Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-23 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-22 19:51, 'Gaea' via qubes-users wrote:
> Thanks Monsieur Ouellet.
> 
> I thought that there was a smaller version of Qubes that may be easier
> for me. I am totally new to all this. Been with WINDOWS, but want
> something more resistant to hacking & invasion of my privacy.
> 
> I managed to install Qubes 3.2. Now my google voice mail that records
> MP3 like voicemail.mp3 wont play. In windows all I have to do is click
> on (Play)
> 

It sounds like you just need a media player. I recommend VLC, which you
can download after enabling the RPMFusion repo. Instructions are here:

https://www.qubes-os.org/doc/software-update-vm/#rpmfusion-for-a-fedora-templatevm

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYXOJvAAoJENtN07w5UDAw9zQQAM3oNGIBxopAeqfRPdAgNY5t
r+TZGTDjaadKPT4i6xqe28Uym8Yx2spD5flCxKcBCV5opXXPqDliBbH6Zl38R9o4
IYDh6ZTSQ/cVh7Qzkp0k95xct7QS9Y4VWQI7PUt3zCnpK8IRVvAWdc4eMHIV6nju
oX/l06peMUc2p2itbpymfT2Fb3OUMgkzjW2+i9ML9/BdGFaiPKTexcywS1kKRGj/
C1GXARfdbZk6lOpsWvItp9FOvLRy8Y66DJFkC81AsFE0nVUYi/426NqydbkoXlwy
tCP2EZwWrgS7eUMro8EQ4rKyLGUHJwXNSfXOetH97tTkH8wc+e0QFOTEjze64G+N
t9EYDZHl0FQV3BaVQzxOncoYbme31QmqX2DnsQk8Mdv1JUdOoZvlOVHQuSEkxdij
9CqRvaIC26V9yIm/mWaZvRTm94ycz9neKFj/VGx7qo8zYcidgKRoosES2kBfvSRM
5XgBXlzojZr6/dJhlu4uAAyJWxkAbGjFA0iNPQsjZha2IaxuH3TbFb0vQM1+X/jL
08eTXuW9cPXefKBOBE4YP6ORJOXZMhfhMPUvLiqYhMG97juY29K24dD66jCJ/fmJ
/mHc358K+R0wyyRaKmk0qJfO5zeJtHncPClyltai72zRqhVSPagBhSY9g5t/Hji6
bsD4aLX3dFTtB6QmBrzM
=VoUC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a3bd9b9b-5c56-6751-9c6e-eeb49c154635%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-22 Thread 'Gaea' via qubes-users
Thanks Monsieur Ouellet.

I thought that there was a smaller version of Qubes that may be easier
for me. I am totally new to all this. Been with WINDOWS, but want
something more resistant to hacking & invasion of my privacy.

I managed to install Qubes 3.2. Now my google voice mail that records
MP3 like voicemail.mp3 wont play. In windows all I have to do is click
on (Play)

My laptop meets vt-d, vt-x, tpm, txt. It is UEFI, Legacy, UEFI-CSM
capable. Windows and Ubuntu which I tried both run in UEFI. But Qubes
refuses to Boot under UEFI. Tried all suggestions from forums.

I bought another hard drive to install Qubes in Legacy mode. I have to
swap Windows/Ubuntu HD & change BIOS to legacy, put in Qubes HD to fire
up QUBES. I am writing this in Qubes. Painful, but I really want to
leave WINDOWS behind. I don't see the point of running WINDOWS as a
QUBES VM.

Bye

Jean-Philippe Ouellet:
> On Wed, Dec 21, 2016 at 4:20 AM, 'Gaea' via qubes-users
>  wrote:
>>  Please what are the differences between:
>>
>> Minimal:
> 
> fedora-24-minimal + text editor, openssh, git, zsh, etc.
> 
>> Extremely Minimal
> 
> fedora-24-minimal + a text editor -- nothing else
> 
>> Full ?? VMs
> 
> All the crap. Browser, photo editor, media player, all the giant
> pieces of software that pull in half the world as dependencies.
> 
> 
> I have various others in between, such as one with only a browser (for
> online banking and such).
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/50e5b492-31c8-5402-da72-56cbdcc38cf3%40lelantos.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-21 Thread Jean-Philippe Ouellet
On Wed, Dec 21, 2016 at 1:11 PM, Jean-Philippe Ouellet  wrote:
> I have various others in between, such as one with only a browser (for
> online banking and such).

