summaryrefslogtreecommitdiff
path: root/doc/misc/epa.texi
blob: e777771cf7304bf535efa9e324cf3f111b6ce944 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
\input texinfo                  @c -*- mode: texinfo -*-
@c %**start of header
@setfilename ../../info/epa.info
@settitle EasyPG Assistant User's Manual
@include docstyle.texi
@c %**end of header

@set VERSION 1.0.0

@copying
This file describes EasyPG Assistant @value{VERSION}.

Copyright @copyright{} 2007--2021 Free Software Foundation, Inc.

@quotation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with the Front-Cover Texts being ``A GNU Manual,''
and with the Back-Cover Texts as in (a) below.  A copy of the license
is included in the section entitled ``GNU Free Documentation License''.

(a) The FSF's Back-Cover Text is: ``You have the freedom to copy and
modify this GNU manual.''
@end quotation
@end copying

@dircategory Emacs misc features
@direntry
* EasyPG Assistant: (epa).      An Emacs user interface to GNU Privacy Guard.
@end direntry

@titlepage
@title EasyPG Assistant

@author by Daiki Ueno
@page

@vskip 0pt plus 1filll
@insertcopying
@end titlepage

@contents

@node Top
@top EasyPG Assistant user's manual

EasyPG Assistant is an Emacs user interface to GNU Privacy Guard
(GnuPG, @pxref{Top, , Top, gnupg, Using the GNU Privacy Guard}).

EasyPG Assistant is a part of the package called EasyPG, an all-in-one
GnuPG interface for Emacs.  EasyPG also contains the library interface
called EasyPG Library.

@ifnottex
@insertcopying
@end ifnottex

@menu
* Overview::
* Quick start::
* Commands::
* GnuPG version compatibility::
* Caching Passphrases::
* Bug Reports::
* GNU Free Documentation License::  The license for this documentation.
* Key Index::
* Function Index::
* Variable Index::
@end menu

@node Overview
@chapter Overview

EasyPG Assistant provides the following features.

@itemize @bullet
@item Key management.
@item Cryptographic operations on regions.
@item Cryptographic operations on files.
@item Dired integration.
@item Mail-mode integration.
@item Automatic encryption/decryption of *.gpg files.
@end itemize

@node Quick start
@chapter Quick start

EasyPG Assistant commands are prefixed by @samp{epa-}.  For example,

@itemize @bullet
@item To browse your keyring, type @kbd{M-x epa-list-keys}

@item To create a cleartext signature of the region, type @kbd{M-x epa-sign-region}

@item To encrypt a file, type @kbd{M-x epa-encrypt-file}

@item To query a key server for keys, type @kbd{M-x epa-search-keys}
@end itemize

EasyPG Assistant provides several cryptographic features which can be
integrated into other Emacs functionalities.  For example, automatic
encryption/decryption of @file{*.gpg} files.

@node Commands
@chapter Commands

This chapter introduces various commands for typical use cases.

@menu
* Key management::
* Cryptographic operations on regions::
* Cryptographic operations on files::
* Dired integration::
* Mail-mode integration::
* Encrypting/decrypting gpg files::
* Querying a key server::
@end menu

@node Key management
@section Key management
Probably the first step of using EasyPG Assistant is to browse your
keyring.  @kbd{M-x epa-list-keys} is corresponding to @samp{gpg
--list-keys} from the command line.

@deffn Command epa-list-keys name mode
Show all keys matched with @var{name} from the public keyring.
@end deffn

@noindent
The output looks as follows.

@example
  u A5B6B2D4B15813FE Daiki Ueno <ueno@@unixuser.org>
@end example

@noindent
A character on the leftmost column indicates the trust level of the
key.  If it is @samp{u}, the key is marked as ultimately trusted.  The
second column is the key ID, and the rest is the user ID.

You can move over entries by @key{TAB}.  If you type @key{RET} or
click button1 on an entry, you will see more detailed information
about the key you selected.

@example
 u Daiki Ueno <ueno@@unixuser.org>
 u A5B6B2D4B15813FE 1024bits DSA
        Created: 2001-10-09
        Expires: 2007-09-04
        Capabilities: sign certify
        Fingerprint: 8003 7CD0 0F1A 9400 03CA  50AA A5B6 B2D4 B158 13FE
 u 4447461B2A9BEA2D 2048bits ELGAMAL_E
        Created: 2001-10-09
        Expires: 2007-09-04
        Capabilities: encrypt
        Fingerprint: 9003 D76B 73B7 4A8A E588  10AF 4447 461B 2A9B EA2D
@end example

@noindent
To browse your private keyring, use @kbd{M-x epa-list-secret-keys}.

