\input texinfo @c -*- mode: texinfo -*- @c %**start of header @setfilename ../../info/epa.info @settitle EasyPG Assistant User's Manual @include docstyle.texi @c %**end of header @set VERSION 1.0.0 @copying This file describes EasyPG Assistant @value{VERSION}. Copyright @copyright{} 2007--2023 Free Software Foundation, Inc. @quotation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with the Front-Cover Texts being ``A GNU Manual,'' and with the Back-Cover Texts as in (a) below. A copy of the license is included in the section entitled ``GNU Free Documentation License''. (a) The FSF's Back-Cover Text is: ``You have the freedom to copy and modify this GNU manual.'' @end quotation @end copying @dircategory Emacs misc features @direntry * EasyPG Assistant: (epa). An Emacs user interface to GNU Privacy Guard. @end direntry @titlepage @title EasyPG Assistant @author by Daiki Ueno @page @vskip 0pt plus 1filll @insertcopying @end titlepage @contents @node Top @top EasyPG Assistant User's Manual @cindex easypg assistant @cindex gnu privacy guard @cindex gnupg EasyPG Assistant is an Emacs user interface to GNU Privacy Guard (GnuPG, @pxref{Top, , Top, gnupg, Using the GNU Privacy Guard}). EasyPG Assistant is a part of the package called EasyPG, an all-in-one GnuPG interface for Emacs. EasyPG also contains the library interface called EasyPG Library. @ifnottex @insertcopying @end ifnottex @c Unfortunately the node names of this manual are not very consistent @c w.r.t. their case. However, case is significant in node names, so @c we probably better should not change these to not break any @c external references. Things are more relaxed for structure titles, @c so we consistently updated them to title-case. @menu * Overview:: * Quick start:: * Commands:: * GnuPG version compatibility:: * GnuPG Pinentry:: * Caching Passphrases:: * Bug Reports:: * GNU Free Documentation License:: The license for this documentation. * Concept Index:: * Key Index:: * Function Index:: * Variable Index:: @end menu @node Overview @chapter Overview @cindex features of easypg assistant EasyPG Assistant is an Emacs frontend application to @acronym{GnuPG, GNU Privacy Guard} that provides the following features: @itemize @bullet @item Key management. @item Cryptographic operations on regions. @item Cryptographic operations on files. @item Dired integration. @item Mail-mode integration. @item Automatic encryption/decryption of *.gpg files. @end itemize @node Quick start @chapter Quick Start @cindex introduction to easypg assistant @cindex gnupg documentation @cindex documentation on gnupg @cindex configuration of gnupg @cindex introduction to gnupg You can use EasyPG Assistant without any Emacs or GnuPG configuration whatsoever, for example to encrypt and decrypt files automatically with symmetric encryption, see @ref{Encrypting/decrypting gpg files}. However, to use the full set of EasyPG Assistant's functions you should have at least some minimum GnuPG configuration in place. John Michael Ashley's GNU Privacy Handbook, available online as part of @uref{https://gnupg.org/documentation/guides.html, the GnuPG user guides}, provides an introduction to GnuPG use and configuration. In contrast to that, the GnuPG manual (@pxref{Top, , Top, gnupg, Using the GNU Privacy Guard}) is more of a reference manual. EasyPG Assistant commands are prefixed by @samp{epa-}. For example, @itemize @bullet @item To browse your keyring, type @kbd{M-x epa-list-keys} @item To create a cleartext signature of the region, type @kbd{M-x epa-sign-region} @item To encrypt a file, type @kbd{M-x epa-encrypt-file} @item To query a key server for keys, type @kbd{M-x epa-search-keys} @end itemize EasyPG Assistant provides several cryptographic features which can be integrated into other Emacs functionalities. For example, automatic encryption/decryption of @file{*.gpg} files. @node Commands @chapter Commands This chapter introduces various commands for typical use cases. @menu * Key management:: * Cryptographic operations on regions:: * Cryptographic operations on files:: * Dired integration:: * Mail-mode integration:: * Encrypting/decrypting gpg files:: * Querying a key server:: @end menu @node Key management @section Key Management @cindex key management @cindex key ring, browsing @cindex browse key ring Probably the first step of