Encrypted hledger with Emacs and GnuPG2016-07-18
A reasonably seamless way to work with encrypted ledger files
Both personal notes and financial documents warrant extra security measures. Emacs' EasyPG integrates seamlessly with my day-to-day emacsing, so I decided to leverage the fact. Below are some short notes on how to get things working with the least amount of hassle.
This blog entry assumes the reader has GnuPG set up on their machine.
Encrypting your text files
EasyPG has a neat way of letting you specify whose public key you'd like to encrypt a given file with. You can set elisp variables in a 'special' comment on the first line of the file:
;; -*- epa-file-encrypt-to: ("email@example.com"); -*-
When emacs reads this file from disk, it will set the buffer-local variable
epa-file-encrypt-to to your specified email address. This means that, upon
saving, EasyPG will use that public key to encrypt the file.
However, until you actually save the file to disk, and then re-read it, EasyPG will ask you to specify whose key you'd like to encrpyt the file with... Didn't we just do that via the 'magic comment'!?
There is a way around this behavior. We'll force Emacs to interpret the magic
comment by switching to
normal-mode and back.
(defun refresh-buffer () "Reload file-local variables" (interactive) (let ((v major-mode)) (normal-mode) (funcall v))) (global-set-key (kbd "<f5>") 'refresh-buffer)
Now we need to just hit
<F5> once after writing the magic comment. After
that, the file will get auto-encrypted whenever we save with
If you have a whole directory of files you'd like to encrypt (like a personal
diary), it's best to leverage emacs' 'directory
variables' feature. Just
pop a file named
.dir-locals.el in the directory, and inside it, put:
( (nil . ((epa-file-encrypt-to . ("firstname.lastname@example.org")))) )
This will tell EasyPG to encrypt all files you save in this directory with
nil in the car of the first pair stands for
"any major mode").
Decrypting your text files
This is easiest if you save all your encrypted files as
XYZ.gpg.asc, and then set the following variable:
(setq epa-file-name-regexp "\\.\\(gpg\\|\\asc\\)\\(~\\|\\.~[0-9]+~\\)?\\'") (epa-file-name-regexp-update)
Upon opening an encrypted file, Emacs (or your window manager) will pop up a modal window asking for your private key passphrase. This only has to be done once in a while, as the passphrase is cached in memory by gpg-agent for some time.
And now, the legder
This is a sample journal file from hledger's documentation:
; A sample journal file. This is a comment. 2008/01/01 income assets:bank:checking $1 income:salary $-1 2008/06/01 gift assets:bank:checking $1 income:gifts $-1
As noted above, we'll just need to furnish it with EasyPG's magic variable:
; -*- epa-file-encrypt-to: ("email@example.com"); -*- ; A sample journal file. This is a comment. 2008/01/01 income assets:bank:checking $1 income:salary $-1
<F5>, and then save the file as
it, and then verify that it's encrypted via:
$ cat ~/hledger.journal.gpg.asc -----BEGIN PGP MESSAGE----- Version: GnuPG v2 hBENO538+KYKbPGzAQf9HlZ7eFwE/V/kCwCRCzA2B1Zvut3MJONtIZ8O0bcAyRLS xfZt9wlg4v5yZtGji6SH73yzlxdz2VZRjkTb7neVIUz/ySJlrzoS+R1SPEBvBHy+ W5j/+bitbx/gqWMwCC3cn2geSY86mnKmAFdtbFeD56Zyb7sgv0KAghrKUhDUU+lc Lfl920jsryYu+VjDohJDJyuLGv9j4o62i47D4tQIwSGhFYZArLmqs6et/wKKZWIr (...)
Now, we'll tell hledger to always use this file for generating reports. I keep
a separate script named
hl, containing the following:
#!/bin/sh gpg2 --decrypt $HOME/hledger.journal.gpg.asc 2>/dev/null | hledger -f- "$@"
You can now use
hl reg expenses to feel bad about your wastefulness.