𝔓lainText, encrypted.

Emacs EasyPG

Emacs comes with a package called EasyPG, with which GnuPG based cryptographic operations become seamless. It can operate on regions as well as files. It also provides good dired and mail-mode integration.

Commands such as find-file and save-buffer on any *.gpg file will be dealt with by EasyPG automatically. You can customise this behaviour by modifying the epa-file-name-regexp variable to any pattern you wish. It is Emacs after all.

GnuPG is GNU’s implementation of OpenPGP standard. In the post Data encryption with GnuPG, I covered how to use GnuPG in detail. Make sure to check it out if you are not familiar with GnuPG.

EasyPG commands all start with epa-, most of them are pretty self-explanatory. E.g. epa-encrypt-region encrypts a marked region in the current buffer.

EasyPG uses symmetric encryption by default, which will ask you to set a password when a new .gpg file is saved. The encrypted file can then be decrypted using the same password. If you prefer public-key encryption with added security, instead just save file with C-x C-s, you can use epa-file-select-key to get a list of keys in your system and select the recipient’s public key for encryption.

Real world usage examples

Sensitive information such as usernames and passwords for online logins, software licence keys and financial figures should be kept secret. They should be stored with a disaster recovery storage strategy in case of data corruption or hardware failure. One accessible method would be putting them in a plain text file, encrypting the file and then throwing it in Dropbox or a git repository, and then you can forget about it.

Online logins

Org-mode is unbeatable for organising notes and simple tabular data in plain text files. Org-mode
Table

Saving the file as passwords.org.gpg, you will be asked to either set up a password for the file or select the recipient’s public key for encryption - depending on your EasyPG settings. In this use case you are the sole ‘recipient’ of the encrypted message - why would you want to share all your passwords with anyone else?

Try to open the file with Emacs, you will be asked to type in the password: Emacs
EasyPG

Tips: make sure you choose a strong password ONLY for encrypting the password list, and don’t use it anywhere else. If you prefer public-key encryption, use strong and unique passwords for each private key as well.

Sharing notes

With epa-encrypt-region you can encrypt sensitive sections of a file and share the rest of the document with others. E.g. sharing your notes on how to setup a computer but not the license keys of applications.

Imagine you need to share the below project plan with a colleague. Org-mode
Note

You probably don’t want to share the serial numbers and the credit card details. Select the regions you don’t want to share and issue M-x epa-encrypt-region, type your password, you would end up with a file like this: EasyPG encrypted
region

Toggle the outline mode, it still looks nice and clean. EasyPG encrypted
region

It’s always a good practice to encrypt sensitive info even you are the only one who will ever read it, otherwise it can easily lead to embarrassment, identity fraud or more devastating disasters if your computer is compromised.

To decrypt the encrypted parts, just select the PGP messages and issue M-x epa-decrypt-region

Having to type the password in every time when you open a file can quickly get tedious. Fortunately GnuPG provides an utility called gpg-agent which can cache passwords for a pre-defined period of time. EasyPG can remember your password for symmetric encryption.

Credentials caching can get complicated depending on which version of GnuPG you have in your system and the encryption methods your employ. It’s best to consult relevant documentation for detailed instructions.

Update

To use Emacs 25+ with GnuPG 2.1.x and above, set the below in your Emacs init file:

(setq epg-gpg-program "gpg2")
(setf epa-pinentry-mode 'loopback)

The added bonus is now that Emacs will cache the password for a short period of time automatically without a GUI pinentry.

Data encryption with GnuPG

Table of Contents

Why I am paranoid about security?

After working with hundreds of legacy websites during my early web development years, I’ve learnt not to trust any small e-commerce sites written in the last century, nor any website from which I can retrieve password in plain text. Even worse, now I start losing faith in the big boys who fail to guide their users lately: Sony, Twitter LinkedIn and Dropbox to name a few - some of them have always vowed to treat security as top priority.

