* org-crypt ? @ 2022-06-10 4:08 David Masterson 2022-06-11 3:35 ` Tim Cross 2022-06-11 4:17 ` Ihor Radchenko 0 siblings, 2 replies; 14+ messages in thread From: David Masterson @ 2022-06-10 4:08 UTC (permalink / raw) To: emacs-orgmode I think I've gotten org-crypt working, but I think some things are not making sense (it might be just me): 1. I've set org-crypt-key to nil (symmetric encryption). 2. Can I use a different encryption key for each encrypted paragraph? 3. Does org-encrypt only ask for the key the first time? 4. Does org-decrypt only ask for the key the first time? 5. How do they know where to get the password when they don't ask? 6. Shouldn't org-crypt docs in org manual have examples? Does this make sense -- I think I'm messing something up. -- David Masterson ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-10 4:08 org-crypt ? David Masterson @ 2022-06-11 3:35 ` Tim Cross 2022-06-11 21:29 ` David Masterson 2022-06-11 4:17 ` Ihor Radchenko 1 sibling, 1 reply; 14+ messages in thread From: Tim Cross @ 2022-06-11 3:35 UTC (permalink / raw) To: emacs-orgmode David Masterson <dsmasterson@gmail.com> writes: > I think I've gotten org-crypt working, but I think some things are not > making sense (it might be just me): > > 1. I've set org-crypt-key to nil (symmetric encryption). > 2. Can I use a different encryption key for each encrypted paragraph? > 3. Does org-encrypt only ask for the key the first time? > 4. Does org-decrypt only ask for the key the first time? > 5. How do they know where to get the password when they don't ask? > 6. Shouldn't org-crypt docs in org manual have examples? > Does this make sense -- I think I'm messing something up. Warning: I have not used org-crypt for many years. These days, I just use a .org.gpg extensions and symmetrically encrypt the whole file. However, I think I can probably answer some of your questions - > 2. Can I use a different encryption key for each encrypted paragraph? According to the manual - No, not with symmetric encryption. I think this can only work with asymmetric encryption. If your using symmetric encryption, you typically just have one key for all the data within the file. From the gnuPG perspective, this is just encrypted text. It does not 'know' about different paragraphs. To have different encryption with each paragraph, you would need to specify different keys and there is no mechanism to do that with symmetric encryption only asymmetric. What is your use case where you need multiple symmetric encryption keys in one file? > 3. Does org-encrypt only ask for the key the first time? > 4. Does org-decrypt only ask for the key the first time? Well that can depend on your environment and how it is configured. These days, most Linux desktops and macOS have a form of GPG Agent and/or keyring (I'd assume similar wiht Windows, but don't use that platform). Typically, these agents/keyrings are configured to cache passphrases for a period of time. Sometimes, you can tell the keyring keys it has access to without the passphrase provided your login key has been 'opened'. So for example, the passwords for my imap accounts are in a gpg file and I've told my keyring agent to always allow access to those keys (this was an option in the passphrase dialogue box). I also think epa has support for caching of passphrases. Therefore, it could be that Emacs is caching the key for you and it will keep it in a session cache for a period of time or until the session is closed. One way to sort out where the caching is occurring might be to try decrypting outside of Emacs just using gnupg. If it asks for the key but does not ask when doing it within Emacs, then it is probably Emacs doing the caching. > 5. How do they know where to get the password when they don't ask? See above re: caching, keyrings and gpg agents. > 6. Shouldn't org-crypt docs in org manual have examples? Probably, though I don't know what else you would put in there which isn't already there. Feel free to supply a PR or patch once you have worked it out. However, as noted in the commentary section, org-crypt.el is really a very light-weight wrapper around functions in epg.el, so likely the first place to start when looking for documentation and examples is the epa/epg/easyPG manual ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-11 3:35 ` Tim Cross @ 2022-06-11 21:29 ` David Masterson 2022-06-12 0:28 ` Tim Cross 0 siblings, 1 reply; 14+ messages in thread From: David Masterson @ 2022-06-11 21:29 UTC (permalink / raw) To: Tim Cross; +Cc: emacs-orgmode Tim Cross <theophilusx@gmail.com> writes: > David Masterson <dsmasterson@gmail.com> writes: > >> I think I've gotten org-crypt working, but I think some things are not >> making sense (it might be just me): >> >> 1. I've set org-crypt-key to nil (symmetric encryption). >> 2. Can I use a different encryption key for each encrypted paragraph? >> 3. Does org-encrypt only ask for the key the first time? >> 4. Does org-decrypt only ask for the key the first time? >> 5. How do they know where to get the password when they don't ask? >> 6. Shouldn't org-crypt docs in org manual have examples? >> Does this make sense -- I think I'm messing something up. > > Warning: I have not used org-crypt for many years. These days, I just > use a .org.gpg extensions and symmetrically encrypt the whole file. > However, I think I can probably answer some of your questions - Hmm, two questions that this brings up: 1. Do you access your files on (say) iPhone? 2. Do you store your files in Git (say Github)? >> 2. Can I use a different encryption key for each encrypted paragraph? > > According to the manual - > > No, not with symmetric encryption. I think this can only work with > asymmetric encryption. This needs to be spelled out better. > If your using symmetric encryption, you typically just have one key for > all the data within the file. From the gnuPG perspective, this is just > encrypted text. It does not 'know' about different paragraphs. To have > different encryption with each paragraph, you would need to specify > different keys and there is no mechanism to do that with symmetric > encryption only asymmetric. org-(en/de)crypt ?? Hmm, you're suggesting you don't use org-(en/de)crypt. The manual doesn't spell out very well how to do that. Where do you put your key for symmetric encryption? > What is your use case where you need multiple symmetric encryption keys > in one file? One broken key doesn't give up the whole file. >> 6. Shouldn't org-crypt docs in org manual have examples? > > Probably, though I don't know what else you would put in there which > isn't already there. Feel free to supply a PR or patch once you have > worked it out. However, as noted in the commentary section, org-crypt.el > is really a very light-weight wrapper around functions in epg.el, so > likely the first place to start when looking for documentation and > examples is the epa/epg/easyPG manual Not good at writing these days, buy I'll consider. -- David Masterson ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-11 21:29 ` David Masterson @ 2022-06-12 0:28 ` Tim Cross 2022-06-12 1:37 ` Ihor Radchenko 2022-06-12 3:07 ` David Masterson 0 siblings, 2 replies; 14+ messages in thread From: Tim Cross @ 2022-06-12 0:28 UTC (permalink / raw) To: David Masterson; +Cc: emacs-orgmode David Masterson <dsmasterson@gmail.com> writes: > Tim Cross <theophilusx@gmail.com> writes: > >> David Masterson <dsmasterson@gmail.com> writes: >> >>> I think I've gotten org-crypt working, but I think some things are not >>> making sense (it might be just me): >>> >>> 1. I've set org-crypt-key to nil (symmetric encryption). >>> 2. Can I use a different encryption key for each encrypted paragraph? >>> 3. Does org-encrypt only ask for the key the first time? >>> 4. Does org-decrypt only ask for the key the first time? >>> 5. How do they know where to get the password when they don't ask? >>> 6. Shouldn't org-crypt docs in org manual have examples? >>> Does this make sense -- I think I'm messing something up. >> >> Warning: I have not used org-crypt for many years. These days, I just >> use a .org.gpg extensions and symmetrically encrypt the whole file. >> However, I think I can probably answer some of your questions - > > Hmm, two questions that this brings up: > > 1. Do you access your files on (say) iPhone? > 2. Do you store your files in Git (say Github)? > Well, yes and yes, but I don't tend to need to access encrypted files on iphone. I do have encrypted files in github. For example, I have a private repository of files I share across computers (Linux and macOS). Some of these files are gpg encrypted. >>> 2. Can I use a different encryption key for each encrypted paragraph? >> >> According to the manual - >> >> No, not with symmetric encryption. I think this can only work with >> asymmetric encryption. > > This needs to be spelled out better. Ihor's response to this indicates I'm incorrect here. As I stated earlier, it has been a long time since I used org-crypt, so I'd trust his advice more. However, from a technical perspective, I don't understand how gnupg or org-crypto can prompt to get the different keys and know which chunk to apply which key to, but that is my limited technical expertise more than anything else. With asymmetric encryption, you specify the key name, so it knows which key belongs with each encrypted chunk. I don't see in the code how this is handled for symmetric encryption where no key name is specified. With symmetric encryption, the key is really just the passphrase. GnuPG asks you for the key (passpharase) and it uses that to encrypt/decrypt the data. With asymmetric, there is a public and private