that account. When you receive an email encrypted for you and signed with a key you've imported (see below), it should look like this:
When you compose an email, you can select encryption options in the Options menu:
If you're sending an encrypted email from Outlook, Microsoft may corrupt the message. I was able to easily recover in this circumstance using Thunderbird, but it could be an issue in some circumstances.
Importing public keys
Obviously, you'll need to import people's public keys in order to encrypt messages for them. With this setup, we'll be importing them from school to the GPG keyring on school-gpg. We can use the
qubes-gpg-import-key command for that:
[user@school ~]$ qubes-gpg-import-key <path to public key>