Re: org-crypt ?

[Tim Cross]

David Masterson <dsmasterson@gmail.com> writes:

> Tim Cross <theophilusx@gmail.com> writes:
>
>> David Masterson <dsmasterson@gmail.com> writes:
>>
>>> Tim Cross <theophilusx@gmail.com> writes:
>>>
>>>> Warning: I have not used org-crypt for many years. These days, I just
>>>> use a .org.gpg extensions and symmetrically encrypt the whole file.
>>>> However, I think I can probably answer some of your questions -
>>>
>>> Hmm, two questions that this brings up:
>>>
>>> 1. Do you access your files on (say) iPhone?
>>> 2. Do you store your files in Git (say Github)?
>>>
>>
>> Well, yes and yes, but I don't tend to need to access encrypted files on
>> iphone. I do have encrypted files in github. For example, I have a
>> private repository of files I share across computers (Linux and macOS).
>> Some of these files are gpg encrypted.
>
> Exactly the system I'm looking for! (or almost)
>
> I am already using (Emacs, Org, MaGit) on Linux, (BeOrg, Working Copy)
> on the iPhone, and a Github private repository.  This is complicated to
> the new user (like me w/ 42yrs [off and on] of Emacs usage), but Git has
> saved me a number of times on resyncing if I change things on both
> sides.  But I would like to use more encryption with this.  When it's
> secure, I'd like to roll it out on my family's iPhones as well.
>

I suspect the challenge will be in getting gnuPG support on the iphone.
I've never tried that and don't know if there is a gnuPG version for
iphone. That would be the first thing I'd try to verify. If you can
encrypt/decrypt on the iphone, it should be possible to handle the rest. 

The one problem you can run into with gpg files and git is that git can
see those as binary files. The general 'rule of thumb' is that you don't
put binary files into git. The thinking is that binary files are
typically generated from some text file and it is the original source
text which you would put into git. There are also some minor technical
issues, mainly with large binary files, which make git somewhat
inefficient. 

The big issue however is that by default, most git forges, like github,
have a limit on the siace of binary files they will allow in git. That
size is reasonably large, but there is a limit which I think you have to
pay to have increased. I've not run into that limit with encrypted
files, but have with PDFs and other formats I wanted to include in my
git repo. 

<snip>

>
> Hmm.  Point taken.  I have to work on understanding asymmetric
> encryption with org-crypt more.
>

The main downside with asymmetric encryption is that if you want
different keys you have to create lots of different keys and manage them
securely. With symmetric encryption, you just have to remember
passwords/passphrases. The big advantage with asymmetric is that
encryption and decryption are separated. Someone can have your public
key and can encrypt data which only you (or whomever has the private
key) can decrypt.

Based on your desire to roll something out to your family, I would
actually recommend a different route. There are some very good open
source password managers out there. Many of them, for a very small fee
(i.e. $12pa), will also provide a few Gb of encrypted file storage as
well. 

What I find good with some of these is that provided you select the
right one, you have full control over the encryption (so the server the
provider uses has your data encrypted and only you have the key) and
they usually have mobile device support. The big benefit is that the
mobile clients will take care of the encryption/decryption bits. 

Personally, I've been using ipassword for years, but if I was setting
things up now from scratch, I would be chekcing out bitwarden and
keypass (as well as some others) as possible alternatives. These
password managers have grown to be  alot more than just password
managers. They typically have some support for encrypted files as well
as 'secure notes'. The basic architecture of many (especailly the open
source ones) is basically the same as your outlined use case - benefit
is they have taken care of all the nitty gritty stuff and most of them
are based on the same technology (i.e. gnupg under the hood). The other
benefit is you also often get support for 2FA/OTP, hardware keys like
yubikey etc. Such solutions are also often easier for family members who
may not be as technical oriented to learn/use.  

I also used lastpass at one of the businesses I worked for. While it was
a pretty good product when it was first released, I would no longer
recommend them. The quality and reliability seems ot have dropped off
significantly once they were sold to LogMeIn.

I did use borg, though not so much since I retired. It worked OK, but I
really just used it to manage tasks and keep notes using my tablet or
iphone (I usually used my ipad for meetings). However, since retirement
and no longer needing to interact with 'enterprise' environments, my
macbook and ipad are pretty much dust collectors! Everything these days
is just on my Linux system.