Emacs comes with a package called
which GnuPG based cryptographic operations become
seamless. It can operate on regions as well as files. It also provides good
dired and mail-mode integration.
Commands such as find-file and save-buffer on any *.gpg file will be dealt
with by EasyPG automatically. You can customise this behaviour by modifying the
epa-file-name-regexp variable to any pattern you wish. It is Emacs after all.
GnuPG is GNU’s implementation of
OpenPGP standard. In
the post Data encryption with
GnuPG, I covered how to use
GnuPG in detail. Make sure to check it out if you are not familiar with GnuPG.
EasyPG commands all start with epa-, most of them are pretty
self-explanatory. E.g. epa-encrypt-region encrypts a marked region in the
EasyPG uses symmetric
encryption by default,
which will ask you to set a password when a new .gpg file is saved. The
encrypted file can then be decrypted using the same password. If you prefer
with added security, instead just save file with C-x C-s, you can use
epa-file-select-key to get a list of keys in your system and select the
recipient’s public key for encryption.
Real world usage examples
Sensitive information such as usernames and passwords for online logins,
software licence keys and financial figures should be kept secret. They should
be stored with a disaster recovery storage strategy in case of data corruption
or hardware failure. One accessible method would be putting them in a plain text
file, encrypting the file and then throwing it in Dropbox or a git repository,
and then you can forget about it.
Org-mode is unbeatable for organising notes and simple
tabular data in plain text files.
Saving the file as passwords.org.gpg, you will be asked to either set up a
password for the file or select the recipient’s public key for encryption -
depending on your EasyPG settings. In this use case you are the sole ‘recipient’
of the encrypted message - why would you want to share all your passwords with
Try to open the file with Emacs, you will be asked to type in the password:
Tips: make sure you choose a strong password ONLY for encrypting the password
list, and don’t use it anywhere else. If you prefer public-key encryption, use
strong and unique passwords for each private key as well.
With epa-encrypt-region you can encrypt sensitive sections of a file and share
the rest of the document with others. E.g. sharing your notes on how to setup a
computer but not the license keys of applications.
Imagine you need to share the below project plan with a colleague.
You probably don’t want to share the serial numbers and the credit card
details. Select the regions you don’t want to share and issue M-x
epa-encrypt-region, type your password, you would end up with a file like this:
Toggle the outline mode, it still looks nice and clean.
It’s always a good practice to encrypt sensitive info even you are the only one
who will ever read it, otherwise it can easily lead to embarrassment, identity
fraud or more devastating disasters if your computer is compromised.
To decrypt the encrypted parts, just select the PGP messages and issue
Having to type the password in every time when you open a file can quickly get
tedious. Fortunately GnuPG provides an utility called gpg-agent which can
cache passwords for a pre-defined period of time. EasyPG can remember your
password for symmetric encryption.
Credentials caching can get complicated depending on which version of GnuPG you
have in your system and the encryption methods your employ. It’s best to consult
relevant documentation for detailed instructions.
To use Emacs 25+ with GnuPG 2.1.x and above, set the below in your Emacs init file:
After working with hundreds of legacy websites during my early web development
years, I’ve learnt not to trust any small e-commerce sites written in the last
century, nor any website from which I can retrieve password in plain text. Even
worse, now I start losing faith in the big boys who fail to guide their users
and Dropbox to name a few -
some of them have always vowed to treat security as top priority.
It’s not only that that worries me, what about my personal notes stored in the
cloud? Someone out there has access to them. Although cloud computing privacy
it is nowhere near being regulated or enforced; actually it’s quite the
keeping data only on your physical devices sounds a terrible idea. Hard disks
could die on you abruptly; thieves could break in and smash your computer and
backups; fire could burn the whole city to the ground. The list can go on and
on, putting data in the cloud at least makes our digital possessions immune to
the hence mentioned devastating disasters.
Encrypt data with GnuPG
From deliberately changing file extension to zipping sensitive info with
password, rudimentary tricks can certainly provide some level of security
against novice users. But for experienced techies, these obstacles can easily be
lifted with a £500 laptop from Currys within a matter of minutes.
To protect our privacy, We can use Public-key
cryptography to encrypt
any file, both on our own hard drivers and in the cloud.
A public and private key each have a specific role when encrypting and
decrypting documents. A public key may be thought of as an open safe. When a
correspondent encrypts a document using a public key, that document is put in
the safe, the safe shut, and the combination lock spun several times. The
corresponding private key is the combination that can reopen the safe and
retrieve the document. In other words, only the person who holds the private key
can recover a document encrypted using the associated public key.