pair and an associated 'name'. When encrypting, it knows or asks for the key name and uses the public key and for decrypting, the private key, which most often (but not always) has a passphrase used to unlock it. > >> If your using symmetric encryption, you typically just have one key for >> all the data within the file. From the gnuPG perspective, this is just >> encrypted text. It does not 'know' about different paragraphs. To have >> different encryption with each paragraph, you would need to specify >> different keys and there is no mechanism to do that with symmetric >> encryption only asymmetric. > > org-(en/de)crypt ?? Determining which parts are encrypted isn't hard. However, how do you know which key to associate with each bit? The only solution I can see is to attempt every known symetric key to each chunk until one works and if none of the known ones work, ask for another one. This could be how it works, but that seems extremely inefficient and difficult to manage to me. The other problem is how to prompt for the key. Lets say you have 10 encrypted items in an org file, each encrypted with a different symmetric key. Org has to ask the user for the key for each one. What goes into the prompt to give the user an idea which of the 10 different keys to enter? I guess it could say "Entger key for chunk 1:" and "Enter key for chunk2":, but I'm not sure that is good. The system could use the section heading, but I didn't see anything to indicate it would do that when scanning the code, but perhaps I missed it. > > Hmm, you're suggesting you don't use org-(en/de)crypt. The manual > doesn't spell out very well how to do that. Where do you put your key > for symmetric encryption? > With symmetric encryhption, there is no 'key' to put anywhere. The key is the password/passphrase. You only have a 'key' with asymmetric encryption, where you have two files, the private and public key. These are managed by gnupg in the .gnupg directory (typically). One thing which you may find helpful is to look at the 3 separate layers involved with org-crypt as they all have their own manual and each layer provides some of the information you are after i.e. - Encryption/decryption and key management is largely handled by gnupg. The documentation associated with gnupg is pretty good and will likely answer many of your questions. - The interface to gnupg from within Emacs is managed by easyPG, which basically consists of two libraries - epa, whihc provides the Emacs interface layer for gnupg and epg, which provides a library that can be used by Emacs packages to access gnupg. This is primarily what org-crypt uses. The easyPG manual is pretty good and contains some good information. - org-crypt, which is a very light-weight wrapper around the epg functions. It provides the basic integration between org and easyPG. >> What is your use case where you need multiple symmetric encryption keys >> in one file? > > One broken key doesn't give up the whole file. > That might be a false sense of security. The big weakness with symmetric encryption is they key/passphrase. It suffers from the same problem of passwords (which are mostly 'human'). If one of your keys is weak enough it has been broken, the odds are pretty high that the others will be as well. The likelihood with symmetric encrytion is higher because everything is based on the key/passphrase you supply. With asymmetric encryption, the key is not related to the passphrase. To breach the key, someone needs to either get hold of the private key and the passphrase (assuming it has a passphrase, which is normal practice for secure setup) or they need to crack the very strong key. For that use case, I would use asymmetric rather than symmetric encryuption. >>> 6. Shouldn't org-crypt docs in org manual have examples? >> >> Probably, though I don't know what else you would put in there which >> isn't already there. Feel free to supply a PR or patch once you have >> worked it out. However, as noted in the commentary section, org-crypt.el >> is really a very light-weight wrapper around functions in epg.el, so >> likely the first place to start when looking for documentation and >> examples is the epa/epg/easyPG manual > > Not good at writing these days, buy I'll consider. Please do. Often the best documentation comes from end users rather than developers. The developer is often too close to the code, which makes it harder for them to appreciate what users don't understand/know. For a user, the challenges they encounter are often 'fresher' and puts them in a better place to explain things. People on the list will provide feedback to help clarify and improve what you write. I would highly recommend looking at the easyPG and gnuPG documentation. It is quite likely all that needs to be done to improve the documentation is add some appropriate links to the documentation for those two projects. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 0:28 ` Tim Cross @ 2022-06-12 1:37 ` Ihor Radchenko 2022-06-12 3:07 ` David Masterson 1 sibling, 0 replies; 14+ messages in thread From: Ihor Radchenko @ 2022-06-12 1:37 UTC (permalink / raw) To: Tim Cross; +Cc: David Masterson, emacs-orgmode Tim Cross <theophilusx@gmail.com> writes: > Ihor's response to this indicates I'm incorrect here. As I stated > earlier, it has been a long time since I used org-crypt, so I'd trust > his advice more. However, from a technical perspective, I don't > understand how gnupg or org-crypto can prompt to get the different keys > and know which chunk to apply which key to, but that is my limited > technical expertise more than anything else. With asymmetric encryption, > you specify the key name, so it knows which key belongs with each > encrypted chunk. I don't see in the code how this is handled for > symmetric encryption where no key name is specified. If you run M-x org-decrypt-entry, the prompt will be for that entry. It is up to the user to figure out which key is the key to be used there. If you run M-x org-decrypt-entries, it simply runs org-decrypt-entry on each encrypted headline appearing in the buffer. From top to bottom. No indication will be done about which headline is being processed at any given point. The user may need to count. Of course, the last scenario is not very user-friendly, but I doubt that many users really use different symmetric encryption keys on different headings in a single file. Nobody bothered enough to implement a more verbose prompt. >>> Probably, though I don't know what else you would put in there which >>> isn't already there. Feel free to supply a PR or patch once you have >>> worked it out. However, as noted in the commentary section, org-crypt.el >>> is really a very light-weight wrapper around functions in epg.el, so >>> likely the first place to start when looking for documentation and >>> examples is the epa/epg/easyPG manual >> >> Not good at writing these days, buy I'll consider. > > Please do. Often the best documentation comes from end users rather than > developers. The developer is often too close to the code, which makes it > harder for them to appreciate what users don't understand/know. For a > user, the challenges they encounter are often 'fresher' and puts them in > a better place to explain things. People on the list will provide > feedback to help clarify and improve what you write. Fully agree. It is too easy to skip "obvious" things in documentation when you know ins and outs of the code. Best, Ihor ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 0:28 ` Tim Cross 2022-06-12 1:37 ` Ihor Radchenko @ 2022-06-12 3:07 ` David Masterson 2022-06-12 4:04 ` Tim Cross 2022-06-12 4:15 ` Ihor Radchenko 1 sibling, 2 replies; 14+ messages in thread From: David Masterson @ 2022-06-12 3:07 UTC (permalink / raw) To: Tim Cross; +Cc: emacs-orgmode Tim Cross <theophilusx@gmail.com> writes: > David Masterson <dsmasterson@gmail.com> writes: > >> Tim Cross <theophilusx@gmail.com> writes: >> >>> Warning: I have not used org-crypt for many years. These days, I just >>> use a .org.gpg extensions and symmetrically encrypt the whole file. >>> However, I think I can probably answer some of your questions - >> >> Hmm, two questions that this brings up: >> >> 1. Do you access your files on (say) iPhone? >> 2. Do you store your files in Git (say Github)? >> > > Well, yes and yes, but I don't tend to need to access encrypted files on > iphone. I do have encrypted files in github. For example, I have a > private repository of files I share across computers (Linux and macOS). > Some of these files are gpg encrypted. Exactly the system I'm looking for! (or almost) I am already using (Emacs, Org, MaGit) on Linux, (BeOrg, Working Copy) on the iPhone, and a Github private repository. This is complicated to the new user (like me w/ 42yrs [off and on] of Emacs usage), but Git has saved me a number of times on resyncing if I change things on both sides. But I would like to use more encryption with this. When it's secure, I'd like to roll it out on my family's iPhones as well. > Determining which parts are encrypted isn't hard. However, how do you > know which key to associate with each bit? The only solution I can see > is to attempt every known symetric key to each chunk until one works and > if none of the known ones work, ask for another one. This could be how > it works, but that seems extremely inefficient and difficult to manage > to me. > > The other problem is how to prompt for the key. Lets say you have 10 > encrypted items in an org file, each encrypted with a different > symmetric key. Org has to ask the user for the key for each one. What > goes into the prompt to give the user an idea which of the 10 