Keeping your secrets secret

As much as i try to avoid it, i always end up with lots of usernames and passwords to remember, not to mention a couple of bank accounts and a credit card number for on-line shopping. There’s no way i’m going to remember any of them—why, i even need to keep track of my telephone number. Time to write down a tidy nice little list, that is, time to look for and set up an adequate emacs mode or two.

When it comes to keeping lists, the table editor of org-mode is what you need. Org-mode is included in emacs 22, but Carsten &co. keep adding new stuff and fixing bugs, so it won’t hurt you to get the unstable version from its website. It comes with a nice manual and installing it is a freeze. You enter table mode by typing a vertical bar (|) to separate columns:

  * Bank accounts
    |Account | Credit card | Expiry date | Password |
    |-

From there TAB and RET are your friends: new rows are created and column widths adjusted automagically. You can also add separators by starting a line with |- (as i did above) and typing TAB. In no time you'll have something like this:

* Banks

  |-----------------+------------------+----------|
  | Account         | Credit card      | password |
  |-----------------+------------------+----------|
  | The credit box  | 8180819999999333 | fooo     |
  | GNU Free Credit | 6969696969696969 | boobarp  |
  | Engineering Safe| 0000000111111111 | passwdd  |
  | paypal          |                  | paaassss |
  |-----------------+------------------+----------|

* Sites

  |-------------------------------+------------------------+
  | site                          | user        | password |
  |-------------------------------+------------------------+
  | http://www.gnu.org            | a user name | password |
  | http://journals.foo.org       | a user name | password |
  | http://philosophy.org         | a user name | password |
  | http://linkedin.com           | a user name | password |
  | http://www.pragpro.com        | a user name | password |
  | http://www.tug.org/members    | a user name | password |
  |-------------------------------+------------------------+

* Source code repositories...

All in conveniently foldable sections, so that you can expand only the interesting section.

But, of course, you don't want to save this as a regular file (let alone publish it on the internet). Even on a Unix machine, protecting it via file permissions is very weak. Nah, what you want is to encrypt the thing. To that end, one can use public key cryptography.

In a nutshell, you generate a pair of keys: one of them is private, only for your eyes, and therefore should be protected by a solid password; the other one is public: you make it available to anyone that wants to communicate with you. People then write their secret text and encrypt it using the public key. When that's done, only your secret key (barring the NSA) can decipher the text. Of course, nothing prevents you from using the same device to encrypt and decrypt your passwords file.

This being an emacs blog, i won't delve into the details of using GnuPG to create a key pair if you don't already have it. But you being an emacs user, i'm sure you'll be quite able to run gpg --key-gen to generate your keys.

You could now use gpg to manually cipher and decipher the passwords file, but, you know, one uses emacs because it can do almost any thing for you. In this case, EasyPG will take care of the chore of decrypting the file every time you open it and encrypting it back when it goes to disk. The EasyPG package comes bundled with emacs 23, and, again, it is very easy to install if you are using previous emacs versions. This is the configuration i use for this package:

;; Emacs 23: bundled EasyPG
(require 'epa)
(epa-file-enable)

or, if you installed it externally:

;; EasyPG installed in path/to/epg
(add-to-list 'load-path "path/to/epg")
(require 'epa-setup)
(epa-file-enable)

(Yeah, it's called easy for a reason!) With this magic incantation in place, every time you open a file with the extension .gpg, EasyPG will do the work for you.

So, all that is left to do is to save our file as, say, dobeedoo.gpg and inform emacs that we want to open it as an org-mode file by adding the following first line to it:

-*- mode: org -*- -*- epa-file-encrypt-to: ("my_key_email@foo.org") -*-

As you can see, we're also telling EasyPG what key it should use for its cryptographic activities.

That's it. No rocket science here, but very handy nonetheless, and a very nice example of how different major (org) and minor (org-table, epa) emacs modes can work together for you. A perfect use case of minor modes providing functionality orthogonal to that in the major mode, which is caring about the actual file contents. Personally, this is also the use case that got me started with org-mode: may it enlighten you too :)

Happy encrypting!

(BTW, now that you have EasyPG installed, try M-x epa-list-keys, a nice keyring browser, if you ask me.)

About these ads

21 Responses to “Keeping your secrets secret”

  1. Bob Erb Says:

    Excellent. Thank you.

  2. Bob Erb Says:

    One point to note; with just

    (add-to-list ‘load-path “path/to/epg”)

    (require ‘epa)
    (epa-file-enable)

    as above, I got an error complaining about epa-file-enable being undefined. Replacing “(require ‘epa)” with “(require ‘epa-setup)” fixed that. (EasyPG v.0.0.16)

  3. links for 2008-07-20 « that dismal science Says:

    [...] Keeping your secrets secret « minor emacs wizardry (tags: emacs security gpg pgp gnupg) [...]

  4. jrcapa Says:

    jao: the file variable syntax you used failed for me.
    i had to use -*- mode: org; epa-file-encrypt-to: (“jrcapa@gmail.com”) -*- instead.

  5. Ryan McGuire Says:

    Awesome Tip!

    Some things I’ve noticed:

    1) Org mode is automatically enabled for any file with “.org.” in the filename so if I save my file as “passwords.org.gpg” org mode is automatically used everytime.

    2) I have to pick the recipient’s public key the first time I save the file but on subsequent opening and saving of the file it knows the right thing to do.

    So I have not had a usecase for the magic first line (whatever that’s called).

  6. Vinod Kurup Says:

    I’ve been meaning to learn how emacs and gpg work together. Thanks. BTW, I think –key-gen should be –gen-key

  7. Tuss Says:

    Saving works for me, but I can’t open the file; easypg just gets stuck at /home/liquidraven/db: 0% (0/818) until I abort it with C-g.

  8. Suresh R Says:

    Very useful tip!! I have a “passwords” file and I’ve been looking for such a solution for a while (obviously not very hard :). Thanks!

  9. b7j0c Says:

    some notes for people having problems:

    here is my .emacs snippet for epa:

    (require ‘epa)
    (epa-file-enable)
    (setq epg-gpg-program “gpg”)

    NOTE – if you set gpg to gpg2, you will have problems on decryption. see:

    http://article.gmane.org/gmane.emacs.devel/97198

    sounds like for now you want both gpg and gpg2 installed. fortunately they are named so you can have both installed simultaneously

  10. Jones Says:

    Do you know how to get gnus to handle a gpg’ed .authinfo file?

  11. Kenneth Geisshirt Says:

    I have been looking for a way to encrypt some of my ORG files and you provide the solution. Thanks!

  12. I think you mean... Says:

    “installing it is a breeze”. Although given the weather at the moment, maybe you’re right.

  13. Herostratus’ legacy » User accounts management Says:

    [...] This post is heavily inspired in Keeping your secrets secret. [...]

  14. Alex (stsquad) 's status on Thursday, 13-Aug-09 13:35:40 UTC - Identi.ca Says:

    [...] Keeping your secrets secret « minor emacs wizardry [...]

  15. Memnon Says:

    Update
    Now, parts of outlines can be conveniently encrypted.
    No need to have a separated file for your passwords, just put
    them where they belong in your org universe.
    See: org-crypt.el by John Wiegley in the contrib directory and
    http://doc.norang.ca/org-mode.html#HandlingEncryption.

  16. Scott Says:

    Recently I’ve seen the GNU emacs installation on my Macbook stop asking for the passphrase when I open a GPG encrypted file. It still asks on save but it seems to automatically decrypt the file when opened.

    Just tested and it doesn’t happen in Aquamacs. Aquamacs still asks for the passphrase.

    Anyone have any thoughts?

  17. A Tale of Two Security Scandals | Irreal Says:

    [...] text documents, as I do, you can make this basically transparent by using epa (EasyPG) as described here and here. If you use public key encryption and don’t encrypt the key on your computer, the [...]

  18. Diceware Implementation (Part 2) | Irreal Says:

    [...] or deal with third party software, you can keep them in an encrypted Org file as explained in this Minor Emacs Wizardry post. This is what I do and it works out fine except that it isn’t integrated into my Web [...]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: