Open eloquence opened 2 years ago
Given that split-gpg does not support passphrases on privkeys, we're not likely to change support anytime soon. Agree that clarification in the docs is the right approach.
That split-gpg doc is outdated then :smile: I use split-gpg with pinentry-gnome3 every day! But even so, the automated use from salt during initial setup would make the use of passphrases on private keys cumbersome to support.
> That split-gpg doc is outdated then
Good to know! I was surprised to see the feature explicitly omitted, even though I don't use it myself. And the original point stands: we're not likely to support it on SDW in the foreseeable future.
While our key generation docs suggest that it is safe to generate a passphraseless submission key, they do not strictly require it. It's certainly possible to use an SVS with a passphrase-protected key. https://docs.securedrop.org/en/stable/generate_submission_key.html
Our SDW installation procedure and test plans do not currently account for a key protected by a passphrase. Until/unless this is a use case we explicitly support, I would suggest that we list a passphraseless submission key as a prerequisite for the SecureDrop Workstation.