encrypted password vault with Vim + openssl

In a post last year, DIY Encrypted Password Vault, I showed a simple way to use OpenSSL to create encrypted text files. Since I’d need to de-crypt those files to edit them (usually with Vim) there would be an unencrypted temp file sitting around while I was editing. And using a filesystem with history meant they were around for a long time. BAD. Surely there is a better way…

Can we encrypt directly with Vim? Actually, yes…Vim has encryption built in (via the -x flag)…it works and it’s simple. Problem is that it uses ‘crypt’, which is not terribly hard to break. Also, it leaves a cleartext .tmp file around while you’re editing it. Which means it’s worthless to me for a password safe.

Enter the VIM openssl plugin. This plugin will allow you to write files with particular extensions corresponding to the type of encryption you desire (ex: ..des3 .aes .bf .bfa .idea .cast .rc2 .rc4 .rc5) and it turns off the swap file and .viminfo log, leaving no tmp files around. Excellent!  Here’s typical usage:

Edit a new file with the .bfa extension:

$ vi test.bfa

Add your secrets and save it out. It will prompt you for a password (twice) to encrypt against.

blah blah blah : secrets of the world
~
~
~
~
:wq
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:

You can look at the data in the file to see the encrypted content:

$ cat test.bfa
U2FsdGVkX1+TPJBn3hsJ6nzsXzDvTXOxdDk1PkWkTDFG45HIvMnZbBNIrnJubPCY
EexmfIJpZqo=

To re-open a previously encrypted file, just open it with vi. The plugin automatically recognizes the extension and prompts for your password:

"test.bfa" 2L, 78C

enter bf-cbc decryption password:

Pretty slick! You’ll need the openssl binary in your path for this to work, which is pretty standard these days. Here is a little script that I run to set this up on my various home directories:

#! /bin/sh

test -d ~/.vim || mkdir ~/.vim/
test -d ~/.vim/plugin || mkdir ~/.vim/plugin
curl "http://www.vim.org/scripts/download_script.php?src_id=8564" > ~/.vim/plugin/openssl.vim

Edit: 2010+ versions of Vim have blowfish support. Excellent, forward progress! I'm probably not going to upgrade Vim on my Mac and all my servers just for this when a plugin can work. Good to see progress but for now, this makes the most sense for me.

8 thoughts on “encrypted password vault with Vim + openssl”

  1. I like the “gnupg” vim plugin for this. Allows us to encrypt the file with the public keys of each of our sysadmins. Works quite well.

    1. Interesting. I did a little digging on that…that is probably superior, or at least an alternate scenario. Looks like I’ll need to write a follow up post. Thanks!

  2. What about vim’s swap files ? Does a copy of the unencrypted may be written to disk due to temp files or whatever ?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>