Saving gpg password on the file itself

Saving gpg password on the file itself

[Artur Malabarba]

I have a single encrypted file in my system, diary.org.gpg.
It's doesn't contain hugely sensitive information, and its password
does not coincide with any other password I use.

I don't want to setup a whole encryption keychain (or whatever that
stuff is called) on my system, I'm fine with typing the password once
when I open the file. The only thing that bothers me, is typing it
twice every time I save.

I'd like to keep the password written somewhere inside the file (at
the header or end-of-file comments). Then, whenever I save, Emacs
could read the password in the buffer and use that instead of
prompting me whenever I save. I understand the security implications
of that, and I'm fine with them.


My question here is just, "How can I send the password directly from
Emacs when saving the buffer, instead of being prompted for it by
gpg?"

All the rest (finding the password in the buffer) I can figure out
myself. I just got lost when trying to understand how Emacs interfaced
with gpg.


Cheers and Thanks,
Artur

Re: Saving gpg password on the file itself

[Michael Heerdegen]

Artur Malabarba <bruce.connor.am@gmail.com> writes:

> I have a single encrypted file in my system, diary.org.gpg.
> It's doesn't contain hugely sensitive information, and its password
> does not coincide with any other password I use.
>
> I don't want to setup a whole encryption keychain (or whatever that
> stuff is called) on my system, I'm fine with typing the password once
> when I open the file. The only thing that bothers me, is typing it
> twice every time I save.

I assume you are using epa.el (here it is used automatically when
working with gpg encrypted files).

As you describe your situation, I guess you could be happy with

  (setq epa-file-cache-passphrase-for-symmetric-encryption t)

You could also read (info "(epa) Caching Passphrases").


HTH,

Michael.

Re: Saving gpg password on the file itself

[Ted Zlatanov]

On Thu, 7 May 2015 10:26:43 +0100 Artur Malabarba <bruce.connor.am@gmail.com> wrote: 

AM> I don't want to setup a whole encryption keychain (or whatever that
AM> stuff is called) on my system, I'm fine with typing the password once
AM> when I open the file. The only thing that bothers me, is typing it
AM> twice every time I save.

It's simple: look at
`epa-file-cache-passphrase-for-symmetric-encryption'.  I use it in many
situations where the GnuPG agent is not available.  Just don't select a
key when you initially encrypt the .gpg file and EPA will know you mean
to use symmetric encryption.  Then you enter the passphrase once and
Emacs remembers it for the whole session.

Ted

Documentation:
If non-nil, cache passphrase for symmetric encryption.

For security reasons, this option is turned off by default and
not recommended to use.  Instead, consider using gpg-agent which
does the same job in a safer way.  See Info node `(epa) Caching
Passphrases' for more information.

Note that this option has no effect if you use GnuPG 2.0.

Re: Saving gpg password on the file itself

[Artur Malabarba]

Thanks Ted and Michael. Works great!

2015-05-07 14:42 GMT+01:00 Ted Zlatanov <tzz@lifelogs.com>:
> On Thu, 7 May 2015 10:26:43 +0100 Artur Malabarba <bruce.connor.am@gmail.com> wrote:
>
> AM> I don't want to setup a whole encryption keychain (or whatever that
> AM> stuff is called) on my system, I'm fine with typing the password once
> AM> when I open the file. The only thing that bothers me, is typing it
> AM> twice every time I save.
>
> It's simple: look at
> `epa-file-cache-passphrase-for-symmetric-encryption'.  I use it in many
> situations where the GnuPG agent is not available.  Just don't select a
> key when you initially encrypt the .gpg file and EPA will know you mean
> to use symmetric encryption.  Then you enter the passphrase once and
> Emacs remembers it for the whole session.
>
> Ted
>
> Documentation:
> If non-nil, cache passphrase for symmetric encryption.
>
> For security reasons, this option is turned off by default and
> not recommended to use.  Instead, consider using gpg-agent which
> does the same job in a safer way.  See Info node `(epa) Caching
> Passphrases' for more information.
>
> Note that this option has no effect if you use GnuPG 2.0.
>

Re: Saving gpg password on the file itself

[Artur Malabarba]

Actually, I may have spoke too soon.
On Ubuntu this does nothing. And on Arch linux this works for opening
the file but not for saving (I only get prompted the first time that I
open, but still get prompted twice every time I save).

Is this because different backends are being used on each system? Is
there a configuration variable I can use to force a backend?

