Encrypted Journal Files?


Andy L

Oct 7, 2018, 11:39:47 AM
to Ledger
I'd like to encrypt my journal files.  Desired features:
- individual file encryption
- ability to check encrypted files into GitHub
- works with vim
- works with CSV import tools
- works with ledger's `import` feature

Yes I can always encrypt the whole directory...

But I prefer file-level encryption.  Is anyone doing this?  Does ledger or hledger support plugins that would allow me to embed custom file I/O?

Thanks in advance.

Martin Michlmayr

Oct 7, 2018, 11:41:31 AM
to ledge...@googlegroups.com
* Andy L <an...@r210.com> [2018-10-07 08:39]:
> But I prefer file-level encryption. Is anyone doing this? Does
> ledger or hledger support plugins that would allow me to embed
> custom file I/O?

I'm not sure about ledger/hledger but beancount supports decryption
with GnuPG out of the box.

--
Martin Michlmayr
https://www.cyrius.com/

John Wiegley

Oct 7, 2018, 1:09:42 PM
to Andy L, Ledger
>>>>> "AL" == Andy L <an...@r210.com> writes:

AL> But I prefer file-level encryption.  Is anyone doing this?  Does ledger or
AL> hledger support plugins that would allow me to embed custom file I/O?

That's been on the feature list for ledger for a while (at least in my mind),
but loopback encryption is so cheap in terms of solution that it was never
worth the effort.

John

Dániel Fancsali

Oct 7, 2018, 3:17:37 PM
to Andy L, Ledger
Hello,

Have a look at git-crypt; I am experimenting with that. It looks promising. Perhaps I'll even put together a HOWTO in the near future.

Regards,
Dan


jungle boogie

Oct 7, 2018, 3:56:52 PM
to ledge...@googlegroups.com
Thus said Andy L on Sun, 7 Oct 2018 08:39:47 -0700 (PDT)
> I'd like to encrypt my journal files. Desired features:
> - individual file encryption
> - ability to check encrypted files into GitHub
> - works with vim
> - works with CSV import tools
> - works with ledger's `import` feature
>
> Yes I can always encrypt the whole directory...
>

Scrypt can encrypt individual files without the need for all the GPG mess:
https://github.com/Tarsnap/scrypt

Of course you won't be able to open an encrypted file with vim.

John Wiegley

Oct 7, 2018, 3:57:27 PM
to Dániel Fancsali, Andy L, Ledger
>>>>> "DF" == Dániel Fancsali <fanc...@gmail.com> writes:

DF> Have a look at git-crypt, I am experimenting with that. It looks
DF> promising. Perhaps, I'll  even put together a HOWTO in the near future.

Hey, great idea! We're using that at work to store passwords.

John

Lifepillar

Oct 7, 2018, 4:41:21 PM
to ledge...@googlegroups.com
On 07/10/2018 21:56, jungle boogie wrote:
> Thus said Andy L on Sun, 7 Oct 2018 08:39:47 -0700 (PDT)
>> I'd like to encrypt my journal files.  Desired features:
>> - individual file encryption
>> - ability to check encrypted files into GitHub
>> - works with vim
>> - works with CSV import tools
>> - works with ledger's `import` feature
>>
>> Yes I can always encrypt the whole directory...
>>
>
> Scrypt can encrypt individual files without the need for all the GPG mess:
> https://github.com/Tarsnap/scrypt
>
> Of course you won't be able to open an encrypted file with vim.

Vim supports encrypted files transparently (see `:help encryption`),
if you are happy with Blowfish. Otherwise, there are plugins for
transparently editing GPG-encrypted files.

Life.

Andy L

Oct 8, 2018, 10:04:23 PM
to Ledger
I use git-crypt and it's a nice tool.  But my desire is for the files to be encrypted on disk, not just in the git repo.  Best would be for the files to be decrypted on-demand.

Something like this.

    cat <encrypted journal file> | my_decrypt_script | ledger ...

But AFAIK this can't work with journal files that have 'include' statements.

So instead I'm doing whole-folder encryption with eCryptfs (on Ubuntu...)

This works OK.  But IMO it would be better if there was an IO plugin system like beancount...

Simon Michael

Oct 9, 2018, 5:58:10 PM
to ledge...@googlegroups.com
I'd like to know how to do this too.

Committing encrypted files gives up readable history, diffs etc., but
that's the tradeoff.

My editor (Emacs) is set up to decrypt .gpg files automatically. I could
encrypt journal files and always run h/ledger from within Emacs, maybe
via some helper macros/elisp.

hledger doesn't support IO plugins. That could be nice.

But this loopback method that John mentioned is probably easier and more
command-line friendly. (I haven't researched it.)



Yuri Khan

Oct 10, 2018, 12:42:13 AM
to ledge...@googlegroups.com
On Wed, Oct 10, 2018 at 4:58 AM Simon Michael <si...@joyful.com> wrote:

> Committing encrypted files gives up readable history, diffs etc., but
> that's the tradeoff.

No, it doesn’t. The Pass[1] password manager stores passwords as
GPG-encrypted text files in a Git repository, and it registers a diff
driver for such files so you get readable diffs.

[1]: https://www.passwordstore.org/

It’s not terribly complicated either:

* The .gitattributes file in the root of repository contains the line
“*.gpg diff=gpg”.
* .git/config contains a section:

    [diff "gpg"]
        binary = true
        textconv = gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent
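The two-part setup above (a committed `.gitattributes` that maps `*.gpg` to a driver, plus a local `.git/config` section that tells git how to turn the ciphertext into text) is easy to script. The following is an added example, not code from pass or from this thread. `setup_gpg_diff_driver` writes exactly the attribute and config entries quoted in the post; `demo_readable_diff` is an assumption-laden demo that stands in base64 for GPG (a constructed, non-encrypting placeholder) purely so the mechanism can be exercised on a machine with no key, and the sample journal lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): register a git diff driver so files
# that are opaque on disk still produce readable text diffs via textconv.
set -eu

# The textconv command quoted in the post. A stand-in can be passed as $2
# so the mechanism can be exercised where no GPG key is available.
GPG_TEXTCONV='gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent'

# setup_gpg_diff_driver REPO [TEXTCONV]
setup_gpg_diff_driver() {
  repo=$1
  textconv=${2:-$GPG_TEXTCONV}
  # .gitattributes is committed, so clones learn that *.gpg uses the "gpg" driver
  printf '*.gpg diff=gpg\n' >> "$repo/.gitattributes"
  # the driver definition lives in .git/config, which is local and never committed
  git -C "$repo" config diff.gpg.binary true
  git -C "$repo" config diff.gpg.textconv "$textconv"
}

# Demo in a throwaway repo. base64 is a constructed stand-in for encryption
# (it hides nothing); real use keeps the gpg2 textconv above.
demo_readable_diff() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  setup_gpg_diff_driver "$repo" 'base64 -d'
  printf '2018/10/07 Coffee\n    Expenses:Food  3.50\n    Assets:Cash\n' | base64 > "$repo/journal.gpg"
  git -C "$repo" add .
  git -C "$repo" -c user.name=demo -c user.email=demo@example.com commit -q -m 'first'
  # change one amount; the on-disk file changes completely, the diff shows one line
  printf '2018/10/07 Coffee\n    Expenses:Food  4.00\n    Assets:Cash\n' | base64 > "$repo/journal.gpg"
  out=$(git -C "$repo" diff)
  rm -rf "$repo"
  printf '%s\n' "$out"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  demo_readable_diff
fi
```

The decryptor runs every time git needs to diff such a file, so the agent will prompt as usual. Leave `diff.gpg.cachetextconv` unset for this driver: enabling it stores the textconv output, i.e. the plaintext, in git notes inside the repository, which defeats the purpose of committing ciphertext.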

Simon Michael

Oct 10, 2018, 9:21:36 AM
to ledge...@googlegroups.com
Interesting!


Andy L

Oct 10, 2018, 12:31:43 PM
to Ledger
I wrote a script that uses `ecryptfs` to encrypt a directory of plain-text journal files. 


Encrypted files are saved as individual files, such that you can use 'git diff' to see what's changed.  You can either encrypt the filenames or leave them in plain text.  Directory structure is preserved.


Júlio Maranhão

Oct 11, 2018, 1:46:51 AM
to Ledger
On Wednesday, 10 October 2018 13:31:43 UTC-3, Andy L wrote:
> I wrote a script that uses `ecryptfs` to encrypt a directory of plain-text journal files.

Why don't you use the defaults? Like: ecryptfs-{setup,mount,umount}-private

You can choose to (no-)auto (un)mount and the key is your login password (instead see -w option). Super simple. Of course you need to backup the mountkey but only one pass is used anyway. This is a local solution. No multi-remote-partners and key changes/management. Your requirements cover a few different cases.

Why do you need local files to be encrypted?*

* X Y problem.

Andy L

Oct 11, 2018, 6:29:19 AM
to Ledger
Yeah that looks good.  I didn't know about ecryptfs-{setup,mount,umount}-private.

I've got something that works for me, and now I'm out of time to tweak.  If anyone else wants to post example scripts I will watch with interest.
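Since the thread asks for example scripts, here is one added example (not from the thread, and not part of ledger or hledger) for the on-demand decryption Andy described earlier. Piping a single decrypted file into ledger breaks `include` lines because the included files are still ciphertext; this script instead decrypts every `*.gpg` under the journal directory into a private temporary directory with the same relative layout, so `include 2018/oct.journal` resolves exactly as it does in the plaintext tree, runs ledger there, and removes the plaintext afterwards. The decrypt command, the `ledger` binary name, the function names, and the `DECRYPT`/`LEDGER_CMD` environment overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): run ledger over GPG-encrypted journals
# by decrypting the whole tree into a private temp dir, so `include` works.
set -eu

# Assumptions, overridable from the environment: a decryptor that reads one
# file on stdin and writes plaintext to stdout, and the ledger executable.
DECRYPT=${DECRYPT:-'gpg --quiet --batch --decrypt'}
LEDGER_CMD=${LEDGER_CMD:-ledger}

# decrypt_tree SRC DST: every SRC/<path>/<name>.gpg becomes DST/<path>/<name>.
# The directory structure is preserved so relative include paths stay valid.
decrypt_tree() {
  src=$1
  dst=$2
  find "$src" -type f -name '*.gpg' | while IFS= read -r f; do
    rel=${f#"$src"/}
    out="$dst/${rel%.gpg}"
    mkdir -p "$(dirname "$out")"
    # $DECRYPT is deliberately unquoted so its flags split into words;
    # a failing decryption aborts the whole run (set -e) and triggers cleanup.
    $DECRYPT < "$f" > "$out"
  done
}

# run_with_decrypted SRC MAIN [ledger args...]
# MAIN is the main journal's path relative to SRC without the .gpg suffix.
run_with_decrypted() {
  src=$1
  main=$2
  shift 2
  tmp=$(mktemp -d)                      # created with mode 0700 for the caller only
  trap 'rm -rf "$tmp"' EXIT INT TERM    # plaintext is removed even on Ctrl-C or error
  decrypt_tree "$src" "$tmp"
  (cd "$tmp" && "$LEDGER_CMD" -f "$main" "$@")
  rm -rf "$tmp"
}

# Usage: sh this_script.sh run ~/ledger main.journal balance Assets
if [ "${1:-}" = "run" ]; then
  shift
  run_with_decrypted "$@"
fi
```

The plaintext does touch storage for the duration of the command, and `rm -rf` is not a secure erase on flash media. On Linux, exporting `TMPDIR=/dev/shm` before running the script makes `mktemp -d` place the tree on a RAM-backed filesystem, which is the stronger choice when the goal is to keep plaintext journals off disk entirely.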