Gnus development mailing list
From: Richard Riley <rileyrg@googlemail.com>
To: Philipp Haselwarter <philipp.haselwarter@gmx.de>
Cc: ding@gnus.org
Subject: Re: Guns and Privacy : sample use case/tutorial effort
Date: Tue, 01 Feb 2011 13:53:52 +0100
Message-ID: <0bwrljncf3.fsf@news.eternal-september.org>
In-Reply-To: <87fws8sz8k.fsf@nzebook.haselwarter.org> (Philipp Haselwarter's message of "Tue, 01 Feb 2011 13:42:03 +0100")

Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:

> Richard Riley <rileyrg@googlemail.com> writes:
>
>> Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:
>>
>>> Richard Riley <rileyrg@googlemail.com> writes:
>>>
>>> ---8<---[snipped 61 lines]---8<---
>>>>
>>>> The loading of this file would cause emacs or the system to prompt you
>>>> for a password to decrypt the file if the agent (gpg-agent) or emacs
>>>> hasn't already cached the password for that key. This prompt can be an
>>>> issue if you're using the emacs daemon especially if starting the
>>>> process at system login. When to prompt? One nice way is to only load
>>>> the gpg file when you create an emacs frame. e.g.
>>>>
>>>> ,----
>>>> |    (defun load-secure-config (frame)
>>>> |      (require 'my-config "my-config.gpg"))
>>>> | 
>>>> |    (add-hook 'after-make-frame-functions 'load-secure-config)
>>>> `----
>>>>
>>>> Here we see that the private configuration information is only loaded and
>>>> decrypted when you actually bring up an emacs frame - generally that
>>>> would be sufficient in the case of gnus.
>>>
>>> Just wondering, how does this prevent emacs from prompting when there's
>>> no frame?
>>
>> This is aimed at the initial load: it only loads after the initial
>> frame. It then assumes that the password is cached. Clearly if the
>> password is then needed again (cache expiry) in something involving
>> gnus then there is generally a frame available anyway.
>>
>
> But this opens the encrypted file for any emacs instance that creates a
> frame, even if you don't want to use gnus at all. Which is not very much
> in the spirit of securing your personal data.

Clearly if you don't want to load it earlier then you do this on a more
limited hook. Some sort of "gnus start hook" or somesuch.

This is not just for Gnus, hence I included an erc-password example. I
will clarify that (but I'm not a big fan of the emacs wiki approach
tbh). My .gpg file contains sensitive passwords for other apps and, in
addition, org data too.

I don't feel it's much of a security leak opening it earlier rather than
later when used in conjunction with the gpg-agent. The file is still a
gpg encrypted file. But yes someone could open it in emacs and save it
as plain text in that session at that keyboard.

>
>>>
>>> I used to start emacs-daemon on system start, and ran into this problem,
>>> but that was in conjunction with desktop.el. Opening pdf's asks if you
>>
>>
>> I stopped using desktop.el for related reasons.
>>
> I just use `emacsclient -a="" -nw' (aliased) as editor now, this prevents
> starting emacs unnecessarily (okay, I rarely don't have emacs open) and
> is Really Simple to set up. No problems since.

I use this set up but in conjunction with an xmonad scratchpad toggle. I
documented the technique yonks ago when the daemon start methods
improved:-

http://splash-of-open-sauce.blogspot.com/2010/10/emacs-23-emacs-daemon-and-emacsclient_7756.html

The daemon is pretty damn cool ;)

I also used -nw for a while but it clashed with function keys and what
have you too often so I reverted back to the gtk version. termcap beats Gnus
splitting for making my brain melt.

>
> Another desktop.el-related PITA is when files that have auto-save data
> around are restored (user gets queried too), haven't found a way around
> that yet..

-- 
☘ http://www.shamrockirishbar.com, http://splash-of-open-sauce.blogspot.com/ http://www.richardriley.net
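
The narrower trigger suggested in the reply above, as an added example that is not part of the original thread: the encrypted file is decrypted only when Gnus starts, and a daemon with no client frame refuses to load it instead of prompting where nobody can answer. It reuses `my-config` and `my-config.gpg` from the quoted snippet; the `my-` function names are hypothetical, and the file is assumed to be on `load-path` and to end with `(provide 'my-config)`.

```elisp
;;; Added example, not from the original thread.
;; Assumes my-config.gpg is on `load-path', ends with (provide 'my-config),
;; and that epa-file's transparent *.gpg handling is active (the default).

(require 'seq)

(defun my-secure-config-prompt-possible-p ()
  "Return non-nil when a passphrase prompt can reach the user.
A daemon started at login has only its initial, invisible frame;
frames opened through emacsclient carry the `client' frame parameter."
  (or (not (daemonp))
      (seq-some (lambda (frame) (frame-parameter frame 'client))
                (frame-list))))

(defun my-load-secure-config ()
  "Decrypt and load my-config.gpg once, on first real need."
  (unless (featurep 'my-config)
    (unless (my-secure-config-prompt-possible-p)
      ;; Fail loudly rather than block the daemon on an unseen prompt.
      (user-error "Not loading my-config.gpg: no frame to prompt on"))
    (require 'my-config "my-config.gpg")))

;; Gnus runs this hook as the first thing on startup, so sessions that
;; never start Gnus never decrypt the file.
(add-hook 'gnus-before-startup-hook #'my-load-secure-config)
```

Other packages that read secrets from the same file can call `my-load-secure-config` from their own startup hooks; the `featurep` check keeps the decryption to a single load per session.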


