Off The Grid
   Simple listserv
   xml tools
Karel as an adult


Here's another oldie-goldie. se, shorthand for SafeEdit, is a small Perl script that wraps my gpg and editor. It allows me to store sensitive information in files, such as URL's and passwords. But the file isn't in plain text on the disk - it's of course encrypted using gpg. When I want to look up something, I run se again to decrypt the file, edit it, and re-encrypt it. Aaah.. cheers to Unixy systems with their building block approach, which enable us to chain utilities into larger apps.

There are lots of utilities around to store passwords for you. But this one is different. It doesn't know or care what type of file is processed. It doesn't 'force' some format onto you - most basically you just use an editor and a textfile as a notepad. Alternatively, you can instruct se to use a specific program as 'editor'; e.g., OpenOffice Writer, enabling you to handle encrypted wordprocessor documents. You can even instruct se to use an image viewer as the 'editor', so that you can safely handle images of e.g. your passport or drivers license.

Here's se's "usage" information.

Usage: se [-flags] file[.gpg]
Where:  file[.gpg]      is the file to edit, .gpg indicates encrypted state
Flags:  -c CLOBBER      defines 'clobbering' of files to remove, options are
                        none (unlinking only), or
                        builtin (default, 3 pass overwrite, then unlink), or
                        CMD (external command, e.g. 'srm')
        -e EDITOR       defines the editor to use, default $EDITOR or
                        $VISUAL or vi emacs pico
        -u UID          defines the gpg UID to use, default $SE_UID or first
                        uid in 'gpg --list-secret-keys' output
        -v              increases verbosity
        -b              assumes editor is a background process, se will
                        detach and wait for the editor to finish
If you're interested, se can be downloaded here. Once you have it, run perldoc se for additional information. If you want to use it, copy se to a directory in your path, e.g., /usr/local/bin.

For completeness, here's some more information (the "perldoc" output) - though a more recent copy of se may have more up to date information...

se: Safe Editing wrapper

se: SafeEdit, copyright (C) Karel Kubat / Distributed under GPL3 (Gnu Public License version 3); use for your own pleasure and at your own risk.


se is a fairly simple wrapper around gpg and editors. It is intended to be invoked from the commandline, instead of calling your favorite editor. It supports one argument: a file to edit (and some flags). The actions are basically:

se is useful for e.g. storing your account names and passwords in a file, or for storing any other sensitive data.

Command line invocation

se supports the following command line:

 se [flags] FILE[.gpg]

Using se

In order to use se, you will need gpg and an identity with a secret key. The identity is an e-mail address, e.g. Consult the gpg documentation for further information. Make sure that your secret key is protected using a pass phrase.

Next, you can basically just run se myfile.txt and put information into myfile.txt. When you're done, a file myfile.txt.gpg will be on the file system, which is the encrypted format of your input. The encryption is done using the identity of your secret key, in this example

When you start se myfile.txt again, gpg will be invoked to decrypt myfile.txt.gpg before editing. Here you have to enter your pass phrase to unlock your secret key. Again you can edit the file, and again, when done, a new encrypted version will appear.

se can of course be used for non-text files, e.g., Word documents. se doesn't know or care what type a file is, or what an editor actually is. E.g., if you have /opt/cxoffice/bin/winword (MS-Word under Crossover Office), then you can use se to secure Word documents, as in:

 se -b /opt/cxoffice/bin/winword myfile.doc

which instructs se that 'winword' is a background process. This way, any 'editor' command can be used. Be sure to use the flag -b when the external command detaches after startup (such as e.g. Preview does under MacOSX, or nedit, or emacs in X-windows mode), so that se can wait for the process to finish and then re-encrypt the file.


If your gpg keyset contains more than one secret keys, then se might get confused which key to use (it will always try only the first one). In that case, you must give se a hint:

When se starts, then it expects the stated file to be present in either plain text format, or in encrypted format (or not at all). However, when the file is present in both formats, e.g. simultaneously file.txt and file.txt.gpg, then se will abort with an error message. You then have to choose which file you want to keep, and remove the other.

If you want to know what actions se takes, be sure to use the flag -v for increased verbosity.

Security-related Remarks

The strength of the encryption will rely on two factors: gpg and your pass phrase. se doesn't know how good either are. So far, gpg appears unbreakable, so make sure that you use a good pass phrase.

The built in 'clobber' mechanism, which overwrites plain text files, seems good enough for me. For increased security, get hold of an external tool such as srm.

se is not a replacement for encrypted file systems; it is intended to be used on a per-file basis. An encrypted home directory or partition will greatly increase the security of your system incase of e.g. hardware theft.

When using the flag -w, make sure that you hit ENTER and let se re-encrypt the processed file.