I should clarify, this is a template with only a browser, and an
individual VM used for only online banking. The "and such" each have
their own respective VMs derived from the browser-only template.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_D-ynUTMRH42G0vE3%2Bq6Fj6VRr8nF4bgywH8aKf8k_%2BTg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-21 Thread Jean-Philippe Ouellet
On Wed, Dec 21, 2016 at 4:20 AM, 'Gaea' via qubes-users
 wrote:
>  Please what are the differences between:
>
> Minimal:

fedora-24-minimal + text editor, openssh, git, zsh, etc.

> Extremely Minimal

fedora-24-minimal + a text editor -- nothing else

> Full ?? VMs

All the crap. Browser, photo editor, media player, all the giant
pieces of software that pull in half the world as dependencies.


I have various others in between, such as one with only a browser (for
online banking and such).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_AUjufxnkhR8QrY4sELd63e7qG7PhZejpOzMyYTLygBLw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-21 Thread 'Gaea' via qubes-users
 Please what are the differences between:

Minimal:
Extremely Minimal
Full ?? VMs

Jean-Philippe Ouellet:
> On Tue, Dec 20, 2016 at 3:08 PM, 5n7xyb+qphld0j5ytif4l via qubes-users
>  wrote:
>> I also don't want to remove the password from my private key since I used it 
>> in different devices and I don't want to use a different template as I have 
>> many things installed on my debian 8 template.
> 
> Using a separate (minimal) template may be a good idea regardless
> simply to reduce the number of things which must be trusted to not be
> actively malicious in order to maintain the confidentiality of your
> pgp key.
> 
> I have several templates ranging from "extremely minimal" to "kitchen
> sink" for exactly this reason, and would recommend the practice for
> its own merit regardless of split-gpg / enigmail / whatever.
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa646755-fc48-5cda-74f2-ce8c3f5f6140%40lelantos.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-20 Thread Jean-Philippe Ouellet
On Tue, Dec 20, 2016 at 3:08 PM, 5n7xyb+qphld0j5ytif4l via qubes-users
 wrote:
> I also don't want to remove the password from my private key since I used it 
> in different devices and I don't want to use a different template as I have 
> many things installed on my debian 8 template.

Using a separate (minimal) template may be a good idea regardless
simply to reduce the number of things which must be trusted to not be
actively malicious in order to maintain the confidentiality of your
pgp key.

I have several templates ranging from "extremely minimal" to "kitchen
sink" for exactly this reason, and would recommend the practice for
its own merit regardless of split-gpg / enigmail / whatever.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_Du8jtkJuVExTxfMrk5nNibXSbQhez2V%3DS8u%2BaPtdbncg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-16 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-16 10:42, cubit wrote:
> 
> 16. Dec 2016 18:38 by marma...@invisiblethingslab.com:
> 
>>> + Changing my vault VM to fedora24
>>> 
>>> - It remembers the keys password but does not honor the
>>> timeout settings, it always reprompts at 5 minutes despite
>>> "export QUBES_GPG_AUTOACCEPT=86400" being in .bash_profile
>> 
>> Hmm, it works for me...
>> 
>>> - Removing the password from my subkeys and it still prompts 
>>> for a password and only works with the password I removed, not 
>>> blank.  interacting with gpg on command line shows that the 
>>> password does not exist all signing / decryption is automatic
>>> 
>>> Any reasons for the above behavior?
>> 
>> Make sure you use gpg2, not gpg.
> 
> 
> Both are installed in the Fedora 24 template but if I understand 
> correctly, the qubes gpg wrapper now defaults to gpg2.
> 

