Keeping your secrets secret

As much as i try to avoid it, i always end up with lots of usernames and passwords to remember, not to mention a couple of bank accounts and a credit card number for on-line shopping. There’s no way i’m going to remember any of them—why, i even need to keep track of my telephone number. Time to write down a tidy nice little list, that is, time to look for and set up an adequate emacs mode or two.

When it comes to keeping lists, the table editor of org-mode is what you need. Org-mode is included in emacs 22, but Carsten & co. keep adding new stuff and fixing bugs, so it won’t hurt you to get the development version from its website. It comes with a nice manual and installing it is a breeze. You enter table mode by typing a vertical bar (|) to separate columns:

  * Bank accounts
    |Account | Credit card | Expiry date | Password |
    |-

From there TAB and RET are your friends: new rows are created and column widths adjusted automagically. You can also add separators by starting a line with |- (as i did above) and typing TAB. In no time you’ll have something like this:

* Banks

  |------------------+------------------+----------|
  | Account          | Credit card      | Password |
  |------------------+------------------+----------|
  | The credit box   | 8180819999999333 | fooo     |
  | GNU Free Credit  | 6969696969696969 | boobarp  |
  | Engineering Safe | 0000000111111111 | passwdd  |
  | paypal           |                  | paaassss |
  |------------------+------------------+----------|

* Sites

  |----------------------------+-------------+----------|
  | site                       | user        | password |
  |----------------------------+-------------+----------|
  | http://www.gnu.org         | a user name | password |
  | http://journals.foo.org    | a user name | password |
  | http://philosophy.org      | a user name | password |
  | http://linkedin.com        | a user name | password |
  | http://www.pragpro.com     | a user name | password |
  | http://www.tug.org/members | a user name | password |
  |----------------------------+-------------+----------|

* Source code repositories...

All in conveniently foldable sections, so that you can expand only the interesting section.

But, of course, you don’t want to save this as a regular file (let alone publish it on the internet). Even on a Unix machine, file permissions are a weak protection: they keep other users out, but not root, not whoever gets hold of your backups or your lost laptop, and not a bug in any program running under your own account. Nah, what you want is to encrypt the thing. To that end, one can use public key cryptography.

In a nutshell, you generate a pair of keys: one of them is private, only for your eyes, and therefore should be protected by a solid passphrase (with this scheme, whoever gets a copy of that key file and guesses its passphrase gets your whole list); the other one is public: you make it available to anyone who wants to communicate with you. People then write their secret text and encrypt it using the public key. When that’s done, only your secret key (barring the NSA) can decipher the text. Of course, nothing prevents you from playing both roles and using the same key pair to encrypt and decrypt your passwords file.

This being an emacs blog, i won’t delve into the details of using GnuPG to create a key pair if you don’t already have one. But you being an emacs user, i’m sure you’ll be quite able to run gpg --gen-key to generate your keys.

You could now use gpg to manually cipher and decipher the passwords file, but, you know, one uses emacs because it can do almost anything for you. In this case, EasyPG will take care of the chore of decrypting the file every time you open it and encrypting it back when it goes to disk, so the plaintext only ever lives in an emacs buffer, never in a file. The EasyPG package comes bundled with emacs 23, and, again, it is very easy to install if you are using previous emacs versions. This is the configuration i use for this package:

;; Emacs 23: bundled EasyPG
(require 'epa)
(epa-file-enable)

or, if you installed it externally:

;; EasyPG installed in path/to/epg
(add-to-list 'load-path "path/to/epg")
(require 'epa-setup)
(epa-file-enable)

(Yeah, it’s called easy for a reason!) With this magic incantation in place, every time you open a file with the extension .gpg, EasyPG will do the work for you.

So, all that is left to do is to save our file as, say, dobeedoo.gpg and inform emacs that we want to open it as an org-mode file, and which key to encrypt it to, by adding the following first line to it (both settings go in a single -*- ... -*- block, separated by a semicolon):

-*- mode: org; epa-file-encrypt-to: ("my_key_email@foo.org") -*-

As you can see, we’re also telling EasyPG what key it should use for its cryptographic activities. Two details worth knowing: file-local variables are only read when a file is visited, so in a brand new buffer run M-x normal-mode after typing that line and before the first save, otherwise EasyPG will ask you to pick recipients in a key selection buffer and, if you pick none, fall back to symmetric encryption with a passphrase. And if you’d rather skip the mode: org part, name the file dobeedoo.org.gpg: emacs strips the .gpg suffix when choosing the major mode, so org-mode is selected from the .org that remains.
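Putting the pieces together, here is a complete configuration as an added example. It is my own illustration for this page, not the post’s configuration nor code from EasyPG, and it guards against the two ways this setup quietly degrades: auto-save files written in the clear, and a save with no recipient key that falls back to symmetric encryption. It also shows, through the epg library that EasyPG is built on, that the same key pair does both the encrypting and the decrypting. It assumes emacs 23 or later with the bundled EasyPG and a gpg binary on PATH; the my- names and the key id my_key_email@foo.org are placeholders.

```elisp
;; Added example: a complete EasyPG setup for an org-mode secrets file.
;; Editor's illustration, not the post's own configuration nor EasyPG code.
;; Assumes Emacs 23 or later (bundled EasyPG) and gpg on PATH; the my-
;; names and the key id below are placeholders.

(require 'epa-file)
(require 'epg)
(epa-file-enable)

;; Which binary EasyPG runs.  A commenter below reports that pointing this
;; at gpg2 broke decryption for them; keep "gpg" unless you have tested it.
(setq epg-gpg-program "gpg")

;; Auto-save files (#dobeedoo.gpg#) are not matched by the .gpg file handler
;; and would land on disk in the clear.  t is already the default; setting
;; it explicitly documents why it has to stay on.
(setq epa-file-inhibit-auto-save t)

(defun my-encrypted-buffer-p ()
  "Non-nil when the current buffer visits a file EasyPG will encrypt."
  (and buffer-file-name
       (string-match-p "\\.gpg\\'" buffer-file-name)))

(defun my-require-encrypt-to ()
  "Abort the save of a .gpg buffer that has no recipient key configured.
Without `epa-file-encrypt-to' EasyPG asks you to pick recipients and, if
you pick none, silently falls back to symmetric encryption; signalling an
error from `before-save-hook' turns that into a hard failure instead."
  (when (and (my-encrypted-buffer-p)
             (not epa-file-encrypt-to))
    (error "%s has no epa-file-encrypt-to; add it to the -*- line and run M-x normal-mode"
           (file-name-nondirectory buffer-file-name))))

(add-hook 'before-save-hook #'my-require-encrypt-to)

;; The same key pair encrypts and decrypts.  RECIPIENT is a key id or e-mail
;; present in your keyring for which you also hold the private key; gpg will
;; prompt for the passphrase on the decrypt step.
(defun my-gpg-roundtrip (recipient text)
  "Encrypt TEXT to RECIPIENT's public key and decrypt it with the private key.
Returns the recovered plaintext string."
  (let* ((ctx (epg-make-context 'OpenPGP t))   ; t: ASCII-armored output
         (keys (epg-list-keys ctx recipient)))  ; public keys matching RECIPIENT
    ;; With an empty key list epg would encrypt symmetrically instead, which
    ;; is exactly the silent fallback we want to avoid.
    (unless keys
      (error "No public key found for %s" recipient))
    (epg-decrypt-string ctx (epg-encrypt-string ctx text keys))))

;; Usage, evaluated after the keys exist in your keyring:
;; (my-gpg-roundtrip "my_key_email@foo.org" "The credit box | 8180819999999333 | fooo")
```

The before-save-hook check is the part worth keeping even if you take nothing else: the failure mode it catches leaves you with a file that opens fine with a passphrase and looks encrypted, but is no longer tied to your key pair at all.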

That’s it. No rocket science here, but very handy nonetheless, and a very nice example of how a major mode (org) and orthogonal helpers (the org table editor, EasyPG’s file handler) can work together for you. A perfect use case of functionality that is independent of the major mode, which only cares about the actual file contents. Personally, this is also the use case that got me started with org-mode: may it enlighten you too 🙂

Happy encrypting!

(BTW, now that you have EasyPG installed, try M-x epa-list-keys, a nice keyring browser, if you ask me.)

21 Responses to “Keeping your secrets secret”

  1. Bob Erb Says:

    Excellent. Thank you.

  2. Bob Erb Says:

    One point to note; with just

    (add-to-list 'load-path "path/to/epg")

    (require 'epa)
    (epa-file-enable)

    as above, I got an error complaining about epa-file-enable being undefined. Replacing "(require 'epa)" with "(require 'epa-setup)" fixed that. (EasyPG v.0.0.16)

  3. links for 2008-07-20 « that dismal science Says:

    […] Keeping your secrets secret « minor emacs wizardry (tags: emacs security gpg pgp gnupg) […]

  4. jrcapa Says:

    jao: the file variable syntax you used failed for me.
    i had to use -*- mode: org; epa-file-encrypt-to: ("jrcapa@gmail.com") -*- instead.

  5. Ryan McGuire Says:

    Awesome Tip!

    Some things I’ve noticed:

    1) Org mode is automatically enabled for any file with “.org.” in the filename so if I save my file as “passwords.org.gpg” org mode is automatically used everytime.

    2) I have to pick the recipient’s public key the first time I save the file but on subsequent opening and saving of the file it knows the right thing to do.

    So I have not had a usecase for the magic first line (whatever that’s called).

  6. Vinod Kurup Says:

    I’ve been meaning to learn how emacs and gpg work together. Thanks. BTW, I think --key-gen should be --gen-key

  7. Tuss Says:

    Saving works for me, but I can’t open the file; easypg just gets stuck at /home/liquidraven/db: 0% (0/818) until I abort it with C-g.

  8. Suresh R Says:

    Very useful tip!! I have a “passwords” file and I’ve been looking for such a solution for a while (obviously not very hard :). Thanks!

  9. b7j0c Says:

    some notes for people having problems:

    here is my .emacs snippet for epa:

    (require 'epa)
    (epa-file-enable)
    (setq epg-gpg-program "gpg")

    NOTE – if you set gpg to gpg2, you will have problems on decryption. see:

    http://article.gmane.org/gmane.emacs.devel/97198

    sounds like for now you want both gpg and gpg2 installed. fortunately they are named so you can have both installed simultaneously

  10. Jones Says:

    Do you know how to get gnus to handle a gpg’ed .authinfo file?

  11. Kenneth Geisshirt Says:

    I have been looking for a way to encrypt some of my ORG files and you provide the solution. Thanks!

  12. I think you mean... Says:

    “installing it is a breeze”. Although given the weather at the moment, maybe you’re right.

  13. Herostratus’ legacy » User accounts management Says:

    […] This post is heavily inspired in Keeping your secrets secret. […]

  14. Alex (stsquad) 's status on Thursday, 13-Aug-09 13:35:40 UTC - Identi.ca Says:

    […] Keeping your secrets secret « minor emacs wizardry […]

  15. Memnon Says:

    Update
    Now, parts of outlines can be conveniently encrypted.
    No need to have a separated file for your passwords, just put
    them where they belong in your org universe.
    See: org-crypt.el by John Wiegley in the contrib directory and
    http://doc.norang.ca/org-mode.html#HandlingEncryption.

  16. Scott Says:

    Recently I’ve seen the GNU emacs installation on my Macbook stop asking for the passphrase when I open a GPG encrypted file. It still asks on save but it seems to automatically decrypt the file when opened.

    Just tested and it doesn’t happen in Aquamacs. Aquamacs still asks for the passphrase.

    Anyone have any thoughts?

  17. A Tale of Two Security Scandals | Irreal Says:

    […] text documents, as I do, you can make this basically transparent by using epa (EasyPG) as described here and here. If you use public key encryption and don’t encrypt the key on your computer, the […]

  18. Diceware Implementation (Part 2) | Irreal Says:

    […] or deal with third party software, you can keep them in an encrypted Org file as explained in this Minor Emacs Wizardry post. This is what I do and it works out fine except that it isn’t integrated into my Web […]