different > keys to enter? I guess it could say "Entger key for chunk 1:" and "Enter > key for chunk2":, but I'm not sure that is good. The system could use > the section heading, but I didn't see anything to indicate it would do > that when scanning the code, but perhaps I missed it. > > >> >> Hmm, you're suggesting you don't use org-(en/de)crypt. The manual >> doesn't spell out very well how to do that. Where do you put your key >> for symmetric encryption? >> > > With symmetric encryhption, there is no 'key' to put anywhere. The key > is the password/passphrase. You only have a 'key' with asymmetric > encryption, where you have two files, the private and public key. These > are managed by gnupg in the .gnupg directory (typically). Problem with my terminology, I guess. > One thing which you may find helpful is to look at the 3 separate layers > involved with org-crypt as they all have their own manual and each layer > provides some of the information you are after i.e. > > - Encryption/decryption and key management is largely handled by gnupg. > The documentation associated with gnupg is pretty good and will likely > answer many of your questions. Hmm. Okay. > - The interface to gnupg from within Emacs is managed by easyPG, which > basically consists of two libraries - epa, which provides the Emacs > interface layer for gnupg and epg, which provides a library that can be > used by Emacs packages to access gnupg. This is primarily what org-crypt > uses. The easyPG manual is pretty good and contains some good > information. Okay. > - org-crypt, which is a very light-weight wrapper around the epg > functions. It provides the basic integration between org and easyPG. Org-crypt needs more documentation to point to the other two as well as provide a simple example to help people know if they are on the right track. >>> What is your use case where you need multiple symmetric encryption keys >>> in one file? >> >> One broken key doesn't give up the whole file. >> > > That might be a false sense of security. The big weakness with symmetric > encryption is they key/passphrase. It suffers from the same problem of > passwords (which are mostly 'human'). If one of your keys is weak enough > it has been broken, the odds are pretty high that the others will be as > well. The likelihood with symmetric encrytion is higher because > everything is based on the key/passphrase you supply. With asymmetric > encryption, the key is not related to the passphrase. To breach the key, > someone needs to either get hold of the private key and the passphrase > (assuming it has a passphrase, which is normal practice for secure > setup) or they need to crack the very strong key. > > For that use case, I would use asymmetric rather than symmetric > encryuption. Hmm. Point taken. I have to work on understanding asymmetric encryption with org-crypt more. Thanks -- David Masterson ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 3:07 ` David Masterson @ 2022-06-12 4:04 ` Tim Cross 2022-06-12 6:19 ` David Masterson 2022-06-12 4:15 ` Ihor Radchenko 1 sibling, 1 reply; 14+ messages in thread From: Tim Cross @ 2022-06-12 4:04 UTC (permalink / raw) To: David Masterson; +Cc: emacs-orgmode David Masterson <dsmasterson@gmail.com> writes: > Tim Cross <theophilusx@gmail.com> writes: > >> David Masterson <dsmasterson@gmail.com> writes: >> >>> Tim Cross <theophilusx@gmail.com> writes: >>> >>>> Warning: I have not used org-crypt for many years. These days, I just >>>> use a .org.gpg extensions and symmetrically encrypt the whole file. >>>> However, I think I can probably answer some of your questions - >>> >>> Hmm, two questions that this brings up: >>> >>> 1. Do you access your files on (say) iPhone? >>> 2. Do you store your files in Git (say Github)? >>> >> >> Well, yes and yes, but I don't tend to need to access encrypted files on >> iphone. I do have encrypted files in github. For example, I have a >> private repository of files I share across computers (Linux and macOS). >> Some of these files are gpg encrypted. > > Exactly the system I'm looking for! (or almost) > > I am already using (Emacs, Org, MaGit) on Linux, (BeOrg, Working Copy) > on the iPhone, and a Github private repository. This is complicated to > the new user (like me w/ 42yrs [off and on] of Emacs usage), but Git has > saved me a number of times on resyncing if I change things on both > sides. But I would like to use more encryption with this. When it's > secure, I'd like to roll it out on my family's iPhones as well. > I suspect the challenge will be in getting gnuPG support on the iphone. I've never tried that and don't know if there is a gnuPG version for iphone. That would be the first thing I'd try to verify. If you can encrypt/decrypt on the iphone, it should be possible to handle the rest. The one problem you can run into with gpg