It’s not only that that worries me, what about my personal notes stored in the cloud? Someone out there has access to them. Although cloud computing privacy is improving, it is nowhere near being regulated or enforced; actually it’s quite the opposite. Nevertheless, keeping data only on your physical devices sounds a terrible idea. Hard disks could die on you abruptly; thieves could break in and smash your computer and backups; fire could burn the whole city to the ground. The list can go on and on, putting data in the cloud at least makes our digital possessions immune to the hence mentioned devastating disasters.

Encrypt data with GnuPG

From deliberately changing file extension to zipping sensitive info with password, rudimentary tricks can certainly provide some level of security against novice users. But for experienced techies, these obstacles can easily be lifted with a £500 laptop from Currys within a matter of minutes.

To protect our privacy, We can use Public-key cryptography to encrypt any file, both on our own hard drivers and in the cloud.

A public and private key each have a specific role when encrypting and decrypting documents. A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, only the person who holds the private key can recover a document encrypted using the associated public key.

The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Alice, you encrypt it using Alice’s public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your private key. (from The GNU Privacy Handbook)

To protect our data in the cloud, we can encrypt our sensitive documents with our own public keys before uploading them. We can then decrypt these documents with our corresponding private keys which can be further protected by a strong password. To peep the encrypted files, someone will have to have both physical access to the private key and the correct password.

Get the Tools Ready

The GNU Privacy Guard (GnuPG) is a superb implementation of OpenPGP standard, which is historically from the famous Pretty Good Privacy (PGP). PGP can be used to sign, encrypt and decrypt documents, directories, and even entire hard disk partitions, as well as to authenticate emails with digital signatures.

GnuPG supports a variety of encryption schemes, paired keys and digital sinatures. It features a convenient key management system and access modules for public key directories. It’s a command line tool with features for easy integration with other applications such as Emacs package EasyPG.

GnuPG has quite a few frontends (applications with graphic interfaces) for various operating systems. On Microsoft Windows OS you have Gpg4win; on Mcs OS you have GPGTools for best OS integration. If you are only after a slim command line tool with minimum footprints, or only want to integrate cryptographic options into your own workflow, GnuPG from Homebrew should be more than adequate. Let’s get started.

Generate a Keypair

To verify GnuPG installation, issue the command

gpg --version

You should see something similar to this: GnuPG
version

To create a new primary keypair:

gpg --gen-key

GnuPG Screenshot

Here the DSA is the primary keypair type which can only be used to make signatures. Elgamal subordinate keypair is the one for message encryption. In most cases the default option is the one you want.

You will then be prompted to set the following attributes for the keypair: size of the key, expiration date, real name, comment and email address. The email address can be used as key specifier later. Some of the info cannot be edited once the keypair is created so type in carefully.

Generate a Revocation Certificate

If you forget your password or your private key is compromised, a revocation certificate can be used to revoke your public key so no one can use it to encrypt messages to you anymore. This may be vital to email communications but it does little with file encryption, as spooks can always decrypt encrypted files if they get hold of your private key and password.

gpg --output revoke.txt --gen-revoke key-specifier

Here key-specifier can be any part of the User ID which identifies your keypair. E.g. the email address used to create the keypair would be a good choice.

You should print out your revocation certificate, take a photo of it, disguise the photo and then upload it to a safe place. Of course don’t forget to delete the revoke.txt file permanently from your computer!

Deploy & backup keys

In order to be able to view the encrypted files on all your computers, the keypair needs to be deployed onto every machine. This also means you have multiple backups of your key across different computers. If you ever lose one of the computers, the encrypted data is still accessible.

List all keypairs

To see all the keypairs in your operating system, issue the command below. It would list them all and the uid of each.

gpg --list-keys

Export public key

Use the --export option to export the public key. The exported key file will be in binary format by default.

gpg --output public-key.pk --export key-identifier
# Use the email address you used to create the key as key-identifier

If you need to send the key though email or copy it to clipboard, add the --armor option to export it in plain ASCII text.

gpg --output public-key.txt --export --armor key-identifier

Export private key

Use the --export-secret-key option to export any private keys. As with public keys, use option --armor to export in plain text. Actually any output from GnuGP can be decorated with --armor. E.g. we can encrypt a binary file such as picture and get an encrypted plain ASCII text output. For more information, ask for help from our good old friend man.

gpg --output private-key.pk --export-secret-key --armor key-identifier

Deploy keypair onto other computers

Copy the exported private key (binary or plain text) onto the destination computer; make sure the new machine has GunPG installed. To import a key, use the --import option.

gpg --import private-key.pk

Issue command gpg --list-keys to confirm that the keypair has been successfully imported.

The corresponding public key will be available on the new machine once its private key is imported. You can import someone’s public key without knowing their private key.

Verify the imported keys

All the imported public keys must be validated by verifying the keys’ fingerprints and then signing them. However if the corresponding private keys have also been imported then you only need to set the trust level.

gpg --edit-key key-identifier

The above command will list the details of the key and also put you into an interactive editing mode. Type in trust to set the trust level, if you truly trust yourself then set the trust level to ultimate. Issue quit to quit the interactive mode.

Now everything is setup and you are ready to hide all your secrets!

Encrypt & decrypt documents

The --encrypt option can be used to encrypt a document.

gpg --output secret.jpg.gpg --encrypt  \
  --recipient john@smith.com secret.jpg

Here we encrypted secret.jpg with John’s public key (assume john@smith.com is the associated email address for John’s keypair). The output would be secret.jpg.gpg which can only be decrypted by John’s private key. The added bonus is that if we need to communicate the file though email or other network protocols, we can use the previously mentined --armor option to output the file as secret.jpg.txt so our picture will look like this:

-----BEGIN PGP MESSAGE----- Version:
GnuPG v1.4.7

hQIOAxdwc3QWykEfEAf9E9N87ZPXrOVGyo02ia3lRbuW9vLqvMKtjrAhlRXb7T1n
ZwtXnR5sL7/i6eoza4IgoEwUWWL5Tj32qSRsVzTJYI0gvLyTIT21VjLCdwHiOwh/
9+usSejFkH39nutPtZ4DV32hNjYWa9vlQaKD5um/jT+Ac18UlIR/d5/BO0CCMvf4
H1H+qCgR8BrixE7It0xtRujv/AYRr+4QVThV2vB9xYlxwvDZVXM2kXrI17Y6l3PD
R4bfXAOiQbTYgtgPvMcsZqCkBxDYARRUP8JkupGB5LNALbiaLoCwHjbdisShbmMO
9fYdH4FgW5AgLViRZIM/E95W/FhmZBb0WHmOIFbDpwf+PCVAIg3ISgJbpQFwOMbQ
LpilsUj4pGlUZ45Qm2pq/m1D4uQuETKhGqEP+C29+ndPKrs5/Wc5AhMfnS3mWiDy
zxEyvaMiHeQB7C8SZ3WoEVOFO0fmVxd6X+7EG+PxJ0+SePV0c7WGfg8p2xuEEq7Y
bdzJGccbisn+RDN5TlFVUgZ4tQ3//hMZDhurLRmgP3bFdAgmdPvJZnNv4BGC2sJV
Zzt8tODrKlXqgrwVdSRsXw8trtW0cdiYBcHGCZ8OkM8Q6N2ClXDlY61sHV2KOuyL
a57AnoEwLxnltvXT+KzYUruG5pp3JqeBcRoNkdm9zPmqjUeIuNJ4nb5gpsVA9QzG
bXF3T14Te+KRC3UttP5NbdZ8H+Mq2vjo98FyKdpBSTr5Qs2HTybxZ4ZeZN6g6w4y
11GTIzkOESr0zydnThyLDn7JMs6yhAy6A5Jv59MMLFlVuvTOY01aNrQPJpW6nZG+
fbNbPkvzrEH3TK1Ehw==
=1PP1
-----END PGP MESSAGE-----

To decrypt a message use --decrypt:

gpg --output secret.jpg --decrypt secret.jpg.gpg

GnuPG You will be prompted to enter the password for your private key.

What’s next?

This open note focuses on the basic usage of GnuPG commands to give readers an insight of PGP encryption. In reality, if you are not a savvy shell user, it is not practical to encrypt/decrypt and manage a large amount of files in this way. Most frontends provide more user-friendly Graphic User Interface (GUI) as well as additional bells and whistles to simplify the encryption/decryption process.