by qbasic_forever 1823 days ago
Why not keep the notes in a VeraCrypt/TrueCrypt drive/partition? You can sidestep all the gpg complexity, and you get a little better protection since note filenames won't even be visible (and if you're really paranoid you can entirely obfuscate and hide the encrypted drive in unused partition space).

Or just tick on the full disk encryption option in your OS (assuming it's a modern one like Win 10, recent Ubuntu, etc.). It's just as good at keeping your data protected at rest as any other encryption option you can run in userspace, and there's less chance of some file operation snafu accidentally unencrypting or leaking your data.

2 comments

> Why not keep the notes in a VeraCrypt/TrueCrypt drive/partition?

Because in this case you have to back up the whole encrypted disk, instead of syncing a couple of encrypted files. Also, setting up gpg in Emacs is a very easy task. I am using selective encryption of orgmode entries with a specific tag; this case is covered in the documentation.

That is often good, but it does leave mounted volumes accessible to other programs, where GPG files can be decrypted only inside EMACS. Whether this matters depends on your threat model.
If you can’t trust the applications running on your system, then I’d say it’s game over.

If you need to worry about that kind of thing then you need some kind of workload isolation. One way to solve that is Qubes OS.

Here are some other FOSS alternatives: https://fly.io/blog/sandboxing-and-workload-isolation/

> GPG files can be decrypted only inside EMACS

To get this you have to sacrifice the convenience of using gpg-agent, though, right? Otherwise any other program that can open your gpg agent socket can use your gpg keys.