files and git is that git can see those as binary files. The general 'rule of thumb' is that you don't put binary files into git. The thinking is that binary files are typically generated from some text file and it is the original source text which you would put into git. There are also some minor technical issues, mainly with large binary files, which make git somewhat inefficient. The big issue however is that by default, most git forges, like github, have a limit on the siace of binary files they will allow in git. That size is reasonably large, but there is a limit which I think you have to pay to have increased. I've not run into that limit with encrypted files, but have with PDFs and other formats I wanted to include in my git repo. <snip> > > Hmm. Point taken. I have to work on understanding asymmetric > encryption with org-crypt more. > The main downside with asymmetric encryption is that if you want different keys you have to create lots of different keys and manage them securely. With symmetric encryption, you just have to remember passwords/passphrases. The big advantage with asymmetric is that encryption and decryption are separated. Someone can have your public key and can encrypt data which only you (or whomever has the private key) can decrypt. Based on your desire to roll something out to your family, I would actually recommend a different route. There are some very good open source password managers out there. Many of them, for a very small fee (i.e. $12pa), will also provide a few Gb of encrypted file storage as well. What I find good with some of these is that provided you select the right one, you have full control over the encryption (so the server the provider uses has your data encrypted and only you have the key) and they usually have mobile device support. The big benefit is that the mobile clients will take care of the encryption/decryption bits. Personally, I've been using ipassword for years, but if I was setting things up now from scratch, I would be chekcing out bitwarden and keypass (as well as some others) as possible alternatives. These password managers have grown to be alot more than just password managers. They typically have some support for encrypted files as well as 'secure notes'. The basic architecture of many (especailly the open source ones) is basically the same as your outlined use case - benefit is they have taken care of all the nitty gritty stuff and most of them are based on the same technology (i.e. gnupg under the hood). The other benefit is you also often get support for 2FA/OTP, hardware keys like yubikey etc. Such solutions are also often easier for family members who may not be as technical oriented to learn/use. I also used lastpass at one of the businesses I worked for. While it was a pretty good product when it was first released, I would no longer recommend them. The quality and reliability seems ot have dropped off significantly once they were sold to LogMeIn. I did use borg, though not so much since I retired. It worked OK, but I really just used it to manage tasks and keep notes using my tablet or iphone (I usually used my ipad for meetings). However, since retirement and no longer needing to interact with 'enterprise' environments, my macbook and ipad are pretty much dust collectors! Everything these days is just on my Linux system. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 4:04 ` Tim Cross @ 2022-06-12 6:19 ` David Masterson 0 siblings, 0 replies; 14+ messages in thread From: David Masterson @ 2022-06-12 6:19 UTC (permalink / raw) To: Tim Cross; +Cc: emacs-orgmode Tim Cross <theophilusx@gmail.com> writes: > David Masterson <dsmasterson@gmail.com> writes: > >> Tim Cross <theophilusx@gmail.com> writes: >> >>> David Masterson <dsmasterson@gmail.com> writes: >>> >>>> Tim Cross <theophilusx@gmail.com> writes: >>>> >>>>> Warning: I have not used org-crypt for many years. These days, I just >>>>> use a .org.gpg extensions and symmetrically encrypt the whole file. >>>>> However, I think I can probably answer some of your questions - >>>> >>>> Hmm, two questions that this brings up: >>>> >>>> 1. Do you access your files on (say) iPhone? >>>> 2. Do you store your files in Git (say Github)? >>>> >>> >>> Well, yes and yes, but I don't tend to need to access encrypted files on >>> iphone. I do have encrypted files in github. For example, I have a >>> private repository of files I share across computers (Linux and macOS). >>> Some of these files are gpg encrypted. >> >> Exactly the system I'm looking for! (or almost) >> >> I am already using (Emacs, Org, MaGit) on Linux, (BeOrg, Working Copy) >> on the iPhone, and a Github private repository. This is complicated to >> the new user (like me w/ 42yrs [off and on] of Emacs usage), but Git has >> saved me a number of times on resyncing if I change things on both >> sides. But I would like to use more encryption with this. When it's >> secure, I'd like to roll it out on my family's iPhones as well. >> > > I suspect the challenge will be in getting gnuPG support on the iphone. > I've never tried that and don't know if there is a gnuPG version for > iphone. That would be the first thing I'd try to verify. If you can > encrypt/decrypt on the iphone, it should be possible to handle the > rest. Ah, that's the "almost" that I'm still figuring out. BeOrg can work with symmetric encryption and org-crypt (perhaps also epa) which stores the encrypted stuff as text in the Org file (therefore, fully Git compatible). I'll have to look at BeOrg more about asymmetric encryption as well as full file encryption. > The one problem you can run into with gpg files and git is that git can > see those as binary files. The general 'rule of thumb' is that you don't > put binary files into git. The thinking is that binary files are > typically generated from some text file and it is the original source > text which you would put into git. There are also some minor technical > issues, mainly with large binary files, which make git somewhat > inefficient. > The big issue however is that by default, most git forges, like github, > have a limit on the siace of binary files they will allow in git. That > size is reasonably large, but there is a limit which I think you have to > pay to have increased. I've not run into that limit with encrypted > files, but have with PDFs and other formats I wanted to include in my > git repo. Yeah, saw some discussion on that and shied away... > Based on your desire to roll something out to your family, I would > actually recommend a different route. There are some very good open > source password managers out there. Many of them, for a very small fee > (i.e. $12pa), will also provide a few Gb of encrypted file storage as > well. Been using free versions of KeePass w/ Cloud storage. Very powerful on Windows. Reasonable elsewhere. The family is relatively easy when I have a stable environment. That involves full documentation with key things encrypted. I'm not sure about having them use BeOrg yet, though. > What I find good with some of these is that provided you select the > right one, you have full control over the encryption (so the server the > provider uses has your data encrypted and only you have the key) and > they usually have mobile device support. The big benefit is that the > mobile clients will take care of the encryption/decryption bits. I wanted to use Keybase (encrypted cloud-based Git) which would've covered everything, but it seems to have been bought out and died. -- David Masterson ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 3:07 ` David Masterson 2022-06-12 4:04 ` Tim Cross @ 2022-06-12 4:15 ` Ihor Radchenko 2022-06-12 5:55 ` David Masterson 1 sibling, 1 reply; 14+ messages in thread From: Ihor Radchenko @ 2022-06-12 4:15 UTC (permalink / raw) To: David Masterson; +Cc: Tim Cross, emacs-orgmode David Masterson <dsmasterson@gmail.com> writes: >> For that use case, I would use asymmetric rather than symmetric >> encryuption. > > Hmm. Point taken. I have to work on understanding asymmetric > encryption with org-crypt more. You just need to set org-crypt-key to your key name. Best, Ihor ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 4:15 ` Ihor Radchenko @ 2022-06-12 5:55 ` David Masterson 2022-06-14 4:13 ` Ihor Radchenko 0 siblings, 1 reply; 14+ messages in thread From: David Masterson @ 2022-06-12 5:55 UTC (permalink / raw) To: Ihor Radchenko; +Cc: Tim Cross, emacs-orgmode Ihor Radchenko <yantar92@gmail.com> writes: > David Masterson <dsmasterson@gmail.com> writes: > >>> For that use case, I would use asymmetric rather than symmetric >>> encryuption. >> >> Hmm. Point taken. I have to work on understanding asymmetric >> encryption with org-crypt more. > > You just need to set org-crypt-key to your key name. > As well as setup GnuPG properly... ;-) -- David Masterson ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-12 5:55 ` David Masterson @ 2022-06-14 4:13 ` Ihor Radchenko 0 siblings, 0 replies; 14+ messages in thread From: Ihor Radchenko @ 2022-06-14 4:13 UTC (permalink / raw) To: David Masterson; +Cc: Tim Cross, emacs-orgmode David Masterson <dsmasterson@gmail.com> writes: >> You just need to set org-crypt-key to your key name. >> > > As well as setup GnuPG properly... ;-) I remeber using https://wiki.gentoo.org/wiki/GnuPG as a reference. Best, Ihor ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-10 4:08 org-crypt ? David Masterson 2022-06-11 3:35 ` Tim Cross @ 2022-06-11 4:17 ` Ihor Radchenko 2022-06-11 21:17 ` David Masterson 1 sibling, 1 reply; 14+ messages in thread From: Ihor Radchenko @ 2022-06-11 4:17 UTC (permalink / raw) To: David Masterson; +Cc: emacs-orgmode