keeping your secrets secret

If you want to keep your secrets secret, it is a good idea to encrypt your data; I usually do that for files with passwords for various services, banking data, and so on. Since version 23, Emacs includes a package called EasyPG (an interface to GnuPG) which makes this seamless – just make sure that you have GnuPG installed.

It's easy to use EasyPG – the only thing you need to do is adding the .gpg -extension to your files, and EasyPG will automatically encrypt/decrypt them when writing/reading. So, for example, to create an encrypted org-mode-file, simply visit (C-x C-f) a file with a name like myfile.org.gpg; emacs opens this in Org-Mode (just like any .org-file). When you want to save the file, emacs will ask you for a password, and with this same password, you can open it again. Don't forget that password!

account data

You can store any kind of secret data in your encrypted files. One type I find particularly useful is to store account data (user names, passwords) for various services there. For example, I use the emacs identi.ca-mode client, which gets its account data through variables identica-username and identica-password.

I do not want to put this information in my main .emacs file for safety reasons, but instead, put it an encrypted file, together with the account data for other services (mail, twitter etc.). Emacs' require does not understand encrypted files, but load-library does. To deal with that, I have two files, secrets.el and secrets.el.gpg (in my load-path):

;; secrets.el
(load-library "secrets.el.gpg")
(provide 'secrets)


;; secrets.el.gpg
(setq identica-username "djcb"
      identica-password "$ekr3t")
;; ... other passwords ...

Now, in my .emacs I have a function for various services, like:

(defun start-identica ()
  (require 'secrets)

This will prompt me for the password, but only if I use anything that requires the secret data, and only once per session.

Update: as Richard notes in the comments, you can also use require by explicitly specifying the filename (parameter two). That might actually be easier -- thanks Richard!

using public keys

By default, EasyPG performs symmetric encryption; if you want to use public key encryption instead (useful when you want to share the encrypted files with others), you can use:

;; 'silent to use symmetric encryption
;; nil to ask for users unless specified
;; t to always ask for a user
(setq epa-file-select-keys t) 

The 'users' in this snippet are the people in your GnuPG-keyring – EasyPG lists your keyring inhabitants, allowing for easy selection. You can also specify the people who can decrypt your file by putting something like the following at the beginning of the file you want to encrypt.

# -*- epa-file-encrypt-to: ("foo@bar.org") -*-


EasyPG brings more functionality for encryption, decryption, signing, managing your keyring and so on, but I haven't used that much yet. Anyhow, the automatic support for reading/writing file is really nice.


Wolf said...

That's excellent, thanks for letting us know about that feature! I'm definitely going to use this.

Dave Sailer said...

Wow. Thank you.

I looked up EasyPG, only to find that it's included with emacs23, which I'm using.

Then I checked my system for GnuPG, which, for whatever reason, was already installed.

Then I created an encrypted file.

And it works.

I really, really appreciate your blog. I've been using emacs since 1995, starting with emacsNT, until I finally got to Linux. I know how to use about 0.01% of emacs's capabilities. I've found the various emacs wikis and official manuals somewhat less than useless. Maybe more than somewhat.

And I'm not stupid. Really. But it's still hopeless. That stuff was written by mutants for mutants.

On the other hand, I am crazy wild about emacs as a writing tool. I wish I could use VIM but I write, and VI/VIM/CREAM are editing tools. Great editing tools. Better editing tools I think, than emacs. But I don't edit all day. And so I'm staying on the emacs side of the fence.

But given all that, I'm still not bright enough to figure out emacs. So thanks to you I can at least feel a little smart, sorta, every now and then.

Anonymous said...

Being a human being there is much possibility that we may forge the password. What are all the options that we have then? It is like you almost deleted the file.

Richard said...

Just one thing - require does work with gpg. My .emacs has this to load my encrypted file containing gnus data after thefirst frame is shown

(require 'rgr-misc "rgr-mic.gpg")

wiht the "provide" in the file of course.

djcb said...

@Dave Sailer: actually, the emacs docs are pretty thorough - they're just not very task-oriented. But it pays off reading them, many gems to be discovered :)

@Richard: good point! Updated the post, thanks.

Richard said...

np. I posted a similar thing a while back as a first draft for possible inclusion into the gnus manual. http://splash-of-open-sauce.blogspot.com/2011/02/securing-your-private-email-credentials_7309.html

Renaud said...

That is a pretty good trick, thanks (as pretty much everything on this blog :) )

But after loading the gpg, the passwords are store in plain text in those variables you set up and are displayable with a simple C-h v…

I may be asking for the moon here, but is there a way to avoid that ?

semente said...

What about that:

(defun run-secrets-hook ()
(require 'secrets))

(add-hook 'identica-mode-hook 'run-secrets-hook)

Gabriel Saldana said...

This is a great way to store your credentials! I'll add this to the identica-mode documentation

Ruben Berenguel said...

Excellent! I'll add this for my gnus stuff, to stop being asked for my 7 words long passwords.

I also use this (or similar) to get twittering-mode to remember its connection credentials (as I found in Michael Kohl's blog).



Anonymous said...

Emacs is working on a `Secrets API' to deal with the problem of storing and using credentials securely. As a first pass, there is a library (secrets.el) that implements an interface to gnome-keyring/kwallet under linux, but things are still being developed for the future.

At the moment, secrets.el is part of Emacs 24 (i.e. the unreleased, in-development, next version of emacs). This will require some effort to be useful to non-developers, but if that's beyond your comfort level today, at least know that it's coming in the future.

Anonymous said...

@Dave Sailer

You should definitely look at vimpulse.

It expands viper-mode by adding really nice features such as gi( or ga".

With it, you got the power of emacs without any RSI :)

Anonymous said...

Oh, I've read an article 2 years ago with the same name "Keeping your secrets secret". Thats interesting.

Derek Mansen said...

I was wondering how to keep my passwords for jabber secure, and this was a perfect solution! Thanks!

Unknown said...

Where is a new Web service JCRYPT - for online encryption/decryption your data. It supports encryption for specific user and expiration date for encrypted data. For more details go to https://www.jmasters.info:8443/jcrypt/

Unknown said...

This is great! Now I can fully host my .emacs file to github without fear! Thanks.

PuercoPop said...

I loved this post. FYI: I've made an emacs package make a menu to copy the passwords and other sensitive data storted to the clipboard: https://github.com/PuercoPop/password-vault

JohanSRNielsen said...

Nice post! Following some of the comments, as well as my own main uses, I turned some of this functionality into a simple password-management package: simple-secrets.el.

I wanted something to help me with passwords for web-pages, etc. Instead of storing the passwords in Emacs variables, it has a function to quickly look up a password (Ido-powered) and copy it into the clipboard. One advantage is that passwords are never stored in Emacs memory (though the most recently looked up password is in the kill ring). The package also has convenience for auto-generating new passwords.
I've been using it for some months now and I find it quite convenient for this use.

Thanks for your blog!

Jiehong said...

This is a very old post, but perhaps someone knows about this: is it possible for emacs to assume that the key used for saving a pgp file is the same as the one used to decrypt it?

Currently, when opening a gpg file, Emacs will use gpg-agent to ask for the password, and decrypt the file. If close, and re-opened, emacs will open the file without asking for the password, thanks to gpg-agent.

However, for any small modification saved, Emacs will ask for the password twice…

Any solution known?