Yes, but they use different keyrings, so if you update your key in one
keyring (by removing the passphrase from it), it will not necessarily
be updated in the other one.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYVMgCAAoJENtN07w5UDAwRAMP/0xbqps+qY2eY/L1l+OM4/uI
ENdwGGTbqu24EAKATkxQJ6byMaMCUG06ziqZoKYS12+msCM3SlE2O6uv/Pezlb4D
ilso4iJyrgJDHKg83E2ciVdquZ3MBevAPHGcynpTV6ni6f9g+4mN2Py+QRFn7uPl
f9HefYl8EZOq1xJMqI0xWtNOl2Ekee1ueCxa7SAfA/zqG7AnRoEnpYMdnCqNN8TU
Xy66xr5vk+g2ZZ26qTbKvns0XCo1KMXCOOJLWTLHd/IcAUWp1o5zKqttWcMDCDfm
Ttb61Y1QROuyLyFnFtCF+jCYhk7dvQmvw9DkAN1N9xDztchjyQsKVQpqVcnsGsVm
oPRTnL3jF0S2j5GL0v9wc+Ab6mKhcChIZOdrQHctDhLigbBxBRgMPmu4BEGOM4Yb
ClMzseZ+efj2plHMQPIj3prLGweUqTmImrUxJVmHzvlQqGgF5umU5HkjSf5Zo5iZ
vkf4xNS1s3JsK+KxW65tHNBUM67PNvcdnYskiRPf57dD+8trJusH1Ho+GSoiehsB
sNhHeps043Ir5G/Pjz+neft6Jw7fd6kffU00UJY2kzDCVmD05whpT5cyZh9WOrm4
ffX4mGlAI71/IdUR2UIjvcUeOg4QvMfRTAC2MRyPOzOiy0j8K8PuuyyyKApKNrTG
G7FHS7oUkEIEEbqcvUAi
=FwXO
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1be007e3-d80b-9ee2-ce18-41cb25ac58b2%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-16 Thread cubit

16. Dec 2016 18:38 by marma...@invisiblethingslab.com:

>> + Changing my vault VM to fedora24
>>
>>    - It remembers the keys password but does not honor the timeout settings, 
>> it always reprompts at 5 minutes despite "export QUBES_GPG_AUTOACCEPT=86400" 
>> being in .bash_profile 
>
> Hmm, it works for me...
>
>>    - Removing the password from my subkeys and it still prompts for a 
>> password and only works with the password I removed, not blank.  interacting 
>> with gpg on command line shows that the password does not exist all signing 
>> / decryption is automatic
>>
>> Any reasons for the above behavior?
>
> Make sure you use gpg2, not gpg.


Both are installed in the Fedora 24 template but if I understand correctly, the 
qubes gpg wrapper now defaults to gpg2.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/KZ7wJFT--3-0%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-16 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Dec 16, 2016 at 07:23:18PM +0100, cubit wrote:
> 16. Dec 2016 05:58 by a...@qubes-os.org:
> 
> > I recommend disabling your key's passphrase (i.e., using a blank
> > passphrase).
> >
> 
> 
> 
> 
> Some frustrating experiments later
> 
> 
> 
> 
> + Changing my vault VM to fedora24
> 
>    - It remembers the keys password but does not honor the timeout settings, 
> it always reprompts at 5 minutes despite "export QUBES_GPG_AUTOACCEPT=86400" 
> being in .bash_profile 

Hmm, it works for me...

>    - Removing the password from my subkeys and it still prompts for a 
> password and only works with the password I removed, not blank.  interacting 
> with gpg on command line shows that the password does not exist all signing / 
> decryption is automatic
> 
> Any reasons for the above behavior?

Make sure you use gpg2, not gpg.

