encrypted password vault with Vim + openssl

In a post last year, DIY Encrypted Password Vault, I showed a simple way to use OpenSSL to create encrypted text files. Since I’d need to decrypt those files to edit them (usually with Vim), there would be an unencrypted temp file sitting around while I was editing. And using a filesystem with history meant they were around for a long time. BAD. Surely there is a better way…

Can we encrypt directly with Vim? Actually, yes…Vim has encryption built in (via the -x flag)…it works and it’s simple. Problem is that it uses ‘crypt’, which is not terribly hard to break. Also, it leaves a cleartext .tmp file around while you’re editing it. Which means it’s worthless to me for a password safe.

Enter the Vim openssl plugin. This plugin lets you write files with particular extensions corresponding to the type of encryption you desire (ex: .des3 .aes .bf .bfa .idea .cast .rc2 .rc4 .rc5), and it turns off the swap file and .viminfo log, leaving no tmp files around. Excellent! Here’s typical usage:

Edit a new file with the .bfa extension:

$ vi test.bfa

Add your secrets and save it out. It will prompt you for a password (twice) to encrypt against.

blah blah blah : secrets of the world
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:

You can look at the data in the file to see the encrypted content:

$ cat test.bfa

To re-open a previously encrypted file, just open it with vi. The plugin automatically recognizes the extension and prompts for your password:

"test.bfa" 2L, 78C

enter bf-cbc decryption password:

Pretty slick! You’ll need the openssl binary in your path for this to work, which is pretty standard these days. Here is a little script that I run to set this up on my various home directories:

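#!/bin/sh

# Create ~/.vim/plugin (and ~/.vim) if they do not exist yet.
mkdir -p ~/.vim/plugin
# Download the openssl.vim plugin. -f makes curl fail on an HTTP error
# instead of saving the error page as the plugin; -L follows redirects.
curl -fL "http://www.vim.org/scripts/download_script.php?src_id=8564" -o ~/.vim/plugin/openssl.vim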

Edit: 2010+ versions of Vim have blowfish support. Excellent, forward progress! I’m probably not going to upgrade Vim on my Mac and all my servers just for this when a plugin can work. Good to see progress but for now, this makes the most sense for me.
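
To check the two properties claimed above (the saved file really is ciphertext, and no swap or backup copy sits beside it), here is an added example that is not part of the original post or the plugin. It assumes OpenSSL's salted output header (`Salted__`, or `U2FsdGVkX1` when base64-encoded) and Vim's default swap, backup and undo file names; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a vault file saved through the openssl plugin.

# looks_encrypted FILE: succeed if FILE begins with the header that
# "openssl enc" writes for salted output, raw or base64-encoded.
looks_encrypted() {
    # Keep only header-safe characters so binary salt bytes cannot confuse the match.
    hdr=$(head -c 10 "$1" 2>/dev/null | LC_ALL=C tr -cd 'A-Za-z0-9_')
    case $hdr in
        Salted__*|U2FsdGVkX1*) return 0 ;;
        *) return 1 ;;
    esac
}

# leftovers FILE: print any Vim swap (.name.sw?), backup (name~) or
# undo (.name.un~) files sitting next to FILE. Always returns 0.
leftovers() {
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    for f in "$dir/.$base".sw? "$dir/$base~" "$dir/.$base.un~"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# audit_vault FILE: return 0 only if FILE looks encrypted and no
# editor leftovers exist beside it; warnings go to stderr.
audit_vault() {
    rc=0
    if ! looks_encrypted "$1"; then
        echo "WARN: $1 has no openssl salted header (cleartext?)" >&2
        rc=1
    fi
    found=$(leftovers "$1")
    if [ -n "$found" ]; then
        echo "WARN: possible cleartext copies beside $1:" >&2
        printf '%s\n' "$found" >&2
        rc=1
    fi
    return $rc
}
```

Source the file and run `audit_vault test.bfa` after closing Vim; a non-zero exit status means the file or its directory needs a closer look.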

8 Comments on encrypted password vault with Vim + openssl

  1. Ben
    2011/02/22 at 1:40 PM

    I like the “gnupg” vim plugin for this. Allows us to encrypt the file with the public keys of each of our sysadmins. Works quite well.

    • nathan
      2011/02/22 at 1:52 PM

      Interesting. I did a little digging on that…that is probably superior, or at least an alternate scenario. Looks like I’ll need to write a follow up post. Thanks!

  2. Allan Wind
    2011/02/26 at 10:13 PM

    vim 7.3 has support for blowfish which is a strong encryption algorithm (set cryptmethod=blowfish).

  3. PiX
    2011/05/04 at 3:41 PM

    What about vim’s swap files? Could a copy of the unencrypted content be written to disk due to temp files or whatever?

    • nathan
      2011/05/23 at 12:55 AM

      Using the openssl plugin that I linked to, temp file creation is turned off.