@deffn Command epa-list-secret-keys name
Show all keys matched with @var{name} from the private keyring.
@end deffn

@noindent
In @file{*Keys*} buffer, several commands are available.  The common
use case is to export some keys to a file.  To do that, type @kbd{m}
to select keys, type @kbd{o}, and then supply the filename.

Below are other commands related to key management.  Some of them take
a file as input/output, and others take the current region.

@deffn Command epa-insert-keys keys
Insert selected @var{keys} after the point.  It will let you select
keys before insertion.  By default, it will encode keys in the OpenPGP
armor format.
@end deffn

@deffn Command epa-import-keys file
Import keys from @var{file} to your keyring.
@end deffn

@deffn Command epa-import-keys-region start end
Import keys from the current region between @var{start} and @var{end}
to your keyring.
@end deffn

@deffn Command epa-import-armor-in-region start end
Import keys in the OpenPGP armor format in the current region between
@var{start} and @var{end}.  The difference from
@code{epa-import-keys-region} is that
@code{epa-import-armor-in-region} searches armors in the region and
applies @code{epa-import-keys-region} to each of them.
@end deffn

@deffn Command epa-delete-keys allow-secret
Delete selected keys.  If @var{allow-secret} is non-@code{nil}, it
also delete the secret keys.
@end deffn

@node Cryptographic operations on regions
@section Cryptographic operations on regions

@deffn Command epa-decrypt-region start end
Decrypt the current region between @var{start} and @var{end}.  It
replaces the region with the decrypted text.
@end deffn

@deffn Command epa-decrypt-armor-in-region start end
Decrypt OpenPGP armors in the current region between @var{start} and
@var{end}.  The difference from @code{epa-decrypt-region} is that
@code{epa-decrypt-armor-in-region} searches armors in the region
and applies @code{epa-decrypt-region} to each of them.  That is, this
command does not alter the original text around armors.
@end deffn

@deffn Command epa-verify-region start end
Verify the current region between @var{start} and @var{end}.  It sends
the verification result to the minibuffer or a popup window.  It
replaces the region with the signed text.
@end deffn

@deffn Command epa-verify-cleartext-in-region
Verify OpenPGP cleartext blocks in the current region between
@var{start} and @var{end}.  The difference from
@code{epa-verify-region} is that @code{epa-verify-cleartext-in-region}
searches OpenPGP cleartext blocks in the region and applies
@code{epa-verify-region} to each of them.  That is, this command does
not alter the original text around OpenPGP cleartext blocks.
@end deffn

@deffn Command epa-sign-region start end signers type
Sign the current region between @var{start} and @var{end}.  By
default, it creates a cleartext signature.  If a prefix argument is
given, it will let you select signing keys, and then a signature
type.
@end deffn

@deffn Command epa-encrypt-region start end recipients sign signers
Encrypt the current region between @var{start} and @var{end}.  It will
let you select recipients.  If a prefix argument is given, it will
also ask you whether or not to sign the text before encryption and if
you answered yes, it will let you select the signing keys.
@end deffn

@node Cryptographic operations on files
@section Cryptographic operations on files

@deffn Command epa-decrypt-file file &optional output
Decrypt @var{file}.  If you do not specify the name @var{output} to
use for the decrypted file, this function prompts for the value to use.
@end deffn

@deffn Command epa-verify-file file
Verify @var{file}.
@end deffn

@deffn Command epa-sign-file file signers type
Sign @var{file}.  If a prefix argument is given, it will let you
select signing keys, and then a signature type.
@end deffn

@deffn Command epa-encrypt-file file recipients
Encrypt @var{file}.  It will let you select recipients.
@end deffn

@node Dired integration
@section Dired integration

EasyPG Assistant extends Dired Mode for GNU Emacs to allow users to
easily do cryptographic operations on files.  For example,

@example
M-x dired
(mark some files)
: e (or M-x epa-dired-do-encrypt)
(select recipients by 'm' and click [OK])
@end example

@noindent
The following keys are assigned.

@table @kbd
@item : d
@kindex : d
@findex epa-dired-do-decrypt
Decrypt marked files.

@item : v
@kindex : v
@findex epa-dired-do-verify
Verify marked files.

@item : s
@kindex : s
@findex epa-dired-do-sign
Sign marked files.

@item : e
@kindex : e
@findex epa-dired-do-encrypt
Encrypt marked files.

@end table

@node Mail-mode integration
@section Mail-mode integration

EasyPG Assistant provides a minor mode @code{epa-mail-mode} to help
user compose inline OpenPGP messages.  Inline OpenPGP is a traditional
style of sending signed/encrypted emails by embedding raw OpenPGP
blobs inside a message body, not using modern MIME format.