using EasyPG Assistant is to browse your keyring. @kbd{M-x epa-list-keys} is corresponding to @samp{gpg --list-keys} from the command line. @deffn Command epa-list-keys name mode Show all keys matched with @var{name} from the public keyring. @end deffn @noindent The output looks as follows. @example u A5B6B2D4B15813FE Daiki Ueno @end example @noindent A character on the leftmost column indicates the trust level of the key. If it is @samp{u}, the key is marked as ultimately trusted. The second column is the key ID, and the rest is the user ID. You can move over entries by @key{TAB}. If you type @key{RET} or click button1 on an entry, you will see more detailed information about the key you selected. @example u Daiki Ueno u A5B6B2D4B15813FE 1024bits DSA Created: 2001-10-09 Expires: 2007-09-04 Capabilities: sign certify Fingerprint: 8003 7CD0 0F1A 9400 03CA 50AA A5B6 B2D4 B158 13FE u 4447461B2A9BEA2D 2048bits ELGAMAL_E Created: 2001-10-09 Expires: 2007-09-04 Capabilities: encrypt Fingerprint: 9003 D76B 73B7 4A8A E588 10AF 4447 461B 2A9B EA2D @end example @cindex private key ring, browsing @noindent To browse your private keyring, use @kbd{M-x epa-list-secret-keys}. @deffn Command epa-list-secret-keys name Show all keys matched with @var{name} from the private keyring. @end deffn @noindent In @file{*Keys*} buffer, several commands are available. The common use case is to export some keys to a file. To do that, type @kbd{m} to select keys, type @kbd{o}, and then supply the filename. Below are other commands related to key management. Some of them take a file as input/output, and others take the current region. @cindex insert keys @deffn Command epa-insert-keys keys Insert selected @var{keys} after the point. It will let you select keys before insertion. By default, it will encode keys in the OpenPGP armor format. @end deffn @cindex import keys @deffn Command epa-import-keys file Import keys from @var{file} to your keyring. @end deffn @deffn Command epa-import-keys-region start end Import keys from the current region between @var{start} and @var{end} to your keyring. @end deffn @deffn Command epa-import-armor-in-region start end Import keys in the OpenPGP armor format in the current region between @var{start} and @var{end}. The difference from @code{epa-import-keys-region} is that @code{epa-import-armor-in-region} searches armors in the region and applies @code{epa-import-keys-region} to each of them. @end deffn @cindex delete keys @deffn Command epa-delete-keys allow-secret Delete selected keys. If @var{allow-secret} is non-@code{nil}, it also delete the secret keys. @end deffn @node Cryptographic operations on regions @section Cryptographic Operations on Regions @cindex cryptographic operations on regions @cindex region operations, cryptographic @cindex decrypt region @deffn Command epa-decrypt-region start end Decrypt the current region between @var{start} and @var{end}. It replaces the region with the decrypted text. @end deffn @deffn Command epa-decrypt-armor-in-region start end Decrypt OpenPGP armors in the current region between @var{start} and @var{end}. The difference from @code{epa-decrypt-region} is that @code{epa-decrypt-armor-in-region} searches armors in the region and applies @code{epa-decrypt-region} to each of them. That is, this command does not alter the original text around armors. @end deffn @cindex verify region @deffn Command epa-verify-region start end Verify the current region between @var{start} and @var{end}. It sends the verification result to the minibuffer or a popup window. It replaces the region with the signed text. @end deffn @deffn Command epa-verify-cleartext-in-region Verify OpenPGP cleartext blocks in the current region between @var{start} and @var{end}. The difference from @code{epa-verify-region} is that @code{epa-verify-cleartext-in-region} searches OpenPGP cleartext blocks in the region and applies @code{epa-verify-region} to each of them. That is, this command does not alter the original text around OpenPGP cleartext blocks. @end deffn @cindex sign region @deffn Command epa-sign-region start end signers type Sign the current region between @var{start} and @var{end}. By default, it creates a cleartext signature. If a prefix argument is given, it will let you select signing keys, and then a signature type. @end deffn @cindex