Saturday, December 22, 2012

Encrypted emacs customizations

Sometimes you want to store passwords in your configuration. Several things need it, such as gnus and emacs-jabber. You don't want to have to lock down your whole initialization file, you just want to protect the settings you care about.

There is a way to do this, and it isn't too hard, at least on GNU/Linux.

What you need to do is put your settings in a file in the ~/.emacs.d/ directory (assuming that directory is in your load path), with a .el.gpg suffix. The .gpg suffix tells emacs that the file needs to be encrypted with the gpg program (the program referenced in the variable epg-gpg-program, defaulting to "gpg"). Whenever you save such a buffer, you need to supply a password with which to encrypt the file. It's kind of a pain in the ass, actually, but hopefully your settings are a write-once sort of thing.

Assuming that you can create such a file because you have gpg installed, you then need to make sure that those elisp files with gpg suffixes are loadable via require and load statements:

(add-to-list 'load-suffixes ".el.gpg")

Then it's a simple matter of requiring your file. If your file was named secure-config.el.gpg, then (require 'secure-config) will load it. Be warned: when it loads, you have to enter the password it was saved with so it can be decrypted. That means that you shouldn't just have the require statement in your initialization file, otherwise you'd have to enter the password every time emacs loads. Better to do something like:

(defun ash-jabber ()
  (interactive)
  (require 'secure-config)
  (jabber-connect-all))  

This makes sure that I'll be prompted for the password only when I want to use the program that requires the password. You could also instead "advise" the loading function (in this case, jabber-connect-all) if you want to avoid having an extra function.
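The advice alternative mentioned above, as an added example that is not code from the original post. It assumes Emacs 24.4 or later (for advice-add); the helper name my/load-secure-config, the account name and the password value are hypothetical placeholders.

```emacs-lisp
;;; ---- In your initialization file ----

;; Let `require' and `load' find encrypted elisp files.
(add-to-list 'load-suffixes ".el.gpg")

(defun my/load-secure-config (&rest _args)
  "Load secure-config.el.gpg, prompting for the passphrase if needed.
`require' is a no-op once the feature is loaded, so the prompt
appears at most once per Emacs session."
  (require 'secure-config))

;; Run the loader just before jabber-connect-all, so the secrets are
;; decrypted only when a connection is actually requested.  The advice
;; can be installed before emacs-jabber itself has been loaded.
(advice-add 'jabber-connect-all :before #'my/load-secure-config)

;;; ---- Contents of ~/.emacs.d/secure-config.el.gpg ----
;;; (shown as plaintext; it exists on disk only in encrypted form)

;; Constructed sample account; replace with your own settings.
(setq jabber-account-list
      '(("user@example.org"
         (:password . "REPLACE-WITH-YOUR-PASSWORD"))))

;; Without this form (require 'secure-config) signals an error after
;; loading the file, because the feature was never provided.
(provide 'secure-config)
```

To undo the advice, evaluate (advice-remove 'jabber-connect-all #'my/load-secure-config).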

I'd highly encourage you to use this system when dealing with passwords in your initialization files.