> + then changing vault VM back to debian 8
> 
>   - password removed and I can now read email and attachments without being 
> bothered when looking at each and every email.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYVDSmAAoJENuP0xzK19csLZ0H/3OYBirvjfy0B1iCQsEm+tnB
CX5uS10JBZK/yx2TW1CtIKgkrML0/uDdy01YdJK1JThDegYVsovS6pfS8GqBb6ZZ
H3lWRe2Jb2Av2cK7O89JXBbrZm2H7zjEHg/8ugz/pgmNCe85yz89Q1sE0ZIQNMxX
zG2d2nRqb5Z6cuF2fFQU9Qvv2n8C22pEn3+owpZZOPUkOk20Cd9C7uKtLP0EmWMt
fBsCUsAmxr7FsE9F5ip8ILWnhcU6xxcgDwJxSS2pTmMJ4molWL1yn7z26y4twM3X
Svhm+6uzp7QICgVcZHYy4wtkSoGsqjGuMVWM7rrqKDdh3iVbHiIPOTeImkwy/yI=
=U0hX
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161216183831.GE1239%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-16 Thread cubit
16. Dec 2016 12:22 by a...@qubes-os.org:

> You're also ignoring the part that I quoted for you previously. Here
> it is again:
>
> "You may experience trouble when attempting to use a PGP key with a
> passphrase along with Split-GPG and Enigmail. If you do, you may need
> to remove the passphrase from your (sub)key(s) in order to get
> Split-GPG working correctly. As mentioned above, we do not believe PGP
> key passphrases to be significant from a security perspective."
>
> What this means for you:
>
> You're experiencing trouble when attempting to use a PGP key with a
> passphrase along with Split-GPG and Enigmail, so you may need to
> remove the passphrase from your (sub)key(s) in order to get Split-GPG
> working correctly.
>







I do not want to come across rude but that's not how I see it.   I was using 
passphrase fine over several releases and it just stop working for a reason I 
have yet to find out why.




Removing the password is not a fix it is a kludge or work around.   A fix is 
getting it back to its previous working state with password use intact.





If passphrase use is so seeming temperamental that you have to offer this 
kludge, it should be said do not use!







 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/KZ6dwVL--3-0%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-16 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-16 03:27, cubit wrote:
> 16. Dec 2016 05:58 by a...@qubes-os.org:
> 
>> I recommend disabling your key's passphrase (i.e., using a blank 
>> passphrase).
> 
> 
> 
> This is disappointing to hear.Removing the password sounds like
> a kludge than a fix to something that had been working okay.
> 
> 
> 
> 
> 
> I understand the model does not technically need a password but it
> is something I want (rightly or rongly) and it was working okay
> since R3.0 which to me indicates that it can work and just
> something broke.
> 
> 
> 
> 
>> The reasoning can be found throughout the document (search for 
>> "passphrase").
>> 
> 
> 
> 
> 
> I do and see that it is optional which should mean it works. From
> the page you say:
> 
> 
> 
> 
> 
>>> "Therefore,using a passphrase at all should be considered
>>> optional."
> 
> 
> 
> 
> If it is not supposed to work  or is not supported it should be
> said  "do not use passphrase with key" instead of saying "is
> optional" as this lead people to understand that while not needed
> it works.
> 
> 
> 

You're taking that passage out of context. If you read it in context,
it's clear that "optional" means optional from a *security* standpoint.

You're also ignoring the part that I quoted for you previously. Here
it is again:

"You may experience trouble when attempting to use a PGP key with a
passphrase along with Split-GPG and Enigmail. If you do, you may need
to remove the passphrase from your (sub)key(s) in order to get
Split-GPG working correctly. As mentioned above, we do not believe PGP
key passphrases to be significant from a security perspective."

