Wednesday, February 2, 2011

Securing your private email credentials using Gnus and EPA/EPG

(first draft)

Securing Your Gnus Information. rgr Feb 1st, 2010.

You may want your Gnus email/NNTP access configuration to stay private. That is harder now that it is so common to keep dotfiles in an online repository for syncing between machines (for example, holding your Emacs configuration on GitHub): it is easy to open up the repository by accident or to get the file permissions wrong, and a laptop can simply be lost. Emacs's integration with EasyPG (epa/epg) and GnuPG makes securing this a doddle.

The traditional .authinfo file meant storing your password in plaintext, something many people do not like to do. One option is simply to save .authinfo again as .authinfo.gpg: Emacs/GnuPG will prompt you for the key to encrypt to (your own public key) and away you go. epa/epg usage is covered in the EasyPG section of the Emacs manual. Don't forget to remove the original .authinfo afterwards, and if the directory is under version control check that the plaintext copy was never committed, because an encrypted file sitting next to a plaintext one in the history protects nothing. Configure auth-sources and Emacs will use the .gpg file by default if it exists (the default value already lists ~/.authinfo.gpg). The usage and format of authinfo are described in the Emacs and Gnus manuals. My setting is

(setq auth-sources
      '((:source "/home/me/.emacs.d/.authinfo.gpg" :host t :protocol t)))
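The following is an added example, not code from the original post: it points auth-sources at the encrypted file only, warns if a plaintext credential file is still lying around, and wraps a lookup so you can check end to end that Gnus will find the password. It assumes ~/.emacs.d/.authinfo.gpg holds a line like the one in the comment; the host, login and password are made-up placeholders, and the helper name is my own.

```emacs-lisp
;; Added example (not from the original post): point auth-sources at the
;; encrypted file only, warn if a plaintext .authinfo is still around, and
;; check that a credential lookup works end to end.
;; Assumes ~/.emacs.d/.authinfo.gpg contains a line such as
;;   machine imap.example.com login me port 993 password s3cret
;; (host, login and password are made-up placeholders).
(require 'auth-source)
(require 'epa-file)
(epa-file-enable)   ; harmless if auto-encryption-mode is already on

;; Simple file-list form accepted by Emacs 24 and later.  The plaintext
;; ~/.authinfo is deliberately not listed, so Gnus cannot fall back to it.
(setq auth-sources '("~/.emacs.d/.authinfo.gpg"))

;; Leftover plaintext copies defeat the point of the .gpg file.
(dolist (f '("~/.authinfo" "~/.emacs.d/.authinfo" "~/.netrc"))
  (when (file-exists-p f)
    (warn "Plaintext credential file %s still exists; delete it now that %s is encrypted"
          f (car auth-sources))))

(defun my-lookup-password (host user)
  "Return the password for USER at HOST from `auth-sources', or nil.
The first call triggers the GnuPG passphrase prompt (or gpg-agent)."
  (let* ((entry (car (auth-source-search :host host :user user
                                         :max 1 :require '(:secret))))
         (secret (plist-get entry :secret)))
    ;; Since Emacs 24 :secret is a closure rather than the string itself,
    ;; so the password does not sit in the returned plist.
    (if (functionp secret) (funcall secret) secret)))

;; Try it interactively: M-: (my-lookup-password "imap.example.com" "me")
```

If the lookup returns nil, the usual causes are a typo in the machine/login fields, the entry living in a file that is not listed in auth-sources, or a stale cache; `M-x auth-source-forget-all-cached` clears the latter.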

We can extend this to storing the more secretive part of your Gnus
online life (and any other emacs subset) in a .gpg file.

Let's create a file "my-config.gpg". Its first line is a file-local-variables line (a single -*- ... -*- pair with the settings separated by semicolons) telling Emacs that the file contains Emacs Lisp and which key it should be encrypted to; the key ID is masked here, use your own:

;; -*- mode: emacs-lisp; epa-file-encrypt-to: ("86E37324********") -*-

In it you can store private information, such as your ERC password and perhaps some Gnus posting styles (the empty strings and masked key ID below are placeholders to fill in):

(setq erc-password "123456")

;; Posting styles: the first element is a regexp matched against the group name.
(add-to-list 'gnus-posting-styles
             `(,(rx (or "INBOX.trolling" ""))
               (from "Tommy <>")
               (name "Tommy Troll"))
             t)

(add-to-list 'gnus-posting-styles
             `(,(rx (or "serious"))
               (name "Serious")
               (address "")
               (from "Simon Serious <>")
               ;; sign mail sent from this identity with this (masked) key
               (eval (setq mml2015-signers '("12349876")))
               (organization "")
               (signature-file "~/.emacs.d/.sigs/serious.sig"))
             t)

(provide 'my-config)

Loading this file causes Emacs, or gpg-agent on its behalf, to prompt for the passphrase to decrypt it unless the agent or Emacs has already cached the passphrase for that key. The prompt is a problem when you run the Emacs daemon, especially if the daemon is started at system login, because no one is in front of it to answer. So when should the prompt happen? One nice way is to load the .gpg file only when you create an Emacs frame, e.g.

(defun load-secure-config (_frame)
  "Load the encrypted config on frame creation; the frame argument is ignored.
my-config.gpg must be in a directory on `load-path'."
  (require 'my-config "my-config.gpg"))

(add-hook 'after-make-frame-functions 'load-secure-config)

Here the private configuration is only decrypted and loaded when you actually bring up an Emacs frame, and since `require` does nothing once the feature is present, opening further frames does not prompt again. For Gnus that is generally sufficient. Bear in mind what this protects: the encrypted file is safe at rest (in the repository, in backups, on a lost laptop), but once loaded the passwords are ordinary strings in the memory of the running Emacs, as they have to be for Gnus or ERC to use them.
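As an added example (my code, not the post's), here is a more defensive version of the same frame hook. It selects the new frame before loading, so a minibuffer passphrase prompt lands in a frame the user can see rather than the daemon's invisible initial frame; it loads the file by absolute path so nothing has to be on load-path; and if the prompt is cancelled or decryption fails it reports the error and leaves the hook in place so the next frame gets another chance. It assumes the file is ~/.emacs.d/my-config.gpg and ends with (provide 'my-config) as above; the variable and function names are my own.

```emacs-lisp
;; Added example (not from the original post): a defensive variant of the
;; after-make-frame-functions loader.  Assumes ~/.emacs.d/my-config.gpg is
;; the encrypted file shown earlier and that it ends with (provide 'my-config).
(require 'epa-file)
(epa-file-enable)   ; harmless if auto-encryption-mode is already on

(defvar my-secure-config-file
  (expand-file-name "my-config.gpg" user-emacs-directory)
  "Encrypted Emacs Lisp holding credentials; decrypted on the first frame only.")

(defun my-load-secure-config (&optional frame)
  "Load `my-secure-config-file' once, with FRAME selected.
Meant for `after-make-frame-functions', so any passphrase prompt is raised
when a user is in front of a frame rather than at daemon start-up.  If the
prompt is cancelled or decryption fails, nothing is loaded and the hook
stays installed so the next new frame tries again."
  (unless (featurep 'my-config)
    (with-selected-frame (or frame (selected-frame))
      (condition-case err
          (progn
            ;; `load' reads the file through epa-file, which decrypts it.
            (load my-secure-config-file nil 'nomessage)
            (unless (featurep 'my-config)
              (error "%s did not provide the feature my-config"
                     my-secure-config-file))
            ;; Loaded successfully: no need to run on later frames.
            (remove-hook 'after-make-frame-functions #'my-load-secure-config))
        (error
         (message "Secure config not loaded: %s"
                  (error-message-string err)))))))

(add-hook 'after-make-frame-functions #'my-load-secure-config)

;; Outside the daemon the first frame already exists when init runs, so the
;; hook would never fire; load right away in that case.
(unless (daemonp)
  (my-load-secure-config (selected-frame)))
```

With gpg-agent and a pinentry program the prompt is an external window and the frame selection does not matter; it is the fallback case, where EasyPG asks for the passphrase in the minibuffer, that the with-selected-frame guards against.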

My Emacs Files At GitHub