encrypt region @deffn Command epa-encrypt-region start end recipients sign signers Encrypt the current region between @var{start} and @var{end}. It will let you select recipients. If a prefix argument is given, it will also ask you whether or not to sign the text before encryption and if you answered yes, it will let you select the signing keys. @end deffn @node Cryptographic operations on files @section Cryptographic Operations on Files @cindex cryptographic operations on files @cindex file operations, cryptographic @cindex decrypt file @deffn Command epa-decrypt-file file &optional output Decrypt @var{file}. If you do not specify the name @var{output} to use for the decrypted file, this function prompts for the value to use. @end deffn @cindex verify file @deffn Command epa-verify-file file Verify @var{file}. @end deffn @cindex sign file @deffn Command epa-sign-file file signers type Sign @var{file}. If a prefix argument is given, it will let you select signing keys, and then a signature type. @end deffn @cindex encrypt file @deffn Command epa-encrypt-file file recipients Encrypt @var{file}. It will let you select recipients. @end deffn @node Dired integration @section Dired Integration @cindex dired integration @cindex directory operations @cindex multiple file operations EasyPG Assistant extends Dired Mode for GNU Emacs to allow users to easily do cryptographic operations on files. For example, @example M-x dired (mark some files) : e (or M-x epa-dired-do-encrypt) (select recipients by 'm' and click [OK]) @end example @noindent The following keys are assigned. @table @kbd @item : d @kindex : d @findex epa-dired-do-decrypt Decrypt marked files. @item : v @kindex : v @findex epa-dired-do-verify Verify marked files. @item : s @kindex : s @findex epa-dired-do-sign Sign marked files. @item : e @kindex : e @findex epa-dired-do-encrypt Encrypt marked files. @end table @node Mail-mode integration @section Mail-Mode Integration @cindex mail-mode integration @cindex sending signed/encrypted mails EasyPG Assistant provides a minor mode @code{epa-mail-mode} to help user compose inline OpenPGP messages. Inline OpenPGP is a traditional style of sending signed/encrypted emails by embedding raw OpenPGP blobs inside a message body, not using modern MIME format. NOTE: Inline OpenPGP is not recommended and you should consider to use PGP/MIME@. See @uref{https://josefsson.org/inline-openpgp-considered-harmful.html, Inline OpenPGP in E-mail is bad@comma{} Mm'kay?}. @noindent Once @code{epa-mail-mode} is enabled, the following keys are assigned. You can do it by @kbd{C-u 1 M-x epa-mail-mode} or through the Customize interface. Try @kbd{M-x customize-variable epa-global-mail-mode}. @table @kbd @item C-c C-e C-d and C-c C-e d @kindex C-c C-e C-d @kindex C-c C-e d @findex epa-mail-decrypt Decrypt OpenPGP armors in the current buffer. @item C-c C-e C-v and C-c C-e v @kindex C-c C-e C-v @kindex C-c C-e v @findex epa-mail-verify Verify OpenPGP cleartext signed messages in the current buffer. @item C-c C-e C-s and C-c C-e s @kindex C-c C-e C-s @kindex C-c C-e s @findex epa-mail-sign Compose a signed message from the current buffer, using your default key. With a prefix argument, select the key to use interactively. @item C-c C-e C-e and C-c C-e e @kindex C-c C-e C-e @kindex C-c C-e e @findex epa-mail-encrypt @vindex epa-mail-aliases Compose an encrypted message from the current buffer. By default it tries to build the recipient list from @samp{to}, @samp{cc}, and @samp{bcc} fields of the mail header. To include your key in the recipient list, use @samp{encrypt-to} option in @file{~/.gnupg/gpg.conf}. This function translates recipient addresses using the @code{epa-mail-aliases} list. You can also use that option to ignore specific recipients for encryption purposes. With prefix argument, asks you to select the recipients interactively, whether to sign, and which key(s) to sign with. @end table @node Encrypting/decrypting gpg files @section Encrypting and Decrypting gpg Files @cindex encrypting gpg files @cindex decrypting gpg files @cindex gpg files, encrypting and decrypting @cindex automatic file encryption and decryption By default, every file whose name ends with @file{.gpg} will be treated as encrypted. That is, when you open such a file, the decrypted text is inserted in the