# the following instructions will install split-ssh
# client-vm will be based off whonix-workstation-17
# client-vm is disposable
# vault-vm will be based off debian-12-minimal
# when the disposable client starts it connects to the vault's ssh-agent: you get 2 prompts (the dom0 policy "ask" dialog, then the key passphrase in the vault). The private key itself never leaves the vault; only agent requests are forwarded over qrexec
# prerequisite: install (if missing) and fully update the debian-12-minimal and whonix-workstation-17 templates before running this
# create script
dom0: nano ~/ssh-setup.sh
# paste the following (everything up to "# end print") into the file
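#!/bin/sh
# split-ssh setup, part 1: build the vault template (deb-12-mini-ssh-keyring)
# and install the qubes.SshAgent qrexec service that relays agent requests
# to the vault's local ssh-agent socket. Runs in dom0.
#
# -e: abort at the first failing qvm-* step instead of carrying on with a
#     half-built template; -u: fail on typos in variable names.
set -eu

VAULT_TMPL=deb-12-mini-ssh-keyring

qvm-clone debian-12-minimal "$VAULT_TMPL"

# Package install script. It is executed as root (qvm-run -u root), so no
# sudo is needed. ssh-askpass-gnome supplies the dialog used by
# `ssh-add -c` confirmations; libnotify-bin supplies notify-send.
cat > ~/ssh.sh <<'EOF'
#!/bin/sh
set -e
apt-get update
apt-get -y install socat ssh-askpass-gnome libnotify-bin
EOF
chmod 700 ~/ssh.sh
qvm-move-to-vm "$VAULT_TMPL" ~/ssh.sh
qvm-run -u root "$VAULT_TMPL" /home/user/QubesIncoming/dom0/ssh.sh

# qrexec service body. The shebang must be the first line of the file
# (the original had a stray "#" line above it). notify-send names the
# calling qube; the actual per-use gate is `ssh-add -c` in the vault.
cat > ~/qubes.SshAgent <<'EOF'
#!/bin/sh
# Relay the ssh-agent protocol from the calling qube ($QREXEC_REMOTE_DOMAIN)
# to this qube's own agent socket. The private key never leaves this qube.
notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
exec socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
EOF
chmod 755 ~/qubes.SshAgent
qvm-move-to-vm "$VAULT_TMPL" ~/qubes.SshAgent
# Install the service root-owned and not user-writable: qrexec runs it as
# the unprivileged user, so that account should not be able to rewrite it.
qvm-run -u root "$VAULT_TMPL" "mv /home/user/QubesIncoming/dom0/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent && chown root:root /etc/qubes-rpc/qubes.SshAgent && chmod 755 /etc/qubes-rpc/qubes.SshAgent"
qvm-run "$VAULT_TMPL" "rm -r /home/user/QubesIncoming"
qvm-shutdown "$VAULT_TMPL"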
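# split-ssh setup, part 2: build the client template (workstation-ssh) from
# whonix-workstation-17 and install the Xsession hook that points
# SSH_AUTH_SOCK at a local socket backed by a qrexec call to the vault.
CLIENT_TMPL=workstation-ssh

qvm-clone whonix-workstation-17 "$CLIENT_TMPL"

# Runs as root (qvm-run -u root), so no sudo needed.
cat > ~/ssh.sh <<'EOF'
#!/bin/sh
set -e
apt-get update
apt-get -y install openssh-client
EOF
chmod 700 ~/ssh.sh
qvm-move-to-vm "$CLIENT_TMPL" ~/ssh.sh
qvm-run -u root "$CLIENT_TMPL" /home/user/QubesIncoming/dom0/ssh.sh

# Sourced by Xsession at login (no shebang needed). Each connection to the
# local socket spawns qrexec-client-vm towards SSH_VAULT_VM, which is what
# triggers the dom0 policy check for qubes.SshAgent.
cat > ~/90x11-common_ssh-agent <<'EOF'
# split-ssh client side: forward ssh-agent requests to the vault qube.
SSH_VAULT_VM="app-ssh-keyring"
# Fixed path under /tmp; acceptable in a single-user qube, but the socket
# is created 0600 (umask 177) so only this user can reach the vault's agent.
export SSH_AUTH_SOCK="/tmp/ssh-agent-$SSH_VAULT_VM"
rm -f "$SSH_AUTH_SOCK"
umask 177 && socat "UNIX-LISTEN:$SSH_AUTH_SOCK,fork" "EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &
EOF
qvm-move-to-vm "$CLIENT_TMPL" ~/90x11-common_ssh-agent
# Root-owned, not user-writable: this file decides where the user's ssh
# traffic is routed, so the unprivileged account should not be able to edit it.
qvm-run -u root "$CLIENT_TMPL" "mv /home/user/QubesIncoming/dom0/90x11-common_ssh-agent /etc/X11/Xsession.d/90x11-common_ssh-agent && chown root:root /etc/X11/Xsession.d/90x11-common_ssh-agent && chmod 644 /etc/X11/Xsession.d/90x11-common_ssh-agent"
qvm-run "$CLIENT_TMPL" "rm -r /home/user/QubesIncoming"
qvm-shutdown "$CLIENT_TMPL"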
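# split-ssh setup, part 3: create the vault AppVM that holds the private key.
VAULT_VM=app-ssh-keyring

qvm-create -C AppVM -l blue -t deb-12-mini-ssh-keyring "$VAULT_VM"
# The vault must be offline. Without this it inherits the default NetVM,
# which defeats the point of keeping the key in a separate qube.
qvm-prefs "$VAULT_VM" netvm none

# On every vault start, load the key into the agent. -c makes the agent
# require a confirmation dialog (ssh-askpass-gnome) for each signing
# request, so a client qube cannot use the key silently.
cat > ~/ssh-add.desktop <<'EOF'
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -c
Type=Application
EOF
qvm-move-to-vm "$VAULT_VM" ~/ssh-add.desktop
qvm-run "$VAULT_VM" "mkdir -p /home/user/.config/autostart"
qvm-run "$VAULT_VM" "mv /home/user/QubesIncoming/dom0/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
qvm-run "$VAULT_VM" "rm -r /home/user/QubesIncoming"
qvm-shutdown "$VAULT_VM"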
# split-ssh setup, part 4: the disposable template for the client side.
# It has no NetVM of its own; the named disposable created from it gets
# its network later. ssh-add -L at login lists the agent's public keys,
# which is what opens the first agent connection (and the prompts) at start.
DVM_TMPL=workstation-dvm-ssh
AUTOSTART_DIR=/home/user/.config/autostart

qvm-create -C AppVM -l yellow -t workstation-ssh "$DVM_TMPL"
qvm-prefs "$DVM_TMPL" template_for_dispvms true
qvm-prefs "$DVM_TMPL" netvm none

cat > ~/ssh-add.desktop <<'EOF'
#
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -L
Type=Application
EOF
qvm-move-to-vm "$DVM_TMPL" ~/ssh-add.desktop
qvm-run "$DVM_TMPL" "mkdir -p $AUTOSTART_DIR"
qvm-run "$DVM_TMPL" "mv /home/user/QubesIncoming/dom0/ssh-add.desktop $AUTOSTART_DIR/ssh-add.desktop"
qvm-run "$DVM_TMPL" "rm -r /home/user/QubesIncoming"
qvm-shutdown "$DVM_TMPL"
# split-ssh setup, part 5: the named disposable client. Its traffic goes
# through sys-whonix (Tor); the policy file written later refers to it
# by this name.
qvm-create --class DispVM --label orange --template workstation-dvm-ssh disp-ssh
qvm-prefs --set disp-ssh netvm sys-whonix
# end print
#
# save & exit
#
# run
dom0: chmod 700 ~/ssh-setup.sh
dom0: ~/ssh-setup.sh
#
# take a beer while everything is getting installed
#
# the next steps are what needs to be done manually
#
dom0: nano /etc/qubes/policy.d/50-ssh.policy
# print
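# First match wins. The client hook names the vault explicitly
# (qrexec-client-vm app-ssh-keyring qubes.SshAgent), so the @default rule is
# only a fallback. "ask" shows a dom0 dialog for each new agent connection.
qubes.SshAgent * disp-ssh @default ask default_target=app-ssh-keyring
qubes.SshAgent * disp-ssh app-ssh-keyring ask
# No other qube may reach the vault's agent, and disp-ssh may reach no other qube.
qubes.SshAgent * @anyvm app-ssh-keyring deny
qubes.SshAgent * @anyvm @anyvm deny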
# end print
#
dom0: qvm-run app-ssh-keyring xterm
xterm: ssh-keygen -t ed25519 -a 500
# press Enter at the file-name prompt (keeps the default path) and set a strong passphrase at the passphrase prompt; this is the passphrase ssh-add will ask for each time the vault starts
xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub
xterm: exit
#
dom0: qvm-run disp-ssh xfce4-terminal
xfce4-terminal: cat /home/user/QubesIncoming/app-ssh-keyring/id_ed25519.pub
# copy the public key and paste it wherever it is needed for your use (e.g. the remote host's authorized_keys); only the .pub file was copied, the private key stays in the vault
dom0: qvm-shutdown app-ssh-keyring disp-ssh
#
dom0: qvm-run disp-ssh xfce4-terminal
# you will be prompted to select vault qube
# you will be prompted for the key passphrase (ssh-add running in the vault); because the key was added with ssh-add -c, every later signing request also opens a confirmation dialog in the vault — decline it if you did not initiate the connection
# example to establish connection
xfce4-terminal: ssh user@ip.address