How to encrypt different headings to different keys

Question

I'd like to encrypt different headings in my org file to different keys, e.g.,

* Heading 1
* Heading 2

where Heading 1 should be encrypted to me1@example.com and Heading 2 should be encrypted to me2@example.com, using gpg.

How can I do this?

Answer 1

To encrypt or decrypt the contents under headings using different keys you will need to set the CRYPTKEY property value to the uid of the desired key as listed in your key-ring.

1. Setup gpg key-ring as needed.

   For this example, let's imagine that both the public and secret keys are already setup in your key-ring.

   $ gpg --list-public-keys
   
   /home/melioratus/.gnupg/pubring.gpg
   --------------------------------
   pub   2048R/4F37FF8D 2018-11-17
   uid                  Me1 Example (Me1) <me1@example.com>
   sub   2048R/57F6928B 2018-11-17
   
   pub   2048R/9774ACC3 2018-11-17
   uid                  Me2 Example (Me2) <me2@example.com>
   sub   2048R/F5A8A9BA 2018-11-17
   
   $ gpg --list-secret-keys
   
   /home/melioratus/.gnupg/secring.gpg
   --------------------------------
   sec   2048R/4F37FF8D 2018-11-17
   uid                  Me1 Example (Me1) <me1@example.com>
   ssb   2048R/57F6928B 2018-11-17
   
   sec   2048R/9774ACC3 2018-11-17
   uid                  Me2 Example (Me2) <me2@example.com>
   ssb   2048R/F5A8A9BA 2018-11-17
   

2. Add the CRYPTKEY property under each heading with value equal to the uid of the desired key as listed in your key-ring. Also add the crypt tag to the heading.

   * Heading 1                                                           :crypt:
   :PROPERTIES:
   :CRYPTKEY: Me1 Example (Me1) <me1@example.com>
   :END:
   Heading 1 should be encrypted using the =me1@example.com= key.
   * Heading 2                                                           :crypt:
   :PROPERTIES:
   :CRYPTKEY: Me2 Example (Me2) <me2@example.com>
   :END:
   Heading 2 should be encrypted using the =me2@example.com= key.
   

3. Encrypt all the headings tagged with crypt using M-x org-encrypt-entries.

   After encryption, you should the outline should resemble the example below:

   * Heading 1                                                           :crypt:
   :PROPERTIES:
   :CRYPTKEY: Me1 Example (Me1) <me1@example.com>
   :END:
   -----BEGIN PGP MESSAGE-----
   
   hQEMA9teruFX9pKLAQf9FTEluginoTmDMkhufiZGziTCOeTbO0mGo3uVmLR8eUtf
   tmJEy3lbWJ7YHGoR/iIo/KqvglClZw9c0ZiPw3WWgMkei8gj+5g1Tcil7X+HnZYN
   XmG8Pmz5dkRidxlsUogNULnN7DbqA72Eyfuvd9gqwEqE9rtFGVB3VHtHBUHUAawO
   031DD7ou87oTPMPjQ7Z9BO14VrR2aSgbdqNttX1+zYTGpipRQ8F3ZewW1obvHEeD
   /gG+jMxYycs4SMnIPcXTPpc5r/RXb1fL4mmrbgPFkctuVBBTve7/gZsDsVqlchia
   /kQp/YQhTMKfk71naYEyHRDbCkzh+M+LJfaIMxcd7NJ5AR0U83qAsK6b6+1pDjGy
   sXukle3PeAMjBuzuF92j51RdseATNeixmL+qHeFr2btau0Wd5OGsa/4FG2GzRo9i
   VO8akmuDjfnCnP/EqefyawJPh9N/E32Bp+nz8T8iG7jRN5aGLrYJx5JWdaaQ6ScW
   PJ8o3b5AxNJyjQ==
   =NGp+
   -----END PGP MESSAGE-----
   * Heading 2                                                           :crypt:
   :PROPERTIES:
   :CRYPTKEY: Me2 Example (Me2) <me2@example.com>
   :END:
   -----BEGIN PGP MESSAGE-----
   
   hQEMA5w/LLn1qKm6AQf8DxC5CpGu/lWqQMWnKoA1XCH+PXAmJtaQCFUqQlecu7ZU
   UTPL1fb2i9uFkf3SW+eoewQ7NImp5tQqnTunoF2QA6yoc38BrodtGYPJQAIPBDUj
   nxHdGr+q1HuSn27jvs+fWHNSHWbp5ANvl4roDCm7nFAk0sf6SKOwgCAvHrQfqeq2
   5cHJIy6FlllpvWYhfWpjRwrrzRgEc8tVNQWL7RDPsKnP8DBXsIsODhjeBYYLkAHI
   iMnq1IkLTgS4LO5lwIsGcaz7VhBjlr27NhtISRyno3nvL+TsdXS7tnK4a+jE2wX/
   WeDNV3OlBz+t5BoSElfdh+S3dzyTUJpK9azMKPZxndJ5ATsmwSehDRduWG9xENDG
   G1PU8E8ye/vO3E2d3SnM0EtqmzRyQQCZXLaUjEyyRnWI5rakM+bY9MItfy055D34
   Nq0R3RFAVCay9TM3fK+hzM7fLWzApJUTVo42ezkA2pVM5qHh7GHLXnD/3ieI9Cop
   OXlZFJJbF7KHKA==
   =G7/l
   -----END PGP MESSAGE-----
   

4. To decrypt all the headings tagged with crypt use M-x org-decrypt-entries.

Thanks for asking a great question!

---

This answer was tested using:
emacs version: GNU Emacs 25.2.1 (x86_64-unknown-cygwin, GTK+ Version 3.22.10)
org-mode version: 9.1.2
gpg version: gpg (GnuPG) 1.4.21