From: David Masterson
To: Tim Cross
Cc: emacs-orgmode@gnu.org
Subject: Re: org-crypt ?
Date: Sat, 11 Jun 2022 20:07:36 -0700
References: <871qvvesqh.fsf@gmail.com> <871qvuy8vn.fsf@gmail.com>
In-Reply-To: <871qvuy8vn.fsf@gmail.com> (Tim Cross's message of "Sun, 12 Jun 2022 10:28:47 +1000")
X-Microsoft-Original-Message-ID: <877d5mtw93.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
List-Id: "General discussions about Org-mode."

Tim Cross writes:

> David Masterson writes:
>
>> Tim Cross writes:
>>
>>> Warning: I have not used org-crypt for many years. These days, I just
>>> use a .org.gpg extension and symmetrically encrypt the whole file.
>>> However, I think I can probably answer some of your questions -
>>
>> Hmm, two questions that this brings up:
>>
>> 1. Do you access your files on (say) iPhone?
>> 2. Do you store your files in Git (say Github)?
>>
>
> Well, yes and yes, but I don't tend to need to access encrypted files on
> iPhone. I do have encrypted files in github. For example, I have a
> private repository of files I share across computers (Linux and macOS).
> Some of these files are gpg encrypted.

Exactly the system I'm looking for! (or almost)

I am already using (Emacs, Org, Magit) on Linux, (BeOrg, Working Copy) on
the iPhone, and a Github private repository. This is complicated for the
new user (like me w/ 42yrs [off and on] of Emacs usage), but Git has
saved me a number of times on resyncing if I change things on both
sides. But I would like to use more encryption with this. When it's
secure, I'd like to roll it out on my family's iPhones as well.

> Determining which parts are encrypted isn't hard. However, how do you
> know which key to associate with each bit? The only solution I can see
> is to attempt every known symmetric key on each chunk until one works and
> if none of the known ones work, ask for another one. This could be how
> it works, but that seems extremely inefficient and difficult to manage
> to me.
>
> The other problem is how to prompt for the key. Let's say you have 10
> encrypted items in an org file, each encrypted with a different
> symmetric key. Org has to ask the user for the key for each one. What
> goes into the prompt to give the user an idea which of the 10 different
> keys to enter? I guess it could say "Enter key for chunk 1:" and "Enter
> key for chunk 2:", but I'm not sure that is good. The system could use
> the section heading, but I didn't see anything to indicate it would do
> that when scanning the code, but perhaps I missed it.
>
>
>>
>> Hmm, you're suggesting you don't use org-(en/de)crypt. The manual
>> doesn't spell out very well how to do that. Where do you put your key
>> for symmetric encryption?
>>
>
> With symmetric encryption, there is no 'key' to put anywhere. The key
> is the password/passphrase. You only have a 'key' with asymmetric
> encryption, where you have two files, the private and public key. These
> are managed by gnupg in the .gnupg directory (typically).

Problem with my terminology, I guess.

> One thing which you may find helpful is to look at the 3 separate layers
> involved with org-crypt as they all have their own manual and each layer
> provides some of the information you are after i.e.
>
> - Encryption/decryption and key management is largely handled by gnupg.
> The documentation associated with gnupg is pretty good and will likely
> answer many of your questions.

Hmm. Okay.

> - The interface to gnupg from within Emacs is managed by easyPG, which
> basically consists of two libraries - epa, which provides the Emacs
> interface layer for gnupg, and epg, which provides a library that can be
> used by Emacs packages to access gnupg. This is primarily what org-crypt
> uses. The easyPG manual is pretty good and contains some good
> information.

Okay.

> - org-crypt, which is a very light-weight wrapper around the epg
> functions. It provides the basic integration between org and easyPG.

Org-crypt needs more documentation to point to the other two as well as
provide a simple example to help people know if they are on the right
track.

>>> What is your use case where you need multiple symmetric encryption keys
>>> in one file?
>>
>> One broken key doesn't give up the whole file.
>>
>
> That might be a false sense of security. The big weakness with symmetric
> encryption is the key/passphrase. It suffers from the same problem as
> passwords (which are mostly 'human'). If one of your keys is weak enough
> that it has been broken, the odds are pretty high that the others will be as
> well. The likelihood with symmetric encryption is higher because
> everything is based on the key/passphrase you supply. With asymmetric
> encryption, the key is not related to the passphrase. To breach the key,
> someone needs to either get hold of the private key and the passphrase
> (assuming it has a passphrase, which is normal practice for a secure
> setup) or they need to crack the very strong key.
>
> For that use case, I would use asymmetric rather than symmetric
> encryption.

Hmm. Point taken. I have to work on understanding asymmetric encryption
with org-crypt more.

Thanks
--
David Masterson
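As an added example (not code from the thread or from the Org project), a minimal Emacs configuration for the asymmetric org-crypt setup Tim recommends, shown beside the symmetric default; KEYID and OTHER-KEYID are placeholders for keys in your own gnupg keyring.

```elisp
;; Added example, not from the thread: org-crypt configured for
;; asymmetric (public-key) encryption. KEYID is a placeholder.
(require 'org-crypt)
(require 'epa)   ; Emacs-side EasyPG interface; org-crypt uses epg underneath

;; Weak/default setting: nil means symmetric encryption, so every entry is
;; only as strong as the passphrase typed at the prompt.
;; (setq org-crypt-key nil)

;; Recommended: name a public key. Entries are encrypted to this key, and
;; the matching private key (plus its passphrase) is needed to decrypt.
(setq org-crypt-key "KEYID")            ; placeholder: fingerprint or user ID

;; Encrypt :crypt: entries automatically when the buffer is saved, so
;; plaintext does not reach disk (or a Git commit) by accident.
(org-crypt-use-before-save-magic)

;; Keep the :crypt: tag from being inherited by sub-headings; otherwise
;; nested entries would be encrypted a second time inside the parent.
(setq org-tags-exclude-from-inheritance '("crypt"))

;; Auto-save would otherwise write decrypted text to #file.org#.
;; 'encrypt re-encrypts entries before auto-saving instead of disabling it.
(setq org-crypt-disable-auto-save 'encrypt)

;; Per-entry override: a CRYPTKEY property selects a different recipient
;; for one heading. With public keys the "which key belongs to which
;; chunk" question is answered by the recipient stored in the ciphertext,
;; so no trial decryption is needed:
;;   * Family notes                                           :crypt:
;;     :PROPERTIES:
;;     :CRYPTKEY: OTHER-KEYID
;;     :END:

;; For the whole-file approach (foo.org.gpg handled by epa-file), pin the
;; recipient per file with a file-local variable on its first line:
;;   # -*- epa-file-encrypt-to: ("KEYID") -*-

;; Interactive commands once this is loaded:
;;   M-x org-decrypt-entry    decrypt the entry at point
;;   M-x org-encrypt-entries  re-encrypt every :crypt: entry in the buffer
;;   M-x org-decrypt-entries  decrypt them all
```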