By default, every file whose name ends with ‘.gpg’ will be treated as encrypted. That is, when you open such a file, the decrypted text is inserted in the buffer rather than the encrypted one. Similarly, when you save the buffer to a ‘foo.gpg’ file, encrypted data is written.
When you save a buffer to an encrypted file for the first time, EasyPG Assistant presents you a list of keys in a buffer ‘*Keys*’ where you can select recipients for encryption. See Key Management, for a description of the format of that buffer. You can streamline this recipient selection step by customizing the variables epa-file-encrypt-to and epa-file-select-keys described further below in this section.
If you do not select any recipient during this step, EasyPG Assistant uses symmetric encryption. As a consequence, you have to enter the passphrase twice for every buffer save and every so often for file reads, since the GnuPG Agent caches your passphrase for file reads at least for some time, but not for buffer saves. See Caching Passphrases, for more information.
If you have created your own keypair (1), you can select that as recipient, and EasyPG Assistant will use public key encryption for that file. Since GnuPG performs encryption with your public key, it does not prompt for a passphrase for the buffer save, but it will prompt for your passphrase for file reads every now and then, depending on the GnuPG Agent cache configuration.
To encrypt and decrypt files as described above, EasyPG Assistant under certain circumstances uses intermediate temporary files that contain the plain-text contents of the files it processes. EasyPG Assistant creates them below the directory returned by the function temporary-file-directory (see Generating Unique File Names in GNU Emacs Lisp Reference Manual). If you want to be sure not to leave any plain-text traces, use an encrypted file system at least for that directory.
The file name pattern for encrypted files can be controlled by a user option whose value is a regexp matching the file names to be treated as encrypted.
You can disable this behavior with M-x epa-file-disable, and then get it back with M-x epa-file-enable.

epa-file-disable: Disable automatic encryption/decryption of *.gpg files.
epa-file-enable: Enable automatic encryption/decryption of *.gpg files.
By default, epa-file will try to use symmetric encryption, aka password-based encryption. If you want to use public key encryption instead, do M-x epa-file-select-keys, which pops up the key selection dialog.

epa-file-select-keys (command): Select recipient keys to encrypt the currently visited file with public key encryption.
You can also change the default behavior with the variable epa-file-select-keys.

epa-file-select-keys (variable): Control whether or not to pop up the key selection dialog.
For frequently visited files, it might be a good idea to tell Emacs which encryption method should be used through file variables (see Local Variables in Files in The Emacs Editor). Use the epa-file-encrypt-to local variable for this.
For example, if you want an Elisp file to be encrypted with a public key associated with the email address ‘email@example.com’, add the following line to the beginning of the file.

;; -*- epa-file-encrypt-to: ("email@example.com") -*-
Instead, if you want the file always (regardless of the value of the epa-file-select-keys variable) encrypted with symmetric encryption, change the line as follows.

;; -*- epa-file-encrypt-to: nil -*-
Other variables which control the automatic encryption/decryption behavior are below.
If non-nil, cache passphrase for symmetric encryption. The default value is nil.
For security reasons, this option is turned off by default and not recommended to be used. Instead, consider using the GnuPG Agent, which in many cases can do the same job, and does it in a safer way. See Caching Passphrases, for more information.
If non-nil, disable auto-saving when opening an encrypted file. The default value is
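The following init.el fragment is an added example (not from the EasyPG manual) that applies the caveats above in one place: it keeps the temporary plain-text copies on an encrypted volume, leaves passphrase caching to gpg-agent, and automates the epa-file-encrypt-to prop line shown earlier. It uses the option names as defined in Emacs's epa-file; the path /secure/tmp and the my/ helper are assumptions.

```elisp
;; Added example, not part of the EasyPG manual.  "/secure/tmp/" is an
;; assumed mount point on an encrypted file system; my/... is hypothetical.
(require 'epa-file)
(epa-file-enable)                       ; *.gpg files handled transparently

;; Intermediate plain-text files land below `temporary-file-directory';
;; point it at the encrypted volume whenever that volume is mounted.
(let ((secure-tmp "/secure/tmp/"))
  (when (file-directory-p secure-tmp)
    (setq temporary-file-directory secure-tmp)))

;; Never let Emacs cache a symmetric passphrase itself (gpg-agent does
;; this more safely), and keep auto-save off for encrypted buffers so
;; no auto-save copy of the decrypted contents is written.
(setq epa-file-cache-passphrase-for-symmetric-encryption nil
      epa-file-inhibit-auto-save t)

(defun my/epa-pin-recipient (recipient)
  "Record RECIPIENT as the `epa-file-encrypt-to' file-local variable.
RECIPIENT is a key id or email address.  An empty string pins
symmetric encryption (the value nil), as in the manual's second example.
Refuses to act on a buffer whose file name epa-file would not handle."
  (interactive "sRecipient (empty for symmetric): ")
  (unless (and buffer-file-name
               (string-match-p epa-file-name-regexp buffer-file-name))
    (user-error "Buffer is not visiting a file handled by epa-file"))
  ;; `add-file-local-variable-prop-line' writes or updates the -*- ... -*-
  ;; line in the buffer's own comment syntax; save afterwards to apply it.
  (add-file-local-variable-prop-line
   'epa-file-encrypt-to
   (if (string-empty-p recipient) nil (list recipient))))
```

Run M-x my/epa-pin-recipient in a visited .gpg buffer and save; subsequent saves use the pinned method without the *Keys* dialog.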
(1) For encryption and decryption of files you do not intend to share, you do not have to use an email address as recipient during creation of the keypair. You can also use some free-form string that gives information on the use of the keypair, like