Add "passphraseless submission key" to prerequisites #95
Comments
Given that split-gpg does not support passphrases on privkeys, we're not likely to change support anytime soon. Agree that clarification in the docs is the right approach. |
|
That split-gpg doc is outdated then 😄 I use split-gpg with pinentry-gnome3 every day! But even so, the automated use from salt during initial setup that would make the use of passphrases on private keys cumbersome to support |
Good to know! I was surprised to see the feature explicitly omitted, even though I don't use it myself. And the original point stands: we're not likely to support it on SDW in the foreseeable future. |
While our key generation docs suggest that it is safe to generate a passphraseless submission key, they do not strictly require it. It's certainly possible to use an SVS with a passphrase-protected key.
https://docs.securedrop.org/en/stable/generate_submission_key.html
Our SDW installation procedure and test plans do not currently account for a key protected by a passphrase. Until/unless this is a use case we explicitly support, I would suggest that we list a passphraseless submission key as a prerequisite for the SecureDrop Workstation.
The text was updated successfully, but these errors were encountered: