Secure GPG In Emacs, Featuring Agent Smith
Oh, no. More GPG in Emacs? I’ll try to keep it short.
One day I was pondering upon my opsec (“operational security”) when I realized something. Any Emacs buffers I had opened with
epa’s transparent decryption would stay open, indefinitely.
Moreover, the password I had used during decryption would stay encached by
gpg-agent for ten minutes (the default). If someone were to usurp my computer while a
.gpg buffer was open, he could not only read it, but view all of my encrypted files.
Paranoid? Yes. Excessively paranoid? Yes.
Killing GPG Buffers
Step one is to make sure GPG buffers don’t stay open too long. Put the following code somewhere in your init:
If Emacs doesn’t receive input for 60 seconds your GPG buffers get saved and killed. This time frame is configurable and should factor in the sensitivity of your files and what you personally feel comfortable with.
This code will run even if your computer is locked, at least on OSX. If you unlock your computer and someone happens to be peeping over your shoulder, you’re good.
Everyone has their own mental model for
gpg-agent. I like to picture Agent Smith: the guy that nobody likes from the old 90’s movie
The Memento. Smug and annoying, his only goal is to ruin your life.
If you’re using GPG2, you’re using
gpg-agent. There’s nothing you can do about it: GPG2 launches it automatically. You can kill it with a cron job, but I did something a bit different. I snuck this line into the big code block above:
This makes sure that the cache is cleared when Emacs is idle, but not while you’re actively working in it.
You may also want to set some of the relevant cache expiry options in
~/.gnupg/gpg-agent.conf. You can set them to a few minutes, or zero to disable caching altogether. For example:
That’s about it. GPG and Emacs’
epa are software disasters, but we had to take a couple minutes to revisit them here.