Re: [MirageOS-devel] MirageOS AppVMs on Qubes
On 26 November 2015 at 20:26, Hannes Mehnert <hannes@xxxxxxxxxxx> wrote:
> On 11/26/2015 20:38, Thomas Leonard wrote:
>> What about doing only the agent protocol (mainly PKDECRYPT and PKSIGN)?
>
> What would the benefit be? What would the agent talk to? Where and how
> would keys be stored?

I was imagining the gpg-agent would run in a Qubes Mirage AppVM, which
would also store the private keys (in a FAT filesystem maybe).

When other (Linux) AppVMs want something signed or decrypted, they run
the regular gpg binary, which calls a gpg-agent stub that uses
`qvm-run mirage-gpg` to get a vchan to the Mirage agent.

That way, private keys never leave the Mirage VM.

Prompting the user for the password might be a problem, but we could
call out to another AppVM for that (or maybe even to dom0).

--
Dr Thomas Leonard http://roscidus.com/blog/
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA
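
The design in the message above has other AppVMs send agent requests over a vchan while the private keys stay in the Mirage VM. As an added example (not part of the original thread, and not MirageOS or Qubes code), this Python model shows a request allowlist that an agent limited to signing and decryption could apply to incoming Assuan lines; the allowed set, the function names and the sample session are assumptions made for illustration.

```python
# Added example: Assuan request allowlist for a hypothetical sign/decrypt-only agent.
MAX_LINE = 1000  # Assuan line-length limit in bytes, used here as a hard cap
# Assumed allowlist: requests that use a key without ever returning secret material.
ALLOWED = {
    "SIGKEY", "SETKEY", "SETKEYDESC", "SETHASH", "PKSIGN", "PKDECRYPT",
    "HAVEKEY", "KEYINFO", "READKEY",          # public information only
    "OPTION", "RESET", "NOP", "BYE",          # session housekeeping
    "D", "END", "CAN",                        # client replies to an INQUIRE
}

def classify(line: bytes) -> tuple[bool, str]:
    """Return (forward?, reason) for one client request line, without its LF."""
    if len(line) > MAX_LINE:
        return False, "line too long"
    if b"\n" in line or b"\r" in line or b"\0" in line:
        return False, "embedded control character"
    if not line or line.startswith(b"#"):
        return True, "comment or empty line"
    try:
        verb = line.split(b" ", 1)[0].decode("ascii").upper()
    except UnicodeDecodeError:
        return False, "non-ASCII command"
    if verb in ALLOWED:
        return True, verb
    return False, f"{verb} not allowed"

def filter_session(lines):
    """Split a request stream into lines to forward and (line, reason) rejects."""
    forwarded, rejected = [], []
    for line in lines:
        ok, reason = classify(line)
        if ok:
            forwarded.append(line)
        else:
            rejected.append((line, reason))
    return forwarded, rejected

# Constructed sample session (keygrip and hash are made-up placeholder values).
SAMPLE = [
    b"RESET",
    b"SIGKEY 0123456789ABCDEF0123456789ABCDEF01234567",
    b"SETHASH 8 " + b"AB" * 32,
    b"PKSIGN",
    b"EXPORT_KEY 0123456789ABCDEF0123456789ABCDEF01234567",  # key export: refused
    b"PKSIGN\nEXPORT_KEY x",                                 # smuggled second line
]

if __name__ == "__main__":
    print(filter_session(SAMPLE))
```

Because the check is an allowlist, any request it does not name is refused, including ones that would export, import or delete keys.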