What this means for you:

You're experiencing trouble when attempting to use a PGP key with a
passphrase along with Split-GPG and Enigmail, so you may need to
remove the passphrase from your (sub)key(s) in order to get Split-GPG
working correctly.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYU9yRAAoJENtN07w5UDAwNpUQALklVgty82Xp468B+ncoL/xO
eC8cmtPzy8bdXT8Q7DvhnyGbYHgx8tSfV5UoqkuVE8k8QBqKyMihbrwjX2r3b8iu
Las9J5vLPVLSCfwg1erAKzr8yU2TPgs5PXVQYAYBBUGUXG+vGx/0sfruQXPgvwyj
hKVbR4N4U84df0p+0+kKiepjsglpGcKEHGFzU3o2neDUvJGqlRqL3TKHNAnzFuki
5N0ypLJVyVEwnb6LzfFrGyrM4J1uyzWFdD+XGRridquE2r7QHEIoawGQdCfGxxad
0hEIVRL66p1qI5uoG86fTrbDFjx/+pLOqxTEibj9vf33sMqF0BLCsPYNQT+O0mmq
GNKg3OrsqWNXPsuTtv2LsnWhlUNac7NkiqKcwCA57wbYkZWR7awIF10+Tca2bKS9
YvgiVdrIxTixEplCD43cxcdVSOaA+XSwIZF8qr4QEwxlHfqwFBRc7Wr/b52viCc4
DaoZdfD9lTxqGf3PiGqnXd1CoiYhOf+CpJRPIsLhzw6OGre4eK0yJeZFegYz1L5F
4U73NfTDL8AgMlZ7Krf+mvzL5+0CCiidNBgjZO7L6Cw2Gj9jw75Du+4igJhupZRi
TGc/7rH8YI6j6cW1yYQuxvxm8Nj6OxegAfHfZqg0vbCKAiH154t5ZYtCfCIvOkWI
+Q5aNLo+WDXEAj3bTsov
=vxTK
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0e29669e-e097-04f9-f13e-daccbf00ede4%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-16 Thread cubit
16. Dec 2016 05:58 by a...@qubes-os.org:

> I recommend disabling your key's passphrase (i.e., using a blank
> passphrase).

 

This is disappointing to hear.    Removing the password sounds like a kludge 
than a fix to something that had been working okay.





I understand the model does not technically need a password but it is something 
I want (rightly or rongly) and it was working okay since R3.0 which to me 
indicates that it can work and just something broke.




> The reasoning can be found throughout the document (search for
> "passphrase").
>




I do and see that it is optional which should mean it works. From the page you 
say:





> > "Therefore,using a passphrase at all should be considered optional."




If it is not supposed to work  or is not supported it should be said  "do not 
use passphrase with key" instead of saying "is optional" as this lead people to 
understand that while not needed it works.
















-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/KZ6Noey--3-0%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-15 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-15 13:57, cubit wrote:
> 15. Dec 2016 21:53 by cu...@tutanota.com:
> 
>> I updated templates and dom0 today and rebooted computer.  Now 
>> when I try to look at encrypted email I am prompted to enter my 
>> gpg key password every time I look at an encrypted email.   Also 
>> if I look at an encrypted email, go to a different program and 
>> then tab back to thunderbird I am immediately asked for gpg key 
>> password for the email I was looking at.
>> 
> Another problem I discover.  If a PGP/MIME email has an
> attachment. I try open it asks for password to open it.  Put
> correct password in and it just ask again and again and again :(
> 

I recommend disabling your key's passphrase (i.e., using a blank
passphrase).

See our "note on passphrases":

"You may experience trouble when attempting to use a PGP key with a
passphrase along with Split-GPG and Enigmail. If you do, you may need
to remove the passphrase from your (sub)key(s) in order to get
Split-GPG working correctly. As mentioned above, we do not believe PGP
key passphrases to be significant from a security perspective."

The reasoning can be found throughout the document (search for
"passphrase").

