emacs-orgmode

Re: org-crypt ?


From: Tim Cross
Subject: Re: org-crypt ?
Date: Sat, 11 Jun 2022 13:35:26 +1000
User-agent: mu4e 1.7.26; emacs 28.1.50

David Masterson <dsmasterson@gmail.com> writes:

> I think I've gotten org-crypt working, but I think some things are not
> making sense (it might be just me):
>
> 1. I've set org-crypt-key to nil (symmetric encryption).
> 2. Can I use a different encryption key for each encrypted paragraph?
> 3. Does org-encrypt only ask for the key the first time?
> 4. Does org-decrypt only ask for the key the first time?
> 5. How do they know where to get the password when they don't ask?
> 6. Shouldn't org-crypt docs in org manual have examples?
> Does this make sense -- I think I'm messing something up.


Warning: I have not used org-crypt for many years. These days, I just
use a .org.gpg extension and symmetrically encrypt the whole file.
However, I think I can probably answer some of your questions -

> 2. Can I use a different encryption key for each encrypted paragraph?

According to the manual -


 
No, not with symmetric encryption. I think this can only work with
asymmetric encryption. 

If you're using symmetric encryption, you typically just have one key for
all the data within the file. From the GnuPG perspective, this is just
encrypted text. It does not 'know' about different paragraphs. To have
different encryption with each paragraph, you would need to specify
different keys and there is no mechanism to do that with symmetric
encryption, only asymmetric.

What is your use case where you need multiple symmetric encryption keys
in one file?

> 3. Does org-encrypt only ask for the key the first time?
> 4. Does org-decrypt only ask for the key the first time?

Well that can depend on your environment and how it is configured. These
days, most Linux desktops and macOS have a form of GPG Agent and/or
keyring (I'd assume similar with Windows, but don't use that platform).
Typically, these agents/keyrings are configured to cache passphrases for
a period of time. Sometimes, you can tell the keyring keys it has access
to without the passphrase provided your login key has been 'opened'. So
for example, the passwords for my imap accounts are in a gpg file and
I've told my keyring agent to always allow access to those keys (this
was an option in the passphrase dialogue box). 

I also think epa has support for caching of passphrases. Therefore, it
could be that Emacs is caching the key for you and it will keep it in a
session cache for a period of time or until the session is closed. 

One way to sort out where the caching is occurring might be to try
decrypting outside of Emacs just using gnupg. If it asks for the key but
does not ask when doing it within Emacs, then it is probably Emacs doing
the caching. 

> 5. How do they know where to get the password when they don't ask?

See above re: caching, keyrings and gpg agents.

> 6. Shouldn't org-crypt docs in org manual have examples?

Probably, though I don't know what else you would put in there which
isn't already there. Feel free to supply a PR or patch once you have
worked it out. However, as noted in the commentary section, org-crypt.el
is really a very light-weight wrapper around functions in epg.el, so
likely the first place to start when looking for documentation and
examples is the epa/epg/EasyPG manual.


