anticomputer / age.el Goto Github PK

Apparently epg runs temporary decryption through whatever the temporary-file-directory is set to. This is /tmp by default and that is not ideal, to say the least. This means that Emacs gpg decryptions litter the /tmp directory with plaintext copies of your gpg files (during a small window when opening or saving).

It does this with a predicatable pattern gpg-output* or gpg-input* since age.el is a port of epg functionality, it has the same weakness.

As a stopgap, age.el will run these operations through /dev/shm when and where it is available. I'll think about how we can do a buffer-only operation, since in our threat model limiting our plaintext exposure to emacs memory contents is the best we can hope for. While someone that has user privileges to monitor e.g. /dev/shm for file creations can obviously also dump memory from the emacs process, this would be a more annoying proposition than placing a filewatch and harvesting plaintext copies of decrypted files out of a temporary directory.

Making these intermediate writes at least remain memory resident as opposed to disk resident when /dev/shm is an option is a reasonable first step I reckon.

I'll note that memory contents can/will be flushed to disk in a variety of scenarios, but I don't like the idea of such a simple harvesting mechanism being available by default.

I think I should be able to just rework it such that everything runs over process stdio as opposed to intermediate plaintext files.

Hi,

would you be interested in having age.el added to one of the ELPAs?

While age discourages use of passphrase based symmetric encryption, and age.el does not intend to encourage or support symmetric passphrase based encryption for age files, we do need to support e.g. passphrase protected age identities.

Currently when trying to use a passphrase protected private ssh key as your identity from age.el you'll run into the following error:

run-hook-with-args-until-success: Opening input file: Age failed with error, failed to obtain passphrase: could not read passphrase for "/Users/anticomputer/.ssh/id_rsa": open /dev/tty: device not configured

We require a pinentry mechanism as age reads passphrases only via /dev/tty. The implication of FiloSottile/age#256 appears to be that we'll have to write a plugin, but I'd like folks to only have to depend on the age cli as a dependency for age.el, so I'll need to investigate alternatives for pinentry to age.

A workaround based on using rage instead of age is described at: https://github.com/anticomputer/age.el#known-issues

The current age.el mechanism for dealing with passphrase encrypted age files is a bit clunky and requires some custom functions and let bindings to disable the default asymmetric behaviors.

To address this we should implement a simple elisp based check for presence of the scrypt stanza as per https://github.com/C2SP/C2SP/blob/main/age.md which should be as simple as base64 decoding the file and matching on the presence of "-> scrypt" on the second line of the age v1 header.

When editing an age buffer in a TRAMP context, it decrypts fine if the file already exists, but on save will write a plaintext copy of the buffer to the remote end as opposed to the encrypted contents. I'm resolving this issue for 0.1.2.