### Clinton Boys

Australian data scientist and mathematician, living in Tel Aviv.

# Encrypting files in emacs org-mode

People who use org-mode in emacs for sensitive things like keeping a private journal, or recording their unprocessed thoughts on all manner of subjects, have reason to want their files securely encrypted, particularly if they use a cloud syncing service, like Dropbox or iCloud, which is not end-to-end encrypted.

This is usually accomplished in emacs using GPG, free software that allows a user to generate asymmetric key pairs which they can use to encrypt and decrypt files (and send and receive encrypted messages). I won’t go into the mathematics behind how public-key cryptography works, and it really isn’t important for this use case, as you can wrap the private key with a short password, which you can enter whenever you want to decrypt a message or file.

In order to work seamlessly, encryption in emacs should work as follows:

• desired files (not every file, this should be configurable) should be encrypted when created or saved
• the encrypted file is then saved to disk (and synced to the cloud if desired)
• when the encrypted file is opened, the user is prompted to enter the passphrase for their private key (the prompt can only appear once a session, or on machine restart, or every time, depending on the user’s needs)

This is all relatively easy to accomplish in emacs using GPG and the EasyPG package. It’s worth mentioning that this is all on macOS 10.15.2 Catalina with GNU Emacs 26.2.

### Setting up GPG

You’ll need to download GnuPG; on macOS if you have brew installed you can just

```sh
brew install gnupg21
```
Once the install has finished you can set up your key with

```sh
gpg --full-generate-key
```

and follow the prompts to create an asymmetric key pair.

• You’ll want to select “(1) RSA and RSA (default)” as the type of key you want; this is just to signify you want to generate a standard RSA private key, and also a corresponding public key.
• You need to choose the size of your key in bits (higher is better in terms of security, and since you’re never going to interact with the key directly you may as well go with the largest option).
• You can set an expiry time for your private key; unless you know what you’re doing I wouldn’t suggest trying to do this.
• You’ll also need to enter your name and email. GPG makes a point of saying “your real name”; I think this is more because of how widely public keyservers are used in Germany. Obviously there’s no need to use your real name unless you want people to be able to find your public key when they search for you on public keyservers.
• And finally you’ll need to enter a password that protects your private key. If you lose this password you will be unable to decrypt any of your encrypted files. There’s no “forgot my password” feature. Unless you discover a way to crack RSA encryption, your encrypted files are lost forever if you lose your password.

It’s also important to point out that in order to decrypt you need to keep the actual private key file (not just the password), which GnuPG stores by default in ~/.gnupg. So if you lose the computer with the key on it, you lose the key.

### Configuring emacs

I added the following to my emacs init.el file, where MY_EMAIL_ADDRESS is the email address I entered when I configured the key above.

```elisp
(use-package epa-file
  :ensure nil                        ;; ships with Emacs, nothing to install
  :custom
  (epa-file-select-keys 'silent))    ;; don't prompt for a recipient on every save
```

(use-package org-crypt
  :ensure nil  ;; included with org-mode
  :after org
  :config
  (org-crypt-use-before-save-magic)                       ;; encrypt tagged entries before each save
  (setq org-tags-exclude-from-inheritance '("crypt"))     ;; don't let sub-entries inherit the tag
  :custom