Safeguarding Secrets with GnuPG
The best way to ensure that private information stays private is to keep it all in your head and never divulge it unless tortured! That ain't going to cut it in this day and age when we have more than a few things to remember. The most common way is to use some kind of data safe where information can be stored with some level of privacy.
Now, a disclaimer about this post and use of technology in securing your secrets. There are many ways in which your private data could be compromised. While the underlying math of cryptography seems foolproof with technology we have now, a radically new approach, however unlikely but not impossible, could render it vulnerable. But the good news is that, we can trust the math. And the bad news? We can never trust the implementations. Cryptography implementations are plagued with bugs which can go undetected for years. Many algorithms once considered secure are now considered unfit. Your computer can be bugged at the hardware level. There is a possibility that even a computer not connected to the internet is vulnerable to eavesdropping.
With that said, let's now dive into some practical techniques to protect our documents. The tool we will use is GnuPG which is an implementation of OpenPGP and RFC 4080 . This is a good choice as it is completely open source. In the world of security, an implementation that is reviewed by people all over the world is more trustworthy than a closed implementation where you would have to trust a corporation.
GnuPG
In addition to encryption and decryption of documents, GnuPG can also digitally sign and verify signatures. We won't be using those capabilities here. GnuPG can encrypt documents using either symmetric or asymmetric scheme. A symmetric scheme uses the same key to encrypt and decrypt. An asymmetric scheme uses the public key to encrypt and private key to decrypt. Asymmetric scheme allows anybody to communicate securely with anyone whose public key is accessible.
For our purposes, we can use either scheme.
Installation
Installation depends on the Linux distribution you are using. For Debian/Ubuntu/Mint, the following incantation works.
sudo apt-get install gnupg
Key generation
You need to generate a key using the following command. The command asks a number of questions about the type of key (choose RSA & RSA) and identity to be associated with the key.
gpg --gen-key
The generated keys are stored in ~/.gnupg/. It is a splendid idea to
keep copies of this directory. It's highly recommended to use a
passphrase and keep the copies in a safe and secure location. If you
lose these keys, there is no way to get them back! You have been
warned!
Encryption
gpg encrypts using the public key of a user. When you want to
encrypt a document which should be for your use, you simply use your
own user id as shown below. If you had used someone else as the
recipient, only that person would be able to decrypt what you
encrypt.
gpg --encrypt -r user@domain --output doc.gpg doc.txt
This command writes the encrypted output to gpg.txt.
Decryption
A gpg-encrypted document is decrypted by the following
command. Decryption requires the private key of the user whose public
key was used as the encryption key. User can provide access to the key
either by entering the passphrase for the key or by running a
gpg-agent process to which key is made available.
gpg --decrypt foo.gpg
GnuPG in Emacs
The procedures described in the previous section get the job done. It would be cumbersome to decrypt a document and then edit in an editor. Luckily, Emacs users have built-in support for GnuPG (package EasyPG). When Emacs detects an encrypted document, it will ask for your passphrase and save the modified document encrypting it. Nothing could be more convenient!
Another disclaimer here! Anytime you have an decrypted copy of your precious document, you must be aware of the potential of it being leaked. Editors could be keeping backup copies, processes could get swapped to disk, someone could be remotely viewing your screen. Keep all these risk in mind. A big part of security is a healthy dose of paranoia and distrust of everything.