David Masterson <dsmasterson@gmail.com> writes: > I think I've gotten org-crypt working, but I think some things are not > making sense (it might be just me): > > 1. I've set org-crypt-key to nil (symmetric encryption). > 2. Can I use a different encryption key for each encrypted paragraph? Yes. For each individual encrypted headline contents. Just enter different passwords when queried to encrypt. > 3. Does org-encrypt only ask for the key the first time? No. Strictly speaking it may depend on you GnuPG config. Not by default. > 4. Does org-decrypt only ask for the key the first time? Depends on your GnuPG config. AFAIK, GnuPG will not cache keys by default. > 5. How do they know where to get the password when they don't ask? From gpg-agent. > 6. Shouldn't org-crypt docs in org manual have examples? We can mention org-encrypt-entry/entries and org-decrypt-entry/entries. Would it help? Best, Ihor ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-11 4:17 ` Ihor Radchenko @ 2022-06-11 21:17 ` David Masterson 2022-06-11 21:46 ` Ignacio Casso 0 siblings, 1 reply; 14+ messages in thread From: David Masterson @ 2022-06-11 21:17 UTC (permalink / raw) To: Ihor Radchenko; +Cc: emacs-orgmode Ihor Radchenko <yantar92@gmail.com> writes: > David Masterson <dsmasterson@gmail.com> writes: > >> I think I've gotten org-crypt working, but I think some things are not >> making sense (it might be just me): >> >> 1. I've set org-crypt-key to nil (symmetric encryption). >> 2. Can I use a different encryption key for each encrypted paragraph? > > Yes. For each individual encrypted headline contents. Just enter > different passwords when queried to encrypt. > >> 3. Does org-encrypt only ask for the key the first time? > > No. Strictly speaking it may depend on you GnuPG config. Not by default. > >> 4. Does org-decrypt only ask for the key the first time? > > Depends on your GnuPG config. AFAIK, GnuPG will not cache keys by default. > >> 5. How do they know where to get the password when they don't ask? > > From gpg-agent. > >> 6. Shouldn't org-crypt docs in org manual have examples? > > We can mention org-encrypt-entry/entries and org-decrypt-entry/entries. > Would it help? Yes. Also, any basic config of gpg to work with. Also, a simple test example to show what should happen to help users determine if their heading the right way. Thanks -- David Masterson ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: org-crypt ? 2022-06-11 21:17 ` David Masterson @ 2022-06-11 21:46 ` Ignacio Casso 0 siblings, 0 replies; 14+ messages in thread From: Ignacio Casso @ 2022-06-11 21:46 UTC (permalink / raw) To: David Masterson; +Cc: Ihor Radchenko, emacs-orgmode Hello, I'll take this chance to bring this up again, since it's also an issue concerning org-crypt and it may be relevant if you decide to update org-crypt's documentation: https://lists.gnu.org/archive/html/emacs-orgmode/2021-12/msg00675.html. Regards, Ignacio David Masterson <dsmasterson@gmail.com> writes: > Ihor Radchenko <yantar92@gmail.com> writes: > >> David Masterson <dsmasterson@gmail.com> writes: >> >>> I think I've gotten org-crypt working, but I think some things are not >>> making sense (it might be just me): >>> >>> 1. I've set org-crypt-key to nil (symmetric encryption). >>> 2. Can I use a different encryption key for each encrypted paragraph? >> >> Yes. For each individual encrypted headline contents. Just enter >> different passwords when queried to encrypt. >> >>> 3. Does org-encrypt only ask for the key the first time? >> >> No. Strictly speaking it may depend on you GnuPG config. Not by default. >> >>> 4. Does org-decrypt only ask for the key the first time? >> >> Depends on your GnuPG config. AFAIK, GnuPG will not cache keys by default. >> >>> 5. How do they know where to get the password when they don't ask? >> >> From gpg-agent. >> >>> 6. Shouldn't org-crypt docs in org manual have examples? >> >> We can mention org-encrypt-entry/entries and org-decrypt-entry/entries. >> Would it help? > > Yes. Also, any basic config of gpg to work with. Also, a simple test > example to show what should happen to help users determine if their > heading the right way. > > Thanks ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2022-06-14 4:13 UTC | newest] Thread overview: 14+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-06-10 4:08 org-crypt ? David Masterson 2022-06-11 3:35 ` Tim Cross 2022-06-11 21:29 ` David Masterson 2022-06-12 0:28 ` Tim Cross 2022-06-12 1:37 ` Ihor Radchenko 2022-06-12 3:07 ` David Masterson 2022-06-12 4:04 ` Tim Cross 2022-06-12 6:19 ` David Masterson 2022-06-12 4:15 ` Ihor Radchenko 2022-06-12 5:55 ` David Masterson 2022-06-14 4:13 ` Ihor Radchenko 2022-06-11 4:17 ` Ihor Radchenko 2022-06-11 21:17 ` David Masterson 2022-06-11 21:46 ` Ignacio Casso
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).