~protesilaos/denote


Suggestions on how to encrypt denote notes?

Paul van Gelder <paul.vangelder@xs4all.nl>
Message ID: <1123434736.64290.1658954014673@kpc.webmail.kpnmail.nl>

Hello all,
 
Apologies if I am asking in the wrong forum.
 
I've just installed denote and really like it so far; I am currently exploring all customisation options. I would like to be able to encrypt/decrypt all/certain denote's notes. Can anyone suggest a best practice for that? Should I be using org-crypt, or perhaps use .gpg as file type? I have never used encryption before, but I intend to use (some of) these notes for confidential topics and I would like to do it securely. 
 
Ideally, it would be a solution that would have the encrypted notes in one cloud directory that I can access via different emacses on different computers with different OS.
 
Thanks for any suggestions, or pointing me towards the right forum to ask such questions!
 
Kind regards,
 
Paul

Message ID: <87a68uvubf.fsf@protesilaos.com>
In-Reply-To: <1123434736.64290.1658954014673@kpc.webmail.kpnmail.nl>

> From: Paul van Gelder <paul.vangelder@xs4all.nl>
> Date: Wed, 27 Jul 2022 22:33:34 +0200
>
> Hello all,

Hello Paul,

> Apologies if I am asking in the wrong forum.

No need to apologise: you did nothing wrong.  Besides, this is the right
place to discuss everything related to Denote.  It is open to all users.

> I've just installed denote and really like it so far; I am currently
> exploring all customisation options. I would like to be able to
> encrypt/decrypt all/certain denote's notes. Can anyone suggest a best
> practice for that? Should I be using org-crypt, or perhaps use .gpg as
> file type? I have never used encryption before, but I intend to use
> (some of) these notes for confidential topics and I would like to do
> it securely.

Before figuring out a suggested workflow, I need to make at least some
small changes to Denote in order to make it work properly with files
ending in ".gpg".  Will do it as soon as I send out this email.

Once that is done, Denote should have no role in the matter.  This is
standard Emacs procedure.  The way I encrypt files is to use the command
'epa-dired-do-encrypt' which is bound by default to ': e' (without the
quotes).

Though I only do this manually.  I suppose you need an automatic
solution?  If yes, I need to research the available options.  Perhaps it
could be done with a little help from Denote: it would append a ".gpg"
extension to the file and then arrange for a hook or file-local variable
that performs the encryption.

I leave the workflow with a question mark for now.  Perhaps someone else
has a better idea.

> Ideally, it would be a solution that would have the encrypted notes in
> one cloud directory that I can access via different emacses on
> different computers with different OS.

Is this directory a subdirectory of 'denote-directory'?  Is it part of
your regular notes, that is?  Or do you want it to be strictly separate
from them?

We do support strict separation.  These are called "silos".  You can
read about them in the manual.  If you have the GNU ELPA package
installed, evaluate:

    (info "(denote) Maintain separate directories for notes")

Or visit: <https://protesilaos.com/emacs/denote#h:15719799-a5ff-4e9a-9f10-4ca03ef8f6c5>

> Thanks for any suggestions, or pointing me towards the right forum to
> ask such questions!

You are welcome!  More to follow soon.

All the best,
Protesilaos (or simply "Prot")

-- 
Protesilaos Stavrou
https://protesilaos.com

Message ID: <87zggri18d.fsf@protesilaos.com>
In-Reply-To: <87a68uvubf.fsf@protesilaos.com>

Hello again Paul,

> From: Protesilaos Stavrou <info@protesilaos.com>
> Date: Thu, 28 Jul 2022 05:34:44 +0300
>
> Before figuring out a suggested workflow, I need to make at least some
> small changes to Denote in order to make it work properly with files
> ending in ".gpg".  Will do it as soon as I send out this email.

I made that change.

> Once that is done, Denote should have no role in the matter.  This is
> standard Emacs procedure.  The way I encrypt files is to use the command
> 'epa-dired-do-encrypt' which is bound by default to ': e' (without the
> quotes).

I have been re-reading about file encryption in Emacs and I will update
the Denote manual accordingly.  Though I also need to know what your
preferences and/or intended workflow are.

Either you will do it manually through Dired, as I mentioned before, or
you will have to:

1. Append ".gpg" to the file name.

2. Insert a file-local variable with an email for 'epa-file-encrypt-to',
   as noted here:
   <https://www.gnu.org/software/emacs/manual/html_node/epa/Encrypting_002fdecrypting-gpg-files.html>

About point 1, we can introduce an opt-in user option in Denote which
adds the extension.

About point 2, there are two types of encryption: (i) password-based and
(ii) key-based.  The former is known as "symmetric encryption" and takes
a per-file password which the user provides on the spot.  I think this
will be inefficient at scale.  I strongly encourage the key-based
approach.

When trying to save a ".gpg" file for the first time, Emacs will produce
a key selection buffer.  The user places the point over the desired key
and types C-c C-c to confirm it.  If a gpg-agent is running and the
password is already cached, no further dialog is produced, else the
key's password is required.

To skip the key selection step, the user can specify a file-local
variable for the 'epa-file-encrypt-to' variable.  In org-mode,
file-local variables can be added to the end with something like this:

      #+BEGIN_COMMENT
      Local variables:
      epa-file-encrypt-to: ("name@example.tld")
      end:
      #+END_COMMENT

Note though that those are not read as soon as they are inserted.  The
file needs to be saved and visited again.  So it would not work if you
were to create a new encrypted file outright.

I thus think it is better to use a directory-local variable.  That way
we don't need to write the 'epa-file-encrypt-to' in each file while we
also get its value automatically.  To this end, we create a file named
".dir-locals.el" at the level of the desired directory and add something
like:

    ((nil . ((epa-file-encrypt-to . ("name@example.tld")))))

[ If you already have a .dir-locals.el, you need to only append the new
  variable, not the entire form quoted above.  When in doubt, ask me. ]

With the 'epa-file-encrypt-to' all set, any new file ending in ".gpg"
will be saved in encrypted form without questions asked (assuming the
gpg-agent is running, else you need the key's password).

Is this information helpful?  Should we arrange for Denote to append the
".gpg" extension if the user asks for it?  If yes, the user can then
write a simple wrapper command which 'let' binds that user option, so
the user could create encrypted files only on demand (we will document
such a function in the manual).

That's all for now.  If anyone reading this has better ideas, please let
me know.

All the best,
Protesilaos (or simply "Prot")

-- 
Protesilaos Stavrou
https://protesilaos.com
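As an added illustration of the key-based workflow discussed above (this is not Denote's own code, nor from the thread's authors), the wrapper command below creates a note with the real `denote` command and then writes it only as a ".gpg" file, naming the recipient keys buffer-locally so no key-selection buffer appears and the save cannot fall back to a per-file passphrase. It assumes `denote` leaves the new note's buffer current, and that `my-denote-gpg-recipients` holds your own key ID or e-mail.

```elisp
;; Added example, not part of Denote.  Requires Emacs' built-in epa-file
;; and a running gpg-agent (else the key's passphrase is requested).
(require 'epa-file)
(require 'denote)

;; Transparent encrypt-on-save / decrypt-on-visit for files ending in ".gpg".
(epa-file-enable)

(defvar my-denote-gpg-recipients '("name@example.tld")
  "Keys to encrypt notes to (key ID or e-mail).
Leaving this nil would mean symmetric, per-file passphrase encryption.")

(defun my-denote-encrypted ()
  "Create a Denote note and store it only as an encrypted \".gpg\" file."
  (interactive)
  (call-interactively #'denote)          ; prompts for title, keywords, etc.
  (let* ((plain (buffer-file-name))
         (gpg (and plain (concat plain ".gpg"))))
    (unless plain
      (user-error "Current buffer is not visiting a note file"))
    ;; Name the recipients for this buffer only: epa-file reads this when it
    ;; writes the file, so no key-selection dialog is shown.
    (setq-local epa-file-encrypt-to my-denote-gpg-recipients)
    ;; Re-point the buffer at the ".gpg" path and write it; epa-file's
    ;; file-name handler encrypts the contents on the way out.
    (write-file gpg)
    ;; Remove the plaintext copy only once the ciphertext is on disk.
    (when (and (file-exists-p gpg) (file-exists-p plain))
      (delete-file plain))
    (message "Encrypted note written to %s" gpg)))
```

Note that the plaintext note briefly existed on disk before `delete-file` ran, so on a synced cloud directory this is not equivalent to never writing it; the directory-local `epa-file-encrypt-to` from the message above avoids that window for files created with the ".gpg" suffix from the start.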