16.16 Org Crypt

Org Crypt encrypts the text of an entry, but not the headline, or properties. Behind the scene, it uses the Emacs EasyPG library to encrypt and decrypt files.

Any text below a headline that has a ‘crypt’ tag is automatically encrypted when the file is saved. To use a different tag, customize the org-crypt-tag-matcher setting.

Here is a suggestion for Org Crypt settings in Emacs init file:

(require 'org-crypt)
(org-crypt-use-before-save-magic)
(setq org-tags-exclude-from-inheritance '("crypt"))

(setq org-crypt-key nil)
;; GPG key to use for encryption
;; Either the Key ID or set to nil to use symmetric encryption.

(setq auto-save-default nil)
;; Auto-saving does not cooperate with org-crypt.el: so you need to
;; turn it off if you plan to use org-crypt.el quite often.  Otherwise,
;; you'll get an (annoying) message each time you start Org.

;; To turn it off only locally, you can insert this:
;;
;; # -*- buffer-auto-save-file-name: nil; -*-

It’s possible to use different keys for different headings by specifying the respective key as property ‘CRYPTKEY’, e.g.:

* Totally secret :crypt:
  :PROPERTIES:
  :CRYPTKEY: 0x0123456789012345678901234567890123456789
  :END:

Excluding the ‘crypt’ tag from inheritance prevents already encrypted text from being encrypted again.