Emacs comes with a package called
which GnuPG based cryptographic operations become
seamless. It can operate on regions as well as files. It also provides good
Commands such as
save-buffer on any
*.gpg file will be dealt
with by EasyPG automatically. You can customise this behaviour by modifying the
epa-file-name-regexp variable to any pattern you wish. It is Emacs after all.
EasyPG commands all start with
epa-, most of them are pretty
epa-encrypt-region encrypts a marked region in the
EasyPG uses symmetric
encryption by default,
which will ask you to set a password when a new
.gpg file is saved. The
encrypted file can then be decrypted using the same password. If you prefer
with added security, instead just save file with
C-x C-s, you can use
epa-file-select-key to get a list of keys in your system and select the
recipient’s public key for encryption.
Real world usage examples
Sensitive information such as usernames and passwords for online logins, software licence keys and financial figures should be kept secret. They should be stored with a disaster recovery storage strategy in case of data corruption or hardware failure. One accessible method would be putting them in a plain text file, encrypting the file and then throwing it in Dropbox or a git repository, and then you can forget about it.
Org-mode is unbeatable for organising notes and simple tabular data in plain text files.
Saving the file as
passwords.org.gpg, you will be asked to either set up a
password for the file or select the recipient’s public key for encryption -
depending on your EasyPG settings. In this use case you are the sole ‘recipient’
of the encrypted message - why would you want to share all your passwords with
Try to open the file with Emacs, you will be asked to type in the password:
Tips: make sure you choose a strong password ONLY for encrypting the password list, and don’t use it anywhere else. If you prefer public-key encryption, use strong and unique passwords for each private key as well.
epa-encrypt-region you can encrypt sensitive sections of a file and share
the rest of the document with others. E.g. sharing your notes on how to setup a
computer but not the license keys of applications.
Imagine you need to share the below project plan with a colleague.
You probably don’t want to share the serial numbers and the credit card
details. Select the regions you don’t want to share and issue
epa-encrypt-region, type your password, you would end up with a file like this:
Toggle the outline mode, it still looks nice and clean.
It’s always a good practice to encrypt sensitive info even you are the only one who will ever read it, otherwise it can easily lead to embarrassment, identity fraud or more devastating disasters if your computer is compromised.
To decrypt the encrypted parts, just select the PGP messages and issue
Having to type the password in every time when you open a file can quickly get
tedious. Fortunately GnuPG provides an utility called
gpg-agent which can
cache passwords for a pre-defined period of time. EasyPG can remember your
password for symmetric encryption.
Credentials caching can get complicated depending on which version of GnuPG you have in your system and the encryption methods your employ. It’s best to consult relevant documentation for detailed instructions.
To use Emacs 25+ with GnuPG 2.1.x and above, set the below in your Emacs init file:
(setq epg-gpg-program "gpg2") (setf epa-pinentry-mode 'loopback)
The added bonus is now that Emacs will cache the password for a short period of time automatically without a GUI pinentry.