2015-05-07 17:09 GMT+01:00 Artur Malabarba <bruce.connor.am@gmail.com>:
> Thanks Ted and Michael. Works great!
>
> 2015-05-07 14:42 GMT+01:00 Ted Zlatanov <tzz@lifelogs.com>:
>> On Thu, 7 May 2015 10:26:43 +0100 Artur Malabarba <bruce.connor.am@gmail.com> wrote:
>>
>> AM> I don't want to setup a whole encryption keychain (or whatever that
>> AM> stuff is called) on my system, I'm fine with typing the password once
>> AM> when I open the file. The only thing that bothers me, is typing it
>> AM> twice every time I save.
>>
>> It's simple: look at
>> `epa-file-cache-passphrase-for-symmetric-encryption'.  I use it in many
>> situations where the GnuPG agent is not available.  Just don't select a
>> key when you initially encrypt the .gpg file and EPA will know you mean
>> to use symmetric encryption.  Then you enter the passphrase once and
>> Emacs remembers it for the whole session.
>>
>> Ted
>>
>> Documentation:
>> If non-nil, cache passphrase for symmetric encryption.
>>
>> For security reasons, this option is turned off by default and
>> not recommended to use.  Instead, consider using gpg-agent which
>> does the same job in a safer way.  See Info node `(epa) Caching
>> Passphrases' for more information.
>>
>> Note that this option has no effect if you use GnuPG 2.0.
>>

Re: Saving gpg password on the file itself

[Jorge A. Alfaro-Murillo]

Artur Malabarba writes:

> Actually, I may have spoke too soon.  On Ubuntu this does 
> nothing. And on Arch linux this works for opening the file but 
> not for saving (I only get prompted the first time that I open, 
> but still get prompted twice every time I save).

On Debian with openbox it behaves like you describe it behaves on 
Arch, It would be ideal to be asked only once for the password to 
save, if you are saving with the same password.

-- 
Jorge.

Re: Saving gpg password on the file itself

[Ted Zlatanov]

On Sat, 9 May 2015 17:40:04 +0100 Artur Malabarba <bruce.connor.am@gmail.com> wrote: 

AM> Actually, I may have spoke too soon.
AM> On Ubuntu this does nothing.

What's "this"? What did you do to set up the test, then what did
actually happen, and finally what did you expect?

AM> And on Arch linux this works for opening the file but not for saving
AM> (I only get prompted the first time that I open, but still get
AM> prompted twice every time I save).

AM> Is this because different backends are being used on each system? Is
AM> there a configuration variable I can use to force a backend?

You're probably using GnuPG 2.x on Arch, which doesn't currently
allow caching the symmetric passphrase.  Please check.

Ted

Re: Saving gpg password on the file itself

[Artur Malabarba]

2015-05-11 16:32 GMT+01:00 Ted Zlatanov <tzz@lifelogs.com>:
> On Sat, 9 May 2015 17:40:04 +0100 Artur Malabarba <bruce.connor.am@gmail.com> wrote:
>
> AM> Actually, I may have spoke too soon.
> AM> On Ubuntu this does nothing.
>
> What's "this"? What did you do to set up the test, then what did
> actually happen, and finally what did you expect?

"this" is doing
(setq epa-file-cache-passphrase-for-symmetric-encryption t)
and then opening a file with symmetric encryption.

The regular behavior is to get a password prompt every time I open and
two prompts every time I save. The variable didn't change that. I was
expecting it to somehow reduce the number of prompts.

Now I understand though, that it doesn't work for recent Gnupg, so I
think that's why.

> AM> And on Arch linux this works for opening the file but not for saving
> AM> (I only get prompted the first time that I open, but still get
> AM> prompted twice every time I save).
>
> AM> Is this because different backends are being used on each system? Is
> AM> there a configuration variable I can use to force a backend?
>
> You're probably using GnuPG 2.x on Arch, which doesn't currently
> allow caching the symmetric passphrase.  Please check.

Yes, version 2.1. I should have read the docstring before my last message.

Re: Saving gpg password on the file itself

[Ted Zlatanov]

On Mon, 11 May 2015 17:16:57 +0100 Artur Malabarba <bruce.connor.am@gmail.com> wrote: 

AM> 2015-05-11 16:32 GMT+01:00 Ted Zlatanov <tzz@lifelogs.com>:

>> You're probably using GnuPG 2.x on Arch, which doesn't currently
>> allow caching the symmetric passphrase.  Please check.

AM> Yes, version 2.1. I should have read the docstring before my last message.

I think GnuPG 2.x recently added back the functionality to support this,
actually. But EPA/EPG need to be modified to support it. You can open a
bug report/feature request...

Ted