The procedure for encrypting and decrypting documents is straightforward with
this mental model. If you want to encrypt a message to Alice, you encrypt it
using Alice’s public key, and she decrypts it with her private key. If Alice
wants to send you a message, she encrypts it using your public key, and you
decrypt it with your private key. (from The GNU Privacy
To protect our data in the cloud, we can encrypt our sensitive documents with
our own public keys before uploading them. We can then decrypt these documents
with our corresponding private keys which can be further protected by a strong
password. To peep the encrypted files, someone will have to have both physical
access to the private key and the correct password.
Get the Tools Ready
The GNU Privacy Guard (GnuPG) is a superb implementation
of OpenPGP standard,
which is historically from the famous Pretty Good Privacy
(PGP). PGP can be used to
sign, encrypt and decrypt documents, directories, and even entire hard disk
partitions, as well as to authenticate emails with digital signatures.
GnuPG supports a variety of encryption schemes, paired keys and digital sinatures.
It features a convenient key management system and access modules for public key
directories. It’s a command line tool with features for easy integration with
other applications such as Emacs package
GnuPG has quite a few
(applications with graphic interfaces) for various operating systems. On
Microsoft Windows OS you have Gpg4win; on Mcs OS you
have GPGTools for best OS integration. If you
are only after a slim command line tool with minimum footprints, or only want to
integrate cryptographic options into your own workflow, GnuPG from
Homebrew should be more than adequate. Let’s
Generate a Keypair
To verify GnuPG installation, issue the command
You should see something similar to this:
To create a new primary keypair:
Here the DSA is the primary keypair type which can only be used to make
signatures. Elgamal subordinate keypair is the one for message encryption. In
most cases the default option is the one you want.
You will then be prompted to set the following attributes for the keypair: size
of the key, expiration date, real name, comment and email address. The email
address can be used as key specifier later. Some of the info cannot be edited
once the keypair is created so type in carefully.
Generate a Revocation Certificate
If you forget your password or your private key is compromised, a revocation
certificate can be used to revoke your public key so no one can use it to
encrypt messages to you anymore. This may be vital to email communications but
it does little with file encryption, as spooks can always decrypt encrypted
files if they get hold of your private key and password.
Here key-specifier can be any part of the User ID which identifies your
keypair. E.g. the email address used to create the keypair would be a good
You should print out your revocation certificate, take a photo of it, disguise
the photo and then upload it to a safe place. Of course don’t forget to delete
the revoke.txt file permanently from your computer!
Deploy & backup keys
In order to be able to view the encrypted files on all your computers, the
keypair needs to be deployed onto every machine. This also means you have
multiple backups of your key across different computers. If you ever lose one of
the computers, the encrypted data is still accessible.
List all keypairs
To see all the keypairs in your operating system, issue the command below. It would
list them all and the uid of each.
Export public key
Use the --export option to export the public key. The exported key
file will be in binary format by default.
gpg --output public-key.pk --export key-identifier
# Use the email address you used to create the key as key-identifier
If you need to send the key though email or copy it to clipboard, add the
--armor option to export it in plain ASCII text.
Use the --export-secret-key option to export any private keys. As with public keys, use option
--armor to export in plain text. Actually any output from GnuGP can be decorated with
--armor. E.g. we can encrypt a binary file such as picture and get
an encrypted plain ASCII text output. For more information, ask for help from our
good old friend man.
Copy the exported private key (binary or plain text) onto the destination
computer; make sure the new machine has GunPG installed. To import a key,
use the --import option.
gpg --import private-key.pk
Issue command gpg --list-keys to confirm that the keypair has been
The corresponding public key will be available on the new machine once its
private key is imported. You can import someone’s public key without knowing
their private key.
Verify the imported keys
All the imported public keys must be validated by verifying the keys’
fingerprints and then signing them. However if the corresponding private keys
have also been imported then you only need to set the trust level.
gpg --edit-key key-identifier
The above command will list the details of the key and also put you into an
interactive editing mode. Type in trust to set the trust level, if you truly
trust yourself then set the trust level to ultimate. Issue quit to quit the
Now everything is setup and you are ready to hide all your secrets!
Encrypt & decrypt documents
The --encrypt option can be used to encrypt a document.
Here we encrypted secret.jpg with John’s public key (assume firstname.lastname@example.org
is the associated email address for John’s keypair). The output would be
secret.jpg.gpg which can only be decrypted by John’s private key. The added
bonus is that if we need to communicate the file though email or other network
protocols, we can use the previously mentined --armor option to output the
file as secret.jpg.txt so our picture will look like this:
You will be prompted to enter the password for your private key.
This open note focuses on the basic usage of GnuPG commands to give readers an
insight of PGP encryption. In reality, if you are not a savvy shell user, it is
not practical to encrypt/decrypt and manage a large amount of files in this
way. Most frontends
provide more user-friendly Graphic User Interface (GUI) as well as additional
bells and whistles to simplify the encryption/decryption process.