On Sat, Dec 11, 2010 at 08:33:30PM -0500, Bill Mills-Curran wrote:
> On Fri, Dec 10, 2010 at 11:18:14PM -0500, Ryan Pugatch wrote:
> > From: Ryan Pugatch <rpug-vYTEC60ixJUAvxtiuMwx3w at public.gmane.org>
> > To: blu <discuss-mNDKBlG2WHs at public.gmane.org>
> > Date: Fri, 10 Dec 2010 23:18:14 -0500
> > Subject: Password security - was MyPasswordSafe converter to KeePassX available
> >
> <snip>
> >
> > This seems like a pretty neat idea.  Maybe I'm just set in my ways, but
> > I just keep my passwords stored in a gpg encrypted file.
> >
> > I have a Makefile which I use to easily decrypt/view/edit/encrypt and it
> > uses bcwipe to securely erase the unencrypted version.
>
> I also keep my (too many) passwords in a gpg encrypted file.  I
> decrypt in an xemacs shell so there's no decrypted file on disk.
> (Yes, I'm sure it exists in swap somewhere.)
>
> Bill

I do the same kind of thing, and wrote a set of hooks to make xemacs
pretend it's a regular file and do the de/encryption behind the scenes
for me.  the ways in which it doesn't act like a normal file are:

* you obviously have to type in your passphrase to open the file and
  before saves after the passphrase timeout
* I turn off auto-save so unencrypted versions don't get written to
  disk.  it does do version control (e.g. kept-new-versions) on the
  encrypted files.
* when you save, it's a bit annoying that due to the
  encrypt-save-decrypt it moves you to the start of the file every time

this works in my xemacs but last time I tried this in emacs it didn't.
it might need you to (require 'cl), I'm not sure.

relevant fragment from my .emacs below in case someone else finds it
useful.

--grg

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;
;;;; GPG/mailcrypt
;;;;

(ignore-errors
  (require 'mailcrypt)
  ;;(require 'mailcrypt-init) ;; which of these is right?
  (if (string< "3.4" mc-version)
      (mc-setversion "gpg")) ; only for mc-version > 3.4
  (autoload 'mc-install-write-mode "mailcrypt" nil t)
  (autoload 'mc-install-read-mode "mailcrypt" nil t))

;; If you have more than one key, specify the one to use
;(setq mc-gpg-user-id "0x12345678")

;; Always sign encrypted messages
(setq mc-pgp-always-sign t)

;; Allow self to decrypt all encrypted sent messages.
(setq mc-encrypt-for-me t)

;; How long should mailcrypt remember your passphrase
(setq mc-passwd-timeout 600)
;; note: (setf mc-passwd-cache nil) to wipe the remembered passphrases now
;; TBD: should make this an easy command and/or key binding.

;; To sign automatically every message sent
;(add-hook 'message-send-hook 'my-sign-message)
;(defun my-sign-message ()
;  (if (yes-or-no-p "Sign message? ")
;      (mc-sign-message)))

;(setq mc-pgp-keyserver-address "wwwkeys.us.pgp.net"
;      mc-pgp-keyserver-port 11371
;      mc-pgp-keyserver-url-template "/pks/lookup?op=get&search=%s")

;; Mnemonic shortcut.
(defun forget-passphrase ()
  (interactive)
  (mc-deactivate-passwd))

;;;
;;; Auto-Encrypted files
;;;

;; also note there's an "mc-auto-encrypt" package available online.

;; This is the auto-encryption function to be used as a load hook:
;;   ;;; Local Variables:
;;   ;;; eval: (grg-auto-encrypt "grg-F9EOTng7swpUX5oH2E+m6wslLGjC9pICYKB5T7WKXak at public.gmane.org")
;;   ;;; End:
;; Errors in the initial decryption (such as when loading an empty file with
;; only the above local variable) seem to prevent the hooks from being set
;; up in some xemacs versions.  Either bootstrap by loading a valid encrypted
;; file with the new name (deleting the old contents), or manually set the
;; before-save-hook, save, immediately exit, and then reload to get everything
;; set up correctly.

;; Partially stolen off the web from crs-auto-encrypt by Charles Sebold.
(defun grg-auto-encrypt (encrypt-key-email-address-string)

  ;; Create a before-save-hook (used by auto encryption functions).
  ;; Stolen verbatim off the web from Charles Sebold (csebold-Qq3zl6YTP9U at public.gmane.org).
  ;; These hooks might be useful in other functions; but if I do this at the
  ;; top level, I probably at least need to re-run the make-local-hooks here.
  (defvar before-save-hook nil)
  (make-local-hook 'before-save-hook)
  (defadvice save-buffer (before crs-before-save-run-hooks)
    "Run before-save-hook before saving."
    (run-hooks 'before-save-hook))
  (ad-activate 'save-buffer)
  (make-local-hook 'after-save-hook)

  ;; Urk -- the encrypt-decrypt combo adds a blank line before Local Variables
  ;; each time it's called... need to redefine mc-gpg-msg-end-line here?
  ;; But: it seems to work OK on xemacs 21.4.6 + mc 3.5.6.
  (make-local-variable 'mc-gpg-msg-end-line)
  (setq mc-gpg-msg-end-line "^-----END PGP MESSAGE-----\n?")

  (mc-decrypt)
  (not-modified)       ; decrypting makes it appear modified; reset.
  (auto-save-mode -1)  ; else we save #files# in clear text!
                       ; (a nil argument does not reliably turn it off)
                       ; (should I try auto-save-visited-file-name? auto-save would
                       ; be nice as long as it leaves me at the current point. TBD.)
  (make-local-variable 'recipient-string)
  (setq recipient-string encrypt-key-email-address-string)
  (make-local-variable 'pre-save-point)
  (add-hook 'before-save-hook
            (lambda ()
              (setq pre-save-point (point))
              ;; NOTE! it's important that the recipient not be empty -- that
              ;; saves the file in plaintext!
              ;; I should really be looking at the return value here...
              (mc-encrypt-generic recipient-string nil 0
                                  (save-excursion
                                    (end-of-buffer)
                                    (re-search-backward "[L]ocal Variables:" nil t)
                                    (beginning-of-line)
                                    (point)))
              (goto-char pre-save-point))
            nil t) ; make hook buffer-local
  (add-hook 'after-save-hook
            (lambda ()
              (mc-decrypt)    ; leave the buffer decrypted
              (not-modified)  ; decrypting makes it appear modified; reset.
              (goto-char pre-save-point)) ; FIXME: why isn't this working???
            nil t) ; make hook buffer-local
  )
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
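
The fragment's own comments flag one failure mode: an empty recipient, or an encryption step whose result is never checked, leaves plaintext in the buffer at save time. The guard below is an added example, not part of the original post or of mailcrypt; the names my-assert-buffer-armored and my-install-armor-guard are hypothetical, and it assumes it is installed after grg-auto-encrypt has added its own before-save-hook entry.

```elisp
;; Added example (not from the original post). Aborts the save unless the
;; text above the Local Variables block is a complete PGP-armored message.

(defun my-assert-buffer-armored ()
  "Signal an error unless the buffer body is a PGP-armored message.
Meant to run last in `before-save-hook', after the encrypting hook,
so that a failed or skipped encryption never reaches the disk."
  (save-excursion
    (goto-char (point-min))
    ;; LIMIT is the start of the Local Variables line, found the same way
    ;; the post's hook finds it, or the end of the buffer if there is none.
    (let ((limit (save-excursion
                   (goto-char (point-max))
                   (if (re-search-backward "[L]ocal Variables:" nil t)
                       (progn (beginning-of-line) (point))
                     (point-max)))))
      (or (and (looking-at "-----BEGIN PGP MESSAGE-----")
               (re-search-forward "^-----END PGP MESSAGE-----" limit t)
               ;; Only whitespace may sit between the armor and LIMIT;
               ;; anything else would be written out unencrypted.
               (progn (skip-chars-forward " \t\n" limit)
                      (>= (point) limit)))
          (error "Buffer is not PGP-armored; refusing to save plaintext")))))

(defun my-install-armor-guard ()
  "Append the guard to the buffer-local `before-save-hook'.
APPEND is t so the check runs after the hook that encrypts the buffer."
  (add-hook 'before-save-hook 'my-assert-buffer-armored t t))

;; Call (my-install-armor-guard) in the buffer once (grg-auto-encrypt ...)
;; has run, for example from the same eval: form wrapped in a progn.
```

Because the error is signalled before the file is written, the buffer stays as it was and the on-disk copy keeps its last encrypted contents.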