buffer rather than encrypted one. Similarly, when you save the buffer to a @file{foo.gpg} file, encrypted data is written. When you save a buffer to an encrypted file for the first time, EasyPG Assistant presents you a list of keys in a buffer @file{*Keys*} where you can select recipients for encryption. @xref{Key management}, for a description of the format of that buffer. You can streamline this recipient selection step by customizing variables @code{epa-file-encrypt-to} and @code{epa-file-select-keys} described further below in this section. @cindex symmetric encryption, passphrase entry for If you do not select any recipient during this step, EasyPG Assistant uses symmetric encryption. As a consequence, you have to enter the passphrase twice for every buffer save and every so often for file reads, since the GnuPG Agent caches your passphrase for file reads at least for some time, but not for buffer saves. @xref{Caching Passphrases}, for more information. @cindex public key encryption, passphrase entry for If you have created your own keypair@footnote{For encryption and decryption of files you do not intend to share, you do not have to use an email address as recipient during creation of the keypair. You can also use some free-form string that gives information on the use of the keypair, like @code{backup} or @code{account database}.}, you can select that as recipient, and EasyPG Assistant will use public key encryption for that file. Since GnuPG performs encryption with your public key, it does not prompt for a passphrase for the buffer save, but it will prompt for your passphrase for file reads every now and then, depending on the GnuPG Agent cache configuration. @cindex temporary files created by easypg assistant To encrypt and decrypt files as described above EasyPG Assistant under certain circumstances uses intermediate temporary files that contain the plain-text contents of the files it processes. EasyPG Assistant creates them below the directory returned by function @code{temporary-file-directory} (@pxref{Unique File Names, , Generating Unique File Names, elisp, GNU Emacs Lisp Reference Manual}). If you want to be sure not to leave any plain-text traces, use an encrypted file systems at least for that directory. The file name pattern for encrypted files can be controlled by @code{epa-file-name-regexp}. @defvar epa-file-name-regexp Regexp which matches filenames treated as encrypted. @end defvar You can disable this behavior with @kbd{M-x epa-file-disable}, and then get it back with @kbd{M-x epa-file-enable}. @deffn Command epa-file-disable Disable automatic encryption/decryption of *.gpg files. @end deffn @deffn Command epa-file-enable Enable automatic encryption/decryption of *.gpg files. @end deffn @noindent By default, @code{epa-file} will try to use symmetric encryption, aka password-based encryption. If you want to use public key encryption instead, do @kbd{M-x epa-file-select-keys}, which pops up the key selection dialog. @deffn Command epa-file-select-keys Select recipient keys to encrypt the currently visiting file with public key encryption. @end deffn You can also change the default behavior with the variable @code{epa-file-select-keys}. @defvar epa-file-select-keys Control whether or not to pop up the key selection dialog. @end defvar @vindex epa-file-encrypt-to For frequently visited files, it might be a good idea to tell Emacs which encryption method should be used through file variables (@pxref{File Variables, , Local Variables in Files, emacs, The Emacs Editor}). Use the @code{epa-file-encrypt-to} local variable for this. For example, if you want an Elisp file to be encrypted with a public key associated with an email address @samp{ueno@@unixuser.org}, add the following line to the beginning of the file. @cartouche @lisp ;; -*- epa-file-encrypt-to: ("ueno@@unixuser.org") -*- @end lisp @end cartouche Instead, if you want the file always (regardless of the value of the @code{epa-file-select-keys} variable) encrypted with symmetric encryption, change the line as follows. @cartouche @lisp ;; -*- epa-file-encrypt-to: nil -*- @end lisp @end cartouche Other variables which control the automatic encryption/decryption behavior are below. @defvar epa-file-cache-passphrase-for-symmetric-encryption If non-@code{nil}, cache passphrase for symmetric