Usage: se [-flags] file[.gpg]
Where: file[.gpg] is the file to edit, .gpg indicates encrypted state
Flags: -c CLOBBER  defines 'clobbering' of files to remove, options are
                   none (unlinking only), or
                   builtin (default, 3 pass overwrite, then unlink), or
                   CMD (external command, e.g. 'srm')
       -e EDITOR   defines the editor to use, default $EDITOR or
                   $VISUAL or vi emacs pico
       -u UID      defines the gpg UID to use, default $SE_UID or first
                   uid in 'gpg --list-secret-keys' output
       -v          increases verbosity
       -b          assumes editor is a background process, se will
                   detach and wait for the editor to finish
If you're interested, se can be downloaded here. Once you have it, run perldoc se for
additional information. If you want to use it, copy se to a
directory in your path, e.g., /usr/local/bin.
For completeness, here is some more information (the "perldoc" output), though a more recent copy of se may have more up-to-date information.
se: SafeEdit, copyright (C) Karel Kubat / karel@kubat.nl. Distributed under GPL3 (Gnu Public License version 3); use for your own pleasure and at your own risk.
se is a fairly simple wrapper around gpg and editors. It is intended to be invoked from the commandline, instead of calling your favorite editor. It supports one argument: a file to edit (and some flags). The actions are basically:
If found, the stated file is decrypted using gpg.
An editor is invoked to edit the file.
Once the editor finishes, the file is encrypted. The plain-text version which exists on the file system (during editing) is 'clobbered' and removed.
se is useful for e.g. storing your account names and passwords in a file, or for storing any other sensitive data.
se supports the following command line:
se [flags] FILE[.gpg]
FILE is the file to edit; optionally, an extension .gpg may be present (this extension is added by gpg when encrypting). se doesn't require the extension; it will check whether the file exists in encrypted or decrypted form anyway.
-b is used to indicate that the editor command is a background process (e.g., nedit, emacs in X mode). se will detach and wait for the editor to finish before encrypting.
-c CLOBBER specifies the method to 'clobber' plain text files. Possible values are:
builtin, the default: 3 passes of overwriting, followed by unlinking;
none, in which case the file is only unlinked;
Any other command, which is then executed. An example is srm, a commonly used tool.
-e EDITOR specifies the editor to use. The default is the program indicated by the environment variable $EDITOR, or $VISUAL. When both environment variables are not present, se tries vi, emacs and pico in that order.
-u UID specifies the gpg UID to use for decrypting and encrypting. When not given, se inspects variable $SE_UID and uses that value. When there is no $SE_UID, se uses the first UID that is returned by the command gpg --list-secret-keys.
-v increases verbosity: se's actions are shown.
In order to use se, you will need gpg and an identity with a secret key. The identity is an e-mail address, e.g. name@domain.org. Consult the gpg documentation for further information. Make sure that your secret key is protected using a pass phrase.
Next, you can basically just run se myfile.txt and put information into myfile.txt. When you're done, a file myfile.txt.gpg will be on the file system, which is the encrypted format of your input. The encryption is done using the identity of your secret key, in this example name@domain.org.
When you start se myfile.txt again, gpg will be invoked to decrypt myfile.txt.gpg before editing. Here you have to enter your pass phrase to unlock your secret key. Again you can edit the file, and again, when done, a new encrypted version will appear.
se can of course be used for non-text files, e.g., Word documents. se doesn't know or care what type a file is, or what an editor actually is. E.g., if you have /opt/cxoffice/bin/winword (MS-Word under Crossover Office), then you can use se to secure Word documents, as in:
se -b -e /opt/cxoffice/bin/winword myfile.doc
which instructs se that 'winword' is a background process. This way, any 'editor' command can be used. Be sure to use the flag -b when the external command detaches after startup (such as e.g. Preview does under MacOSX, or nedit, or emacs in X-windows mode), so that se can wait for the process to finish and then re-encrypt the file.
If your gpg keyset contains more than one secret key, then se might get confused about which key to use (it will always try only the first one). In that case, you must give se a hint:
Either use flag -u name@domain.org in the invocation, or
Add export SE_UID=name@domain.org to your profile (and reload the profile), so that se may inspect this variable during the next invocation.
When se starts, it expects the stated file to be present either in plain text format or in encrypted format (or not at all). However, when the file is present in both formats, e.g. simultaneously file.txt and file.txt.gpg, se will abort with an error message. You then have to choose which file you want to keep, and remove the other.
If you want to know what actions se takes, be sure to use the flag -v for increased verbosity.
The strength of the encryption will rely on two factors: gpg and your pass phrase. se doesn't know how good either is. So far, gpg appears unbreakable, so make sure that you use a good pass phrase.
The built in 'clobber' mechanism, which overwrites plain text files, seems good enough for me. For increased security, get hold of an external tool such as srm.
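As an added example (not se's own Perl code), the shell functions below show the two plain-text handling steps described above: the start-up check that fails when both file.txt and file.txt.gpg exist, and a 3-pass overwrite followed by unlinking. The function names se_state and clobber, and the use of random data for each pass, are assumptions.

```sh
#!/bin/sh
# Added illustration, not se's own code. se_state and clobber are
# hypothetical helper names.

# Print which form of FILE[.gpg] is on disk: new, plain or encrypted.
# Returns 1 when both forms exist, the case in which se aborts.
se_state() {
    base=${1%.gpg}              # accept FILE or FILE.gpg
    enc=$base.gpg
    if [ -e "$base" ] && [ -e "$enc" ]; then
        echo "both $base and $enc exist: keep one, remove the other" >&2
        return 1
    elif [ -e "$enc" ]; then
        echo encrypted          # decrypt with gpg before editing
    elif [ -e "$base" ]; then
        echo plain              # edit, then encrypt and clobber
    else
        echo new                # the editor creates the file
    fi
}

# Overwrite a plain-text file in place 3 times, then unlink it.
# Assumption: each pass writes random data; the page only says "3 pass
# overwrite". In-place overwriting relies on the filesystem reusing the
# same blocks, which copy-on-write filesystems, journals and SSD wear
# levelling do not guarantee.
clobber() {
    f=$1
    # Regular files only; refuse symlinks so the link target is not hit.
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "clobber: $f is not a regular file" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    pass=1
    while [ "$pass" -le 3 ]; do
        # conv=notrunc keeps the existing blocks instead of truncating.
        head -c "$size" /dev/urandom |
            dd of="$f" bs=65536 conv=notrunc 2>/dev/null || return 1
        sync                    # push this pass to disk before the next
        pass=$((pass + 1))
    done
    rm -f -- "$f"
}
```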
se is not a replacement for encrypted file systems; it is intended to be used on a per-file basis. An encrypted home directory or partition will greatly increase the security of your system in case of e.g. hardware theft.
When using the flag -w, make sure that you hit ENTER and let se re-encrypt the processed file.