3.6 Encrypting and Decrypting gpg Files

By default, every file whose name ends with .gpg will be treated as encrypted. That is, when you open such a file, the decrypted text is inserted into the buffer rather than the encrypted one. Similarly, when you save the buffer to a foo.gpg file, encrypted data is written.

When you save a buffer to an encrypted file for the first time, EasyPG Assistant presents you with a list of keys in a buffer *Keys* where you can select recipients for encryption. See Key Management, for a description of the format of that buffer. You can streamline this recipient selection step by customizing the variables epa-file-encrypt-to and epa-file-select-keys described further below in this section.

If you do not select any recipient during this step, EasyPG Assistant uses symmetric encryption. As a consequence, you have to enter the passphrase twice for every buffer save and every so often for file reads, since the GnuPG Agent caches your passphrase for file reads at least for some time, but not for buffer saves. See Caching Passphrases, for more information.

If you have created your own keypair(1), you can select that as recipient, and EasyPG Assistant will use public key encryption for that file. Since GnuPG performs encryption with your public key, it does not prompt for a passphrase for the buffer save, but it will prompt for your passphrase for file reads every now and then, depending on the GnuPG Agent cache configuration.

To encrypt and decrypt files as described above, EasyPG Assistant under certain circumstances uses intermediate temporary files that contain the plain-text contents of the files it processes. EasyPG Assistant creates them below the directory returned by the function temporary-file-directory (see Generating Unique File Names in GNU Emacs Lisp Reference Manual). If you want to be sure not to leave any plain-text traces, use an encrypted file system at least for that directory.

The file name pattern for encrypted files can be controlled by epa-file-name-regexp.

Variable: epa-file-name-regexp

Regexp which matches filenames treated as encrypted.

You can disable this behavior with M-x epa-file-disable, and then get it back with M-x epa-file-enable.

Command: epa-file-disable

Disable automatic encryption/decryption of *.gpg files.

Command: epa-file-enable

Enable automatic encryption/decryption of *.gpg files.

By default, epa-file will try to use symmetric encryption, aka password-based encryption. If you want to use public key encryption instead, do M-x epa-file-select-keys, which pops up the key selection dialog.

Command: epa-file-select-keys

Select recipient keys to encrypt the currently visited file with public key encryption.

You can also change the default behavior with the variable epa-file-select-keys.

Variable: epa-file-select-keys

Control whether or not to pop up the key selection dialog.

For frequently visited files, it might be a good idea to tell Emacs which encryption method should be used through file variables (see Local Variables in Files in The Emacs Editor). Use the epa-file-encrypt-to local variable for this.

For example, if you want an Elisp file to be encrypted with a public key associated with an email address ‘ueno@unixuser.org’, add the following line to the beginning of the file.

;; -*- epa-file-encrypt-to: ("ueno@unixuser.org") -*-

Instead, if you want the file always to be encrypted with symmetric encryption (regardless of the value of the epa-file-select-keys variable), change the line as follows.

;; -*- epa-file-encrypt-to: nil -*-

Other variables which control the automatic encryption/decryption behavior are listed below.

Variable: epa-file-cache-passphrase-for-symmetric-encryption

If non-nil, cache passphrase for symmetric encryption. The default value is nil.

For security reasons, this option is turned off by default and its use is not recommended. Instead, consider using the GnuPG Agent, which in many cases can do the same job, and does it in a safer way. See Caching Passphrases, for more information.

Variable: epa-file-inhibit-auto-save

If non-nil, disable auto-saving when opening an encrypted file. The default value is t.
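Pulling the variables of this section together, here is an init-file fragment as an added example (it is not code from the EasyPG manual). It assumes a ~/notes/ directory of files encrypted only for yourself, a placeholder key ID, and a ~/.cache/emacs-tmp/ directory that lies on an encrypted or RAM-backed file system; the reporting helper at the end is hypothetical and only mirrors the precedence of the settings described above.

```elisp
;; init.el fragment: added example, not part of the EasyPG manual.
;; Assumed: ~/notes/ holds files encrypted only for yourself, "YOUR-KEY-ID"
;; is a placeholder for your own key, and ~/.cache/emacs-tmp/ lies on an
;; encrypted or RAM-backed file system.
(require 'epa-file)
(epa-file-enable)                       ; handle *.gpg files automatically

;; Keep the secure defaults explicit: let gpg-agent cache passphrases,
;; never Emacs, and never auto-save the plain text of an encrypted buffer.
(setq epa-file-cache-passphrase-for-symmetric-encryption nil
      epa-file-inhibit-auto-save t)

;; Ask for recipients only when no buffer-local epa-file-encrypt-to exists.
(setq epa-file-select-keys nil)

;; Directory-local recipient: same effect as the file-local line in the
;; manual, but for every file below ~/notes/.  The value becomes
;; buffer-local, so saves there never fall back to symmetric encryption.
(dir-locals-set-class-variables
 'encrypted-notes
 '((nil . ((epa-file-encrypt-to . ("YOUR-KEY-ID"))))))
(dir-locals-set-directory-class (expand-file-name "~/notes/") 'encrypted-notes)

;; Plain-text temporaries are created below `temporary-file-directory';
;; keep them out of the shared /tmp and readable only by this user.
(setq temporary-file-directory (expand-file-name "~/.cache/emacs-tmp/"))
(make-directory temporary-file-directory t)
(set-file-modes temporary-file-directory #o700)

(defun my-epa-encryption-mode ()
  "Report how the current buffer's file will be encrypted on its next save.
Hypothetical helper, not part of EasyPG; it follows the precedence of
`epa-file-select-keys' and `epa-file-encrypt-to' described in the manual."
  (interactive)
  (message "%s: %s" (or buffer-file-name "<no file>")
           (cond ((not (and buffer-file-name
                            (string-match-p epa-file-name-regexp
                                            buffer-file-name)))
                  "not an encrypted file name; written as plain text")
                 ((or (eq epa-file-select-keys t)
                      (and (null epa-file-select-keys)
                           (not (local-variable-p 'epa-file-encrypt-to))))
                  "recipient selection dialog on save")
                 (epa-file-encrypt-to
                  (format "public-key encryption to %S" epa-file-encrypt-to))
                 (t "symmetric (passphrase) encryption"))))
```

Run M-x my-epa-encryption-mode in a buffer visiting a .gpg file to see which branch applies before you save.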


Footnotes

(1)

For encryption and decryption of files you do not intend to share, you do not have to use an email address as recipient during creation of the keypair. You can also use some free-form string that gives information on the use of the keypair, like ‘backup’ or ‘account database’.