encryption. The default value is @code{nil}. For security reasons, this option is turned off by default and not recommended to be used. Instead, consider using the GnuPG Agent, which in many cases can do the same job, and does it in a safer way. @xref{Caching Passphrases}, for more information. @end defvar @defvar epa-file-inhibit-auto-save If non-@code{nil}, disable auto-saving when opening an encrypted file. The default value is @code{t}. @end defvar @node Querying a key server @section Querying a Key Server @cindex query key server @cindex key server, querying The @code{epa-search-keys} command can be used to query a @acronym{GPG} key server. Emacs will then pop up a buffer that lists the matches, and you can then fetch (and add) keys to your personal key ring. In the key search buffer, you can use the @kbd{f} command to mark keys for fetching, and then @kbd{x} to fetch the keys (and incorporate them into your key ring). The @code{epa-keyserver} variable says which server to query. @node GnuPG version compatibility @chapter GnuPG Version Compatibility @cindex gnupg version compatibility @cindex version compatibility with gnupg @cindex compatibility with gnupg As of June 2023, there are three active branches of GnuPG: 2.4, 2.2, and 1.4. GnuPG versions 2.4.1 and later suffer from @uref{https://dev.gnupg.org/T6481, GnuPG bug T6481} and are hardly usable with Emacs. There is a patch for that bug available at least for GnuPG version 2.4.1, which your operating system or distribution might provide already. GnuPG 1.4 is considered a legacy version. Besides that, all of those branches mentioned above should work flawlessly with Emacs with basic use-cases. They have, however, some incompatible characteristics, which might be visible when used from Emacs. @itemize @item The key store format used by GnuPG 2.1 is incompatible with 1.4. That means, a key created with GnuPG 2.1 is not visible with 1.4. @item GnuPG 2.1 uses a fixed address for the Unix domain socket used to communicate with @command{gpg-agent}. The @code{GPG_AGENT_INFO} environment variable, which is used by GnuPG 2.0 and 1.4, is ignored. That means, if your system has both GnuPG 2.1 and 1.4, the gpg command from GnuPG 1.4 is not able to use @command{gpg-agent} provided by 2.1 (at least out of box). @item GnuPG 2.1 (2.1.5 or later) has a mechanism to direct the Pinentry password prompt to the Emacs minibuffer. @xref{GnuPG Pinentry}. @end itemize @node GnuPG Pinentry @chapter GnuPG Pinentry @cindex gnupg pinentry @cindex pinentry provided by gnupg An important component of the GnuPG suite is the Pinentry, which allows for secure entry of passphrases requested by GnuPG. GnuPG delivers various different programs as Pinentry, ranging from bland TTY-only @command{pinentry-tty} to fancy graphical dialogs for various desktop environments, like @command{pinentry-gnome3}. Your operating system usually determines which of these is used by default. Note that the selection of a concrete Pinentry program determines only @emph{how} GnuPG queries for passphrases and not @emph{how often}. For the latter question see @ref{Caching Passphrases}. @cindex pinentry, emacs as With some configuration Emacs can also play the role of a Pinentry. The most natural choice, available with GnuPG 2.1.5 and later, is to use Emacs itself as Pinentry for requests that are triggered by Emacs. For example, if you open a file whose name ends with @file{.gpg} using automatic decryption, you most likely also want to enter the passphrase for that request in Emacs. @cindex loopback pinentry This so called @dfn{loopback Pinentry} has the added benefit that it works also when you use Emacs remotely or from a text-only terminal. To enable it: @enumerate @item @vindex allow-loopback-pinentry Ensure that option @code{allow-loopback-pinentry} is configured for @command{gpg-agent}, which should be the default. @xref{Agent Options, , Option Summary, gnupg, Using the GNU Privacy Guard}. @item @vindex epg-pinentry-mode Customize variable @code{epg-pinentry-mode} to @code{loopback} in Emacs. @end enumerate Note that loopback Pinentry does not work with @command{gpgsm}, therefore EasyPG will ignore this setting for it. There are other options available to use Emacs as Pinentry, you might come across a Pinentry called @command{pinentry-emacs} or @command{gpg-agent} option @code{allow-emacs-pinentry}. However, these are considered insecure or semi-obsolete and might not be supported by your operating system or distribution. For example, Debian GNU/Linux supports only the loopback Pinentry described above. @ignore In case somebody requests these: Use Emacs for all GnuPG requests: Make @command{pinentry-emacs} the default Pinentry by means of your operating system. Install package @file{pinentry.el} from GNU ELPA and execute @kbd{M-x pinentry-start} to start the Emacs Pinentry service. @emph{All} GnuPG passphrase requests should then result in a minibuffer prompt in the running Emacs. If Emacs or the Emacs Pinentry service are not running, passphrase requests fail. Use Emacs for all GnuPG requests with other Pinentry as fallback: Ensure the other Pinentry supports Emacs; @command{pinentry-curses} does, for example. Configure @command{gpg-agent} option @code{allow-emacs-pinentry}. Set environment variable @code{INSIDE_EMACS} for the calling process. Install package @file{pinentry.el}. Now if Emacs is running and @kbd{M-x pinentry-start} has been executed, all GnuPG passphrase requests should result in a minibuffer prompt in the running Emacs. If Emacs or the Emacs Pinentry service are not running, GnuPG uses the other Pinentry instead. @end ignore @node Caching Passphrases @chapter Caching Passphrases @cindex caching passphrases @cindex entering passphrases @cindex passphrases, entering and caching Typing passphrases is a troublesome task if you frequently open and close the same file. GnuPG and EasyPG Assistant provide mechanisms to remember your passphrases for a limited time. Using these, you only need to re-enter the passphrase occasionally. However, the configuration is a bit confusing since it depends on your GnuPG installation (@pxref{GnuPG version compatibility}), encryption method (symmetric or public key), and whether or not you want to use GnuPG Agent. As an additional constraint, use of the GnuPG Agent is mandatory for GnuPG 2.0 and later. Here are some questions: @enumerate @item Do you use GnuPG version 2.0 or later instead of GnuPG version 1.4? @item Do you use symmetric encryption rather than public key encryption? @item Do you want to use GnuPG Agent? @end enumerate Here are configurations depending on your answers: @multitable {111} {222} {333} {configuration configuration configuration} @item @b{1} @tab @b{2} @tab @b{3} @tab Configuration @item Yes @tab Yes @tab Must @tab Set up GnuPG Agent. @item Yes @tab No @tab Must @tab Set up GnuPG Agent. @item No @tab Yes @tab Yes @tab Set up elisp passphrase cache. @item No @tab Yes @tab No @tab Set up elisp passphrase cache. @item No @tab No @tab Yes @tab Set up GnuPG Agent. @item No @tab No @tab No @tab You can't, without GnuPG Agent. @end multitable To set up GnuPG Agent, follow the instruction in @ref{Invoking GPG-AGENT, , , gnupg, Using the GNU Privacy Guard}. To set up elisp passphrase cache, set @code{epa-file-cache-passphrase-for-symmetric-encryption}. @xref{Encrypting/decrypting gpg files}. @node Bug Reports @chapter Bug Reports @cindex bug reports @cindex reporting bugs Bugs and problems with EasyPG Assistant are actively worked on by the Emacs development team. Feature requests and suggestions are also more than welcome. Use @kbd{M-x report-emacs-bug}, see @ref{Bugs, , Reporting Bugs, emacs, The Emacs Editor}. When submitting a bug report, please try to describe in excruciating detail the steps required to reproduce the problem. Also try to collect necessary information to fix the bug, such as: @itemize @bullet @item the GnuPG version. Send the output of @samp{gpg --version}. @item the GnuPG configuration. Send the contents of @file{~/.gnupg/gpg.conf}. @end itemize Before reporting the bug, you should set @code{epg-debug} in the @file{~/.emacs} file and repeat the bug. Then, include the contents of the @file{ *epg-debug*} buffer. Note that the first letter of the buffer name is a whitespace. @node GNU Free Documentation License @appendix GNU Free Documentation License @include doclicense.texi @node Concept Index @unnumbered Concept Index @printindex cp @node Key Index @unnumbered Key Index @printindex ky @node Function Index @unnumbered Function Index @printindex fn @node Variable Index @unnumbered Variable Index @printindex vr @bye @c End: