(Uploaded by JohnBot from a locally edited file) |
JohnBeckett (talk | contribs) (Improve.) |
||
| (21 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
| − | {{review}} |
||
{{TipImported |
{{TipImported |
||
|id=90 |
|id=90 |
||
|previous=89 |
|previous=89 |
||
|next=91 |
|next=91 |
||
| − | |created= |
+ | |created=2001 |
|complexity=intermediate |
|complexity=intermediate |
||
|author=Erhan |
|author=Erhan |
||
| − | |version= |
+ | |version=6.0 |
|rating=142/68 |
|rating=142/68 |
||
| + | |category1= |
||
| + | |category2= |
||
}} |
}} |
||
| − | + | Vim can encrypt your documents. <code>:X</code> prompts for an encryption key, which is stored in the <code>key</code> option. The file will remain unchanged until you write it. |
|
| + | When you reopen the file, Vim will ask for the key; if you enter the wrong key, Vim will "decrypt" it to gibberish content. DO NOT SAVE such a gibberish buffer, or your data will be corrupted. While editing, the text in the swap file, undo file, and backup files are also encrypted; the text in memory is not encrypted. The viminfo file is also not encrypted, and thus should not be used: |
||
| − | After writing your key, if you save your document it will be encrypted and no one else (but you and vim) can read your documents. |
||
| + | <pre> |
||
| ⚫ | |||
| + | </pre> |
||
| − | If you |
+ | If you want to disable encryption, just empty the <code>key</code> option: |
| + | <pre> |
||
| + | :set key= |
||
| + | </pre> |
||
| + | The difference between <code>:X</code> and <code>:set key=something</code> is that <code>:X</code> displays asterisks as you type, so that no one can peek at your encryption key. Also, <code>:set</code> commands may end up in your viminfo file. |
||
| − | If you want to disable encryption, just type |
||
| + | From version 7.3, Vim supports Blowfish encryption as well as the default pkzip-compatible method. Starting at 7.4.399, a new blowfish method is available to [https://groups.google.com/d/msg/vim_dev/D8FyRd0EwlE/bkBOo-hzTzoJ fix security problems] in the original. Use one of the following to query or set the encryption method before writing the file: |
||
| ⚫ | |||
| + | <pre> |
||
| + | :setlocal cm? " show encryption method for the current file |
||
| + | :setlocal cm=zip " weak (default for backwards-compatibility) |
||
| + | :setlocal cm=blowfish " better |
||
| + | :setlocal cm=blowfish2 " best (requires Vim version 7.4.399 or higher) |
||
| + | </pre> |
||
| + | <code>cm</code> is an abbreviation for <code>cryptmethod</code>. Pkzip is a weak encryption method, but is compatible with Vim 7.2 and older; Blowfish is strong, especially using the fixed "blowfish2" method. {{help|encryption}} includes: |
||
| − | If you forget your key you will lose your document. So please DO NOT forget your key, |
||
| + | <blockquote>The algorithm used is breakable. A 4 character key in about one hour, a 6 character key in one day (on a Pentium 133 PC). This requires that you know some text that must appear in the file. An expert can break it for any key. When the text has been decrypted, this also means that the key can be revealed, and other files encrypted with the same key can be decrypted.</blockquote> |
||
| ⚫ | |||
| − | Carefull! |
||
| + | The blowfish method provides strong confidentiality, but no message integrity guarantees. It is known to be vulnerable to undetected modification if someone has write access to your files. If this is a concern, you should encrypt your file using an external program that supports cryptographically secure modification detection or integrity checks, like PGP or GPG. When using an external program, be certain to turn off options like persistent undo ({{help|'undofile'}}), backup files ({{help|'backup'}}), swap files ({{help|'swapfile'}}), and saving certain information like register contents to the .viminfo file ({{help|'viminfo'}}), to prevent that the entire file or parts of the file are available on your disk unencrypted. When using Vim's built-in encryption, Vim will encrypt supporting files as discussed above. Using external methods, Vim will not know to encrypt these files. |
||
| − | Vim asks only '''once''' for the password -- if you happen to misstype it -- then good luck finding out what you misstyped. |
||
| − | Was that fixed in newer releases? |
||
| + | Some older Vim versions (older than 7.1, at least) ask only '''once''' for the password -- if you happen to mistype it, then you might write a file which you cannot decrypt. Recent versions of Vim prompt twice for the password on encryption. However, if you use the wrong password on decryption, and then SAVE the gibberish file which results, Vim will still write the