
Support encryption

Open psamim opened this issue 3 years ago • 9 comments

Hi,

As an enhancement, it would be great if Orgro could support opening encrypted files, or encrypted headings, with the help of OpenKeychain. Just like Emacs and org-mode.

psamim, Mar 02 '21 05:03

It looks like OpenKeychain is Android-only.

As a general principle Orgro is cross-platform and I won't be adding any single-platform features. So I would need to find an equivalent implementation for iOS or, better yet, in Dart.

amake, Mar 02 '21 06:03

I don't know Dart, but this looks like an actively maintained library that does encryption, and here's a gist with a reference implementation.

chrstfer, Apr 28 '21 09:04

I take it that this request is to support the whole-file and per-section use cases described here:

  • https://orgmode.org/worg/org-tutorials/encrypting-files.html
  • https://orgmode.org/manual/Org-Crypt.html

pointycastle looks too low-level. Something more like openpgp or encrypt looks like the right thing.

I would also need to create a GUI for managing private keys.

amake, May 04 '21 08:05

Support for decrypting and reencrypting Org Crypt-style symmetrically encrypted sections will be available for testing in v1.36.0 soon:

amake, Dec 27 '23 14:12

Support for symmetrically encrypted sections is now available on all platforms in v1.36.1.

I'm debating whether it's worthwhile to support asymmetric encryption and full-file encryption.

amake, Jan 04 '24 14:01

I'm leaning toward not bothering with full-file encryption. I started a poll about symmetric vs. asymmetric: https://mastodon.social/@amake/111700198262236731

amake, Jan 04 '24 23:01

From discussion on Mastodon I understood that using OpenKeychain would have important advantages:

  • I don't have to worry about securely storing the private keys because OpenKeychain handles that for me
  • It also apparently supports NFC cards (like YubiKeys?)

Those are nice advantages, but there are some significant issues:

  • OpenKeychain is not under active development and seems essentially abandoned
  • It is not compatible with Android 14 https://github.com/open-keychain/open-keychain/issues/2836
  • Supposedly there are unaddressed vulnerabilities https://github.com/open-keychain/open-keychain/issues/2856
  • It appears that you communicate with OpenKeychain via intents, so I assume any encryption/decryption would have to be done async. Ideally I want to do things synchronously.
  • The lack of an equivalent for iOS is a deal-breaker for Orgro

amake, Jan 08 '24 00:01

iPGMail offers an API for usage similar to OpenKeychain's intents: https://ipgmail.com/developers/

amake, Jan 09 '24 10:01

The OpenKeychain API appears to be this: https://github.com/open-keychain/openpgp-api

amake, Jan 09 '24 10:01