https://www.qubes-os.org/doc/split-gpg/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYU4KhAAoJENtN07w5UDAwMkMP/3xLSOdj5qjNprwgfiMEKMPe
XUmsjT55gSja0MQ9bKSVMZ58Mk4mp7tkbFpcSVQW7OpAodLUIIoNDg1vC+KwocUA
pAaWXFt2TsjVPNbIL2DJEwCM1z2ElXLciQj57YAzUj4ZvVTHKJAmrP6H8BmI7w0M
DdDhBHZG07KoYyvJ2zpUAj6OY56vOoUs8o9zYj9v6jZ5KOHnHbQVi9MHPQeWZz2f
SPQ4vlcVHpWLFj6pD9e5E1fISLHecmK1q4xmfM3YbtpP24PuFxX0BH1ReYWDKUoj
DZODmBok+Fl4VYx6DIs9bQ/TpKmD+72eN37lEL4QYwYq3SPQbkS2d+7v9H7u5t4u
Cj4ll4Dz9TtFNquLJxXD+TcWzNKTDve5aJP3UQwhZkj71nDuzBD+tKmWkVKMIVwy
X79TQtC0nYZUD/pDIOOiirIuAFwlOAf4l8J8tW/9+dafVB2rfVoRjj0n4jN42IQt
YpSZKOe3KlQAsuVy5tho3wP9WSP4NJIQuCLgCFj401DVD8ZJ21IFSHwiF1pnxOm9
Lsjer+BW3WIPIthoR+pFZhln8cVu7Ol3iCN790rOP3PH+uJLWK6V37cJAw4uPzac
VLEtpVJF4ncSNIf6UYkUoIkBbedfZ2y9ZxMQAEtep9eHFo67mrY18VRyglDKmYw+
fkSpUkgqL0+48a1HX/ht
=JM+z
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ddb61ce2-3a19-1fcf-efaf-62e1d59fdec7%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-15 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 15, 2016 at 10:53:56PM +0100, cubit wrote:
> Halo!
> 
> I have run into more problems with thunderbird+enigmail on qubes and wonder 
> if anyone else has problems.
> 
> I have a work appvm as Debian 8 with icedove 45.5.1 and enigmail 1.8.2
> I have a vault appvm with my gpg keys as Debian 8 to do split gpg.
> 
> I updated templates and dom0 today and rebooted computer.  Now when I try to 
> look at encrypted email I am prompted to enter my gpg key password every time 
> I look at an encrypted email.   Also if I look at an encrypted email, go to a 
> different program and then tab back to thunderbird I am immediately asked for 
> gpg key password for the email I was looking at.
> 
> I do notice that the password prompt window looks different from pre reboot.
> 
> Some other package info:
> 
> ii  pinentry-gtk2   0.8.3-2
> ii  gnupg  1.4.18-7+deb8u3 
> ii  gnupg-agent   2.0.26-6+deb8u1 
> ii  gnupg2   2.0.26-6+deb8u1
> ii  gpgv 1.4.18-7+deb8u3  
> ii  libgpg-error0:amd64   1.17-3    
> ii  libgpgme11:amd64  1.5.1-6  
> ii  qubes-gpg-split   2.0.24-1+deb8u1    

The solution is easy - remove password from your keys, especially when
you're using split gpg. It is inconvenient illusion of security. If
someone gets access to your private keyring, he/she will be able to get
your password the same way. Especially when you're relying on caching it
in RAM...

The only case when password protected keys makes some sense is
protection after hardware theft, but since Qubes use full disk
encryption anyway, it doesn't add anything extra in this case.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYU2FfAAoJENuP0xzK19csfhwH/2jdT7GbbdhRXlQdw1xPmdgx
f0TchBo2w6UkAowm3JjRhY8iw832qQMTcvKwKqG0JW23VsGsUnU/bqvjd4sDwE9V
7UgTOnAWXqra+wSJHsUjX+L6G+Lxxp+skXq6FKdVcCEsrVYf3BHzxfVeNevf2wG+
HJyIHjHCzwrZyHVscxKUq6rBtOvyOS+zSLNPTn7Nd6V0Kl3eMQwfu0FPvlvdfbre
lkUZ+wcGGo2nDUS+v2qbGiYXvs6+wfAwTFoSuNSC9t7ruofB6NaTTnbZXTEXaXcm
hSM0qzE4RCYjoQAqNNJ0tHfe398xdyowCMeouWrchr8uZpZ2I+Zb3Bb4OlQ3J5o=
=FBVc
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161216033701.GV1239%40mail-itl.
For more options, visit https://groups.google.com/d/optout.