Encrypt a single file and read/edit on-the-fly

I have a single text file I want to encrypt.
I can easily do so with any common software. But then, I want to be able to click on it, provide a password, and be able to read, edit, and close it. All from the GUI, which should be KDE-compatible, and possibly the editor should be Kate. Ideally, this should be available in a single KRunner call.
Alternative CLI approach are OK but should be contained in a single command/function/alias.

A possibility could be to create an encrypted folder. Then mount the folder only at access-time and unmount immediately after the closure of the text editor, all in a single CLI command. It looks a bit hackish to me tho, and I’d prefer to do the call from KRunner only.

To summarize, following the ArchWiki a bit:

  • I want to protect a single file in case my PC gets stolen. Of course professional data miners will get to it eventually, I accept that.
  • The file should be accessible (read/write access) with a passphrase on-the-fly (on-demand)
  • GUI methods are preferred but CLI methods are OK too, as long as they can be called with a .desktop file (to be accessed via KRunner)
  • I don’t have a preferred encryption method, as long as it’s decently fast, secure and open-source.
  • Structure and filenames of the encrypted folder (if this is the only way) can be transparent, as long as the content is inaccessible.
  • Any encryption method is accepted, as long as it does not take minutes to verify a key, for example
Asked By: AF7


For just one file at a time, or the very occasional file, I think a whole encrypted drive or home with EncFS/eCryptFS/dm-crypt/LUKS would be overkill (but would work excellent in case of theft).

A solution using a bash function to decrypt, edit, re-encrypt sounds more like what you’re looking for. Using gpg since it’s installed by default on almost every linux I’ve seen, and has been around for decades & should be for decades more so looks suitable for long term archives. Something like this could be put into a .bashrc file & used in a terminal, or incorporated into a file manager’s “right-click” menu should work too (I’m not familiar enough with KDE to do that, but if you are it shouldn’t be terribly difficult).

These quick little functions will take the first argument $1 as a filename to decrypt to /tmp/gpg-edit.out (can use a tmpfs/ramdisk for better security), edit with gedit (or your favourite editor), and re-encrypt the file when you’re done editing. They use a “passphrase-file” where only the first line is read & used as a passphrase, so it should be kept somewhere secure (tmpfs/ramdisk perhaps) but you could omit that & gpg would ask you for the passphrase each time.

edit-gpg() {
gpg -v --no-use-agent --passphrase-file=/path/to/keyfile --output "/tmp/gpg-edit.out" "$1" &&
gedit "/tmp/gpg-edit.out" &&
gpg -v --no-use-agent --cipher-algo AES256 --passphrase-file=/path/to/keyfile --output "$1" -c "/tmp/gpg-edit.out" &&
rm "/tmp/gpg-edit.out"

Future To-Do’s would include a check if the “/tmp/gpg-edit.out” file already exists (now gpg will ask to overwrite if it does).
Or use a random output file so you could edit multiple files at once. For now, it’s one at a time.
Omitting --no-use-agent should have it use gpg’s GUI passphrase entry box, but the last time I left out the option it would always use the GUI box and ignore the --passphrase-file option.

Another short function can initially encrypt a file with the same passphrase-file:

crypt-gpg() { 
gpg -v --no-use-agent --cipher-algo AES256 --passphrase-file=/path/to/keyfile -c "$1" &&
rm "$1"
Answered By: Xen2050

Emacs lets you edit files ending in .gpg transparently.

1) $ emacs yourfile.txt.gpg

2) Edit your file.

3) C-x C-s to save, click [OK] or C-c C-c to select symmetric encryption. Then enter and confirm your password.

4) C-x C-c to close Emacs.

The file is now encrypted. To edit it again, follow the same process as above.

Answered By: nanny
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.