Here is an email I received from Milan Zamazal: ,---- | I don't know whether you are aware of this, but I consider it a serious | security problem of org-crypt.el in (at least) Emacs 23.2: | | I've found out that when I edit a (decrypted) crypt entry and the edited | file is autosaved, the autosaved file contains the given crypt entry in | plain text. So unless the user has got a special arrangement of storing | autosave files to a secure location where they are also deleted | securely, the secret content may be accessed either in the autosave file | directly, or it may be later retrieved by an off-line attacker from the | deleted file content that remained stored somewhere on the disk. | | This should be fixed or at least a big warning should be placed in | org-crypt.el. `----
I don't have time to look into this. Would someone please see if there is a way to prevent it. Off the top of my head, the only thing I can think of is disabling autosave for any org buffer that uses org-crypt. Hopefully there's an autosave hook where you can encrypt the headings and save to disk using a temporary buffer without having to alter the current buffer and interrupt the user by encrypting a heading that is being edited. -- Peter Jones - pmade inc. 303-219-0226 http://pmade.com