NOTE: Inline OpenPGP is not recommended and you should consider to use
PGP/MIME@.  See
@uref{https://josefsson.org/inline-openpgp-considered-harmful.html,
Inline OpenPGP in E-mail is bad@comma{} Mm'kay?}.

@noindent
Once @code{epa-mail-mode} is enabled, the following keys are assigned.
You can do it by @kbd{C-u 1 M-x epa-mail-mode} or through the Customize
interface.  Try @kbd{M-x customize-variable epa-global-mail-mode}.

@table @kbd
@item C-c C-e C-d and C-c C-e d
@kindex C-c C-e C-d
@kindex C-c C-e d
@findex epa-mail-decrypt
Decrypt OpenPGP armors in the current buffer.

@item C-c C-e C-v and C-c C-e v
@kindex C-c C-e C-v
@kindex C-c C-e v
@findex epa-mail-verify
Verify OpenPGP cleartext signed messages in the current buffer.

@item C-c C-e C-s and C-c C-e s
@kindex C-c C-e C-s
@kindex C-c C-e s
@findex epa-mail-sign
Compose a signed message from the current buffer, using your default
key.  With a prefix argument, select the key to use interactively.

@item C-c C-e C-e and C-c C-e e
@kindex C-c C-e C-e
@kindex C-c C-e e
@findex epa-mail-encrypt
@vindex epa-mail-aliases
Compose an encrypted message from the current buffer.
By default it tries to build the recipient list from @samp{to},
@samp{cc}, and @samp{bcc} fields of the mail header.  To include your
key in the recipient list, use @samp{encrypt-to} option in
@file{~/.gnupg/gpg.conf}.  This function translates recipient
addresses using the @code{epa-mail-aliases} list.  You can also
use that option to ignore specific recipients for encryption purposes.

With prefix argument, asks you to select the recipients interactively,
whether to sign, and which key(s) to sign with.
@end table

@node Encrypting/decrypting gpg files
@section Encrypting/decrypting gpg files
By default, every file whose name ends with @file{.gpg} will be
treated as encrypted.  That is, when you open such a file, the
decrypted text is inserted in the buffer rather than encrypted one.
Similarly, when you save the buffer to a @file{foo.gpg} file,
encrypted data is written.

The file name pattern for encrypted files can be controlled by
@code{epa-file-name-regexp}.

@defvar epa-file-name-regexp
Regexp which matches filenames treated as encrypted.
@end defvar

You can disable this behavior with @kbd{M-x epa-file-disable}, and
then get it back with @kbd{M-x epa-file-enable}.

@deffn Command epa-file-disable
Disable automatic encryption/decryption of *.gpg files.
@end deffn

@deffn Command epa-file-enable
Enable automatic encryption/decryption of *.gpg files.
@end deffn

@noindent
By default, @code{epa-file} will try to use symmetric encryption, aka
password-based encryption.  If you want to use public key encryption
instead, do @kbd{M-x epa-file-select-keys}, which pops up the key
selection dialog.

@deffn Command epa-file-select-keys
Select recipient keys to encrypt the currently visiting file with
public key encryption.
@end deffn

You can also change the default behavior with the variable
@code{epa-file-select-keys}.

@defvar epa-file-select-keys
Control whether or not to pop up the key selection dialog.
@end defvar

For frequently visited files, it might be a good idea to tell Emacs
which encryption method should be used through @xref{File Variables, ,
, emacs, the Emacs Manual}.  Use the @code{epa-file-encrypt-to} local
variable for this.
@vindex epa-file-encrypt-to

For example, if you want an Elisp file to be encrypted with a
public key associated with an email address @samp{ueno@@unixuser.org},
add the following line to the beginning of the file.

@cartouche
@lisp
;; -*- epa-file-encrypt-to: ("ueno@@unixuser.org") -*-
@end lisp
@end cartouche

Instead, if you want the file always (regardless of the value of the
@code{epa-file-select-keys} variable) encrypted with symmetric
encryption, change the line as follows.

@cartouche
@lisp
;; -*- epa-file-encrypt-to: nil -*-
@end lisp
@end cartouche

Other variables which control the automatic encryption/decryption
behavior are below.

@defvar epa-file-cache-passphrase-for-symmetric-encryption
If non-@code{nil}, cache passphrase for symmetric encryption.  The
default value is @code{nil}.
@end defvar

@defvar epa-file-inhibit-auto-save
If non-@code{nil}, disable auto-saving when opening an encrypted file.
The default value is @code{t}.
@end defvar

@node Querying a key server
@section Querying a key server

The @code{epa-search-keys} command can be used to query a
@acronym{GPG} key server.  Emacs will then pop up a buffer that lists
the matches, and you can then fetch (and add) keys to your personal
key ring.

