As I’ve been mailing out invites I discovered a minor problem with my data.
My main email client is the fantastically functional mutt. It’s terminal based but incredibly flexible. When it comes to mass sorting/searching your email it leaves GUI-based clients standing. However, now that I’m roving around with a Google Phone, the majority of my contact data is in the cloud. While I have a small address file used by mutt, it only has a few oft-mailed addresses in it.
There is one wrinkle, however. The configuration of the script involves putting some rather valuable login details in a plain text file on your home partition. While I like to think my machines are pretty secure and maintained, you can always do more. Good security is defence in depth. A quick patch later and I can store those details in a GPG-encrypted file that can be decrypted on the fly when required.
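An added example (not the patch mentioned above, and not the script's own code): one way a Python script could read its login details from a GPG-encrypted config without ever writing the plaintext to disk. The INI format, the function names and the file path are assumptions; decryption shells out to the `gpg` command, and a plaintext config is refused if other users can access it.

```python
import configparser
import os
import stat
import subprocess


def gpg_decrypt(path):
    """Return the plaintext of a GPG-encrypted file as str (kept in memory only)."""
    result = subprocess.run(
        ["gpg", "--quiet", "--batch", "--decrypt", path],
        check=True, capture_output=True,
    )
    return result.stdout.decode("utf-8")


def load_config(path, decrypt=gpg_decrypt):
    """Parse an INI-style config, decrypting on the fly when path ends in .gpg.

    A plaintext file is accepted only if group and others have no access,
    because it holds login details.
    """
    if path.endswith(".gpg"):
        text = decrypt(path)
    else:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path} is accessible to other users (mode {mode:o})")
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    # interpolation=None so a '%' in a password is read literally
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text, source=path)
    return parser


if __name__ == "__main__":
    # Hypothetical path, used here for illustration only.
    cfg = load_config(os.path.expanduser("~/.example-script.rc.gpg"))
    print(sorted(cfg.sections()))
```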
The final piece of the puzzle is creating these encrypted config files in the first place. Although you can do this by hand from the command line, I find the best method is using EasyPG (now part of Emacs 23). This will automatically cause any files with a .gpg extension to be encrypted. You can control the Emacs mode selection and the default encryption key by using file variables in the header comments of the file.
It’s not all perfect though; when enabling EasyPG I had to do the following:
(if (maybe-load-library "epa-file")
    (progn
      (setenv "GPG_AGENT_INFO" nil) ; gpg-agent confuses epa when getting passphrase
      (epa-file-enable)))
The problem seems to be that when GPG agent runs in terminal mode it confuses Emacs/EasyPG. By suppressing the GPG_AGENT_INFO environment variable, EasyPG will fall back to requesting your passphrase in the mode line. While it takes care to flush the value as soon as possible, it does open a small window of attack if an attacker can cause Emacs to crash and dump core.