Securizing Org files with Org-crypt

Wed, Feb 23, 2022 2-minute read

Inspiration

This comes from the need that I am using python in org-babel to integrate my PM workflow between org-mode and JIRA.

I find myself very productive and confortable editing plain text for MoM, TODOs, and actions, and with org-mode I managed to structure the Just-in-time management workflow needed in my daily-basis.

Probably one day I will post something in regard of some kind of “Literate-Project Management”. A mix between GTD-Agile and org-mode. With a lot of automation (python and Selenium).

Anyway, let’s get to the point: I developed some code using the API to interact with JIRA and the integration is made with basic authentication, so it is nice to encript the sections in which the user and password is present.

After small search I found a tool to do so. org-crypt

Set-up

Requirement org-crypt.

Documentation:

https://orgmode.org/worg/org-tutorials/encrypting-files.html

You should add something like this:


(require 'org-crypt)
(org-crypt-use-before-save-magic)
(setq org-tags-exclude-from-inheritance (quote ("crypt")))
;; GPG key to use for encryption
;; Either the Key ID or set to nil to use symmetric encryption.
(setq org-crypt-key nil)

Then get your keys.

Documentation:

https://gnupg.org/gph/en/manual.html#INTRO


gpg --gen-key

You will be prompted to type your full name and to select one phrasekey, choose yours and you will get something similar to this. (The below data has been faked from the original, but you get the idea).


gpg: clave C88416C503929ADB marcada como de confianza absoluta
gpg: creado el directorio '/home/danioche/.gnupg/openpgp-revocs.d'
gpg: certificado de revocación guardado como '/home/danioche/.gnupg/openpgp-revocs.d/845AED494CCA194348E2A473C88416C503929ADB.rev'
claves pública y secreta creadas y firmadas.

pub   rsa3072 2022-02-23 [SC] [caduca: 2024-02-23]
      845AED494CCA194348E2A48345335278416503929ADB
uid                      Full Name <your.email@gmail.com>
sub   rsa3072 2022-02-23 [E] [caduca: 2024-02-23]


gpg --list-keys

Testing

If we use the default configuration everytime we save the org file a pop-up will show to encript the section, but I want to use the curren configured PGP key, to do so you will need to specify de ID of your pub pgp key. You can list it as shown in the section above and you can configure it on your .emacs as shown in the set-up section.

That is:


(setq org-crypt-key "845AED494CCA194313225473C88416C503929ADB")

Then as soon as you save the :crypt: sections will be encripted using your key stored.

In order to decript tye section you will need to use org-decrypt-entry once you are (your cursor) in the entry desired to be decrypted. Secret Phrase will be requested.

Test crypt

—–BEGIN PGP MESSAGE—–

hQGMA9k33lieqbL8AQv8DCWzttlsrSxP9dRYEh27lcG+MJrfHgZsPN84W0d+7eQn 8OOnDTv2ZlZ40u5p3REXET2bpAA3i3rvZ3WR+R5cdptCIY+bzXTwPC/8pgXci7SD EStqrUmDGddOhSqPXEVNBw2ZwpeEPDEa1I0BDVUSdWLe/5RsD1G9i1OwbibGD01P 7GZ51+YvUJiXxrWZNOTHir+GdGHzN2Gz8LyUwEtikpiT2EF2NQv+p2AMuBxFQGFj /tyvyji4s4FH33ETRc8XeLLhSiDs5btMlflVtI3eo6Bqpad0ARIQemIVjxYW5vJr 4Njdwp7zLB7Wj/ZBq5DxIQ88aWvwWv+rZ0ALzUDPgdnk6kso2UdMkZb4Rdksw5u4 6epV7jfk5iUNmYZXEzbYE1h4JIgQmEd727Ty1AAO+3vwWVkhZGLhW91VkIuaO3/2 7YRxWUBIeU4TwdW4kZYqeiJvnccNICdaNXIDpS4PUW0i4B+7+TMrWtKJLcr/Nf7c bsNaP48U9UzhvpLLYDyd0qsB4WATgosqOb7ehIk8+z7Ax4X2L68FLVK+8GCqXfj4 ZzWVUNOB8C28YYsuzqKqyDUA6Y7siJ8jZjFC8eqUixgdzUM7zZm/GcJaoU12lxy7 UzyMKyCXVaAyqZq2kbCBDVdripxX5b4NLKwrjdE6k9xce2o1ckjkcJMAZWbpDKrg +bd+v4t0HNomjY1B+iPcuiCWkkzLzQlBXOx0bm8pDU9rT8gIsqnQ2lIJ/e4= =0UkC —–END PGP MESSAGE—–