About SSH-split

The SSH-split configuration is especially interesting for IT professionals such as developers, devops engineers and system administrators but, more generally, for anyone who manages a remote server via ssh.

It works the same way as GPG-split: vault provides the ssh keys to the other qubes, which never store the keys on their own disk. This gives additional protection against malware and unauthorized access, because a compromised client qube cannot exfiltrate a key it does not hold.

Tomb file for ssh

I follow the standard procedure to create a tomb file (20MB) in vault to host the keys of my ~/.ssh directory:

IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="ssh"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=20

Don't change ${TOMBID}, or risks and risq will not work as expected.

From now on I can open or close the ssh tomb file with:

risks open ssh ${IDENTITY}
risks close ssh ${IDENTITY}

If I already have some ssh keys for ${IDENTITY}, I copy them inside the tomb:

risks open ssh ${IDENTITY}
cp <my-old-keys-directory>/* ${HOME}/.ssh

Otherwise I create a new pair:

risks open ssh ${IDENTITY}
ssh-keygen

The interactive shell opens and I hit enter 3 times, accepting the defaults.

I check that the new keys have been created:

ll ~/.ssh/
total 3
-rw------- 1 user user 1679 Jan 15 20:38 id_rsa
-rw-r--r-- 1 user user  394 Jan 15 20:38 id_rsa.pub

In both cases I make the keys immutable:

sudo chattr +i ~/.ssh/id_rsa.*
risks close ssh ${IDENTITY}

Setup Qubes for SSH split

This configuration allows joe-devq to use the SSH keys present in vault without ever storing the key files locally.

dom0 configuration

In dom0 terminal:

sudo sh -c 'echo "$anyvm $anyvm ask" > /etc/qubes-rpc/policy/qubes.SshAgent'

Optionally, I can trust joe-devq to access the vault ssh-agent without a confirmation prompt:

sudo sh -c 'echo "joe-devq vault allow" > /etc/qubes-rpc/policy/qubes.SshAgent'
sudo sh -c 'echo "$anyvm $anyvm ask" >> /etc/qubes-rpc/policy/qubes.SshAgent'

The qubes.SshAgent file then looks like this:

joe-devq  vault allow
$anyvm $anyvm ask

vault configuration

vault needs just a couple of packages and to have ssh-add started at boot.

sudo apt update
sudo apt install nmap ssh-askpass
mkdir -p ~/.config/autostart
echo '
[Desktop Entry]
Name=ssh-add
Exec=ssh-add
Type=Application
' > ${HOME}/.config/autostart/ssh-add.desktop

template configuration

I turn off joe-devq, start debian-10-dev and from its terminal:

sudo apt update
sudo apt install nmap
sudo shutdown -P 0

joe-devq configuration

I turn on joe-devq and from its terminal I add these lines to /rw/config/rc.local:

SSH_VAULT_VM="vault"
export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
rm -f "$SSH_SOCK"
sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '$SSH_SOCK' -c 'qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent' &"

Then I add this to ${HOME}/.bashrc:

SSH_VAULT_VM="vault"
export SSH_AUTH_SOCK=${HOME}/.SSH_AGENT_$SSH_VAULT_VM
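The following is an added example (not part of the risks project): a small set of POSIX-shell sanity checks to run in the client qube after the dom0 policy and the joe-devq rc.local/.bashrc setup above. It verifies the three properties the split actually relies on: the client's ~/.ssh holds no private key material, the qubes.SshAgent policy file is well-formed in the simple three-field form used on this page, and SSH_AUTH_SOCK points at a 0600 UNIX socket. Paths and file names are assumptions; adjust them to your qube names.

```shell
#!/bin/sh
# Added example, not the risks project's own code. Post-setup sanity checks
# for a split-SSH client qube (e.g. joe-devq). All paths are assumptions.

# 1. The client qube must not hold private key material on its own disk:
#    the whole point of SSH-split is that the keys stay in vault.
#    Returns 0 if the directory is clean, 1 if a private key is found.
check_no_private_keys() {
    dir="$1"
    [ -d "$dir" ] || return 0            # no ~/.ssh at all is fine
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "private key material found in $f"
            return 1
        fi
    done
    return 0
}

# 2. Validate a qubes.SshAgent policy file written in the three-field form
#    used on this page: "<source> <destination> <allow|deny|ask>".
#    Comment and blank lines are ignored. Returns 1 on any malformed line.
check_policy_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        NF != 3 || $3 !~ /^(allow|deny|ask)$/ {
            bad++
            print "bad policy line " NR ": " $0
        }
        END { exit (bad > 0) }
    ' "$1"
}

# 3. SSH_AUTH_SOCK must point at a UNIX socket that only the user can reach.
#    rc.local created it under "umask 177", so the mode should be exactly 0600.
check_agent_socket() {
    sock="$1"
    [ -S "$sock" ] || { echo "$sock is not a socket"; return 1; }
    [ -n "$(find "$sock" -prune -perm 0600 -print)" ] \
        || { echo "$sock has permissions other than 0600"; return 1; }
    return 0
}

# Typical use inside joe-devq (policy check runs in dom0, where the file lives):
#   check_no_private_keys "$HOME/.ssh"
#   check_agent_socket "$SSH_AUTH_SOCK"
#   check_policy_file /etc/qubes-rpc/policy/qubes.SshAgent
```

If the first check fails, the client qube is holding a private key and the setup has not achieved its goal; move the key into the vault tomb and delete it from the client. A socket with permissions wider than 0600 would let any other local user of the client qube use the agent, so the rc.local umask matters.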

Test

  • I stop vault
  • I stop joe-devq
  • I open a dom0 terminal
  • I start vault and open a terminal
  • I start joe-devq and open a terminal
  • I attach the hush partition to vault

From a dom0 terminal:

qvm-shutdown --wait vault && qvm-run vault gnome-terminal
qvm-shutdown --wait joe-devq && qvm-run joe-devq gnome-terminal
attach_hush_to vault

From vault terminal:

risks mount sdcard
IDENTITY="joe"
risks open ssh ${IDENTITY}
ssh-add -L

The output is something like:

ssh-rsa AAAAF3Pza01yc2EAAAADAQA3AAA3AQDPrqi5HAv6NLg+WJVjS14nGTpx+Jr/si/O0RYSMs21ran0K1xYAZ+h0sVrtUkt+JJHr3E38GHm6Dpah4err0by4uPfk+x3e15ZfZy4RsxttUXbkYmsto3byulUfOyN0dOYSL+jHt7i4qdvUNffTiqL0s/eaDb5q20ytg8g35WEhxchSa3y9PYRSPQ35dqjJU35DhON0yc9H36uhT4d0JtOjhpDL79JH3oi8+c0t4h+p1G3RvwLPnwkH

From joe-devq terminal:

ssh-add -L

The usual Qubes OS prompt window pops up and I select vault.

Then, in the joe-devq terminal, I should see exactly the same output that was displayed in vault. This proves that the agent forwarding works as expected.

I can now access any remote SSH server from joe-devq with:

ssh ${user}@${server_ip}