In the key search buffer, you can use the @kbd{f} command to mark keys
for fetching, and then @kbd{x} to fetch the keys (and incorporate them
into your key ring).

The @code{epa-keyserver} variable says which server to query.


@node GnuPG version compatibility
@chapter GnuPG version compatibility

As of February 2016, there are three active branches of GnuPG: 2.1,
2.0, and 1.4.  All those branches should work flawlessly with Emacs
with basic use-cases.  They have, however, some incompatible
characteristics, which might be visible when used from Emacs.

@itemize
@item
The key store format used by GnuPG 2.1 is incompatible with 1.4.  That
means, a key created with GnuPG 2.1 is not visible with 1.4.

@item
GnuPG 2.1 uses a fixed address for the Unix domain socket used to
communicate with gpg-agent.  The @code{GPG_AGENT_INFO} environment
variable, which is used by GnuPG 2.0 and 1.4, is ignored.  That means,
if your system has both GnuPG 2.1 and 1.4, the gpg command from GnuPG
1.4 is not able to use gpg-agent provided by 2.1 (at least out of box).

@item
GnuPG 2.1 (2.1.5 or later) has a mechanism to direct the Pinentry
password prompt to the Emacs minibuffer@footnote{To enable this
feature, add @samp{allow-emacs-pinentry} to
@file{~/.gnupg/gpg-agent.conf} and let gpg-agent reload the
configuration, with: @samp{gpgconf --reload gpg-agent}}, which would
be useful when you use Emacs remotely or from a text-only terminal.
That feature is not available in other versions, and more
specifically, with 2.0 (as of 2.0.29), there is no way to avoid the
graphical prompt.
@end itemize

@node Caching Passphrases
@chapter Caching Passphrases

Typing passphrases is a troublesome task if you frequently open and
close the same file.  GnuPG and EasyPG Assistant provide mechanisms to
remember your passphrases for a limited time.  Using these, you only
need to re-enter the passphrase occasionally.
However, the configuration is a bit
confusing since it depends on your GnuPG installation@xref{GnuPG
version compatibility}, encryption method (symmetric or public key),
and whether or not you want to use gpg-agent.  Here are some
questions:

@enumerate
@item Do you use GnuPG version 2.1 or 2.0 instead of GnuPG version 1.4?
@item Do you use symmetric encryption rather than public key encryption?
@item Do you want to use gpg-agent?
@end enumerate

Here are configurations depending on your answers:

@multitable {111} {222} {333} {configuration configuration configuration}
@item @b{1} @tab @b{2} @tab @b{3} @tab Configuration
@item Yes @tab Yes @tab Yes @tab Set up gpg-agent.
@item Yes @tab Yes @tab No @tab You can't, without gpg-agent.
@item Yes @tab No @tab Yes @tab Set up gpg-agent.
@item Yes @tab No @tab No @tab You can't, without gpg-agent.
@item No @tab Yes @tab Yes @tab Set up elisp passphrase cache.
@item No @tab Yes @tab No @tab Set up elisp passphrase cache.
@item No @tab No @tab Yes @tab Set up gpg-agent.
@item No @tab No @tab No @tab You can't, without gpg-agent.
@end multitable

To set up gpg-agent, follow the instruction in GnuPG manual.
@pxref{Invoking GPG-AGENT, , Invoking GPG-AGENT, gnupg}.

To set up elisp passphrase cache, set
@code{epa-file-cache-passphrase-for-symmetric-encryption}.
@xref{Encrypting/decrypting gpg files}.

@node Bug Reports
@chapter Bug Reports

Bugs and problems with EasyPG Assistant are actively worked on by the
Emacs development team.  Feature requests and suggestions are also
more than welcome.  Use @kbd{M-x report-emacs-bug}, @pxref{Bugs, ,
Bugs, emacs, Reporting Bugs}.

When submitting a bug report, please try to describe in excruciating
detail the steps required to reproduce the problem.  Also try to
collect necessary information to fix the bug, such as:

@itemize @bullet
@item the GnuPG version.  Send the output of @samp{gpg --version}.
@item the GnuPG configuration.  Send the contents of @file{~/.gnupg/gpg.conf}.
@end itemize

Before reporting the bug, you should set @code{epg-debug} in the
@file{~/.emacs} file and repeat the bug.  Then, include the contents
of the @file{ *epg-debug*} buffer.  Note that the first letter of the
buffer name is a whitespace.

@node GNU Free Documentation License
@appendix GNU Free Documentation License
@include doclicense.texi

@node Key Index
@unnumbered Key Index
@printindex ky

@node Function Index
@unnumbered Function Index
@printindex fn

@node Variable Index
@unnumbered Variable Index
@printindex vr

@bye

@c End: