Start a new topic

How to make emacs org-crypt encryption work as smoothly as Beorg?

Hello all,
I am enjoying the encryption extension quite a lot and it seems to work quite well in Beorg. Editing entries is really, just open, touch/face-id to decrypt, make changes, and encrypt again.

On emacs, though, the flow for symmetric encryption with org-crypt is pretty clunky.

In this example, I make 1 edit to my file, with 1 for-safety save and I get to enter the encryption password  5 times!
1. Decrypt entry, enter pass
2. edit
3. save (you know, because of org-crypt, autosave is disabled, good to save occasionally)
4. enter pass
5. enter pass again (password confirmation)
6. now text is encrypted, but we didn't finish the edit -- decrypt again
7. save for good (edit now final)
8. enter pass
9. enter pass again (password confirmation)

Why does emacs/gpg request the password every time, isn't gpg-agent supposed to remember you password for a few minutes so you do less typing (or help retrieve it from keyring)? Yes, gpg-agent is supposed to do that. It seems the issue is emacs should tell gpg-agent "need pass for key-target" but instead its does "need pass for key-target for hash(text)." You change the text, so hash(text) changes and gpg-agent thinks you're enter a pass for something completely new.

Anyone know a way to make emacs play nicer, or customize what id org-crypt attaches to the text? Know a way to make emacs play as nice as Beorg?

I made some poor attempts to insert a shell script shim between emacs and actual gpg binaries, but epg finds the actual binaries (think it reads from system and .gnupg).

1 person has this question

If anyone does have an answer for this I'll add it to the FAQ section of the website.


I had the same question and have made some progress with it.
The password is now cached after the first encryption and the following accesses are made without having to enter the password.
There is a cache of one hour on my machine, see below for some options to increase this. I'm using gpg and gpg-agent on debian, i haven't configured this my mac yet but gpg2 is available so it should probably work.

Here is the config i'm using:

(require 'org-crypt)
(require 'epa-file)
(setq org-tags-exclude-from-inheritance (quote ("crypt")))
(setq org-crypt-key "")
;;this makes gpg ask gpg-agent instead of emacs
(setf epa-pinentry-mode 'ask)

Setting epa-pinentry-mode to "ask" is what made password caching work as it now asks gpg-agent instead off Emacs.

Here is some info from epg-config.el regarding this variable:

Note: This variable is obsolete since 27.1, use ‘epg-pinentry-mode’ instead.
GnuPG 2.1 or later has an option to control the behavior of  Pinentry invocation.  
The value should be the symbol ‘error’, ‘ask’, ‘cancel’, or ‘loopback’.  
See the GnuPG manual for the  meanings.


From Man gpg

--pinentry-mode mode
ask: Force the use of the Pinentry.
loopback:  Redirect  Pinentry  queries  to the caller.  


Here are some options from Man gpg-agent which can extend the time during which the key is cached:

--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry’s timer is reset. To set an entry’s maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.

--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).

I have not tested this but these options can be set in the gpg-agent config file:

The  default  configuration  file  is named  ‘gpg-agent.conf’  and  expected in the ‘.gnupg’ directory directly below the home directory of the user.


Some more info i came across:
Overview of options for caching passphrases depending on gpg versions:

I hope this works for you.

Login or Signup to post a comment