Simon Braß

Home-Office Physicist

Easier encryption with EasyPG and Org-mode

<2020-11-12 Thu>

When it comes to secrets, encryption is a must, especially if you are working on a portable computer or on a shared file system provided by your company. The obvious choice is to encrypt the data of your entire system, if that is possible; there are several ways, for example see the Arch Linux wiki page. However, full encryption requires sufficient knowledge and experience, as well as access and privileges. Furthermore, full encryption does not equal a full security guarantee, for several reasons. The security is only as strong as the passphrase (or key plus passphrase) you chose for the encryption. And once the system is decrypted, your data is in plain sight: an attacker has an easy job hijacking your data on any portable device that is running, i.e. decrypted. Game over.

Another scenario is a shared file system, e.g. AFS or NFSv4. If you are not extremely careful with your permissions (POSIX permissions or ACLs), other accounts (including those with escalated privileges) may be (mis-)used to access and read your data. Without imputing malicious intent to any colleague, any account may be targeted. In any case, a typical and simple attack vector is a weak passphrase, or a reused and exposed one, and so on.

In my case, I have a simpler problem: I want to encrypt single text files with sensitive content, e.g. my Ledger journal, on any kind of system, including my office desktop or my laptop, and have them secure in my backups.[1] The state of the art is to use GnuPG with a symmetric key or an asymmetric key pair, protected by a strong and unique passphrase used only for this single case.[2] Therefore, I should learn how best to struggle with a somewhat terrifying and unintelligible command-line interface. However, I also work with Emacs.

Every recent Emacs comes with the EasyPG package.[3] To use it, you need to require the package or, as in my case, just use Spacemacs, where the package is required within a Spacemacs layer. EasyPG implements and smooths the interaction between Emacs and GnuPG, in principle without any manual interaction besides typing the key passphrase. If you open any file with a gpg extension, Emacs does all the magic of interacting with GnuPG through the EasyPG interface. For the other way around, encrypting a file, we provide a property line:

# -*- mode:org; epa-file-encrypt-to: ("[email protected]") -*-

and save the file with a gpg extension. In the above example, we also set the mode explicitly.

And it gets even more comfortable: you can combine encryption with Org-mode at the level of entries inside a file.[4] Following https://orgmode.org/manual/Org-Crypt.html, we can encrypt any subtree by adding :crypt: as a tag. Each time the file is saved, every entry tagged :crypt: is encrypted.
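A minimal init-file setup for the Org-crypt workflow described above, as an added example that is not part of the original post. The key ID is a placeholder (assumption), and the auto-save setting is included because auto-save files of a plain .org buffer would otherwise hold the decrypted text of :crypt: entries.

```elisp
;; Added example: EasyPG + org-crypt setup for an Emacs init file.
;; "YOUR-KEY-ID" is a placeholder, not a value from the original post.

;; Transparent decryption/encryption of files ending in .gpg.
(require 'epa-file)
(epa-file-enable)

;; org-crypt ships with Org; loading it also loads Org itself.
(require 'org-crypt)

;; Install the before-save hook: every entry tagged :crypt: is
;; encrypted just before the buffer is written to disk.
(org-crypt-use-before-save-magic)

;; Do not let child headings inherit the tag; otherwise children of an
;; encrypted entry would be encrypted a second time.
(add-to-list 'org-tags-exclude-from-inheritance "crypt")

;; Recipient for public-key encryption of :crypt: entries.
;; Set this to nil to use symmetric (passphrase-only) encryption instead.
(setq org-crypt-key "YOUR-KEY-ID")

;; While an entry is decrypted for editing, an auto-save file would
;; contain its plaintext. t turns auto-save off in such buffers;
;; the default, 'ask, prompts each time.
(setq org-crypt-disable-auto-save t)

;; Interactive use inside an Org buffer:
;;   M-x org-decrypt-entry     decrypt the entry at point
;;   M-x org-decrypt-entries   decrypt all :crypt: entries in the buffer
;;   M-x org-encrypt-entries   re-encrypt without saving
```

Whole-file encryption through a .gpg extension does not have the auto-save problem by default, because EasyPG inhibits auto-save for such buffers (`epa-file-inhibit-auto-save`).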

For more details, I refer to the EasyPG manual.



[1] My "usual" backups exclude my private keys. They do not tend to change often, so I back them up once separately and in a more paranoid way than placing them directly on a hard drive.


[2] Passphrases for accounts of every kind tend to be reused, or written down on paper, or whatever. However, this passphrase needs to be safe on a nuclear weaponry level. You only need a good working memory muscle for this.

Simon Braß ([email protected])

Created: 12 Nov 2020 and last modified: 2020-12-17 Thu 17:54

Emacs 27.2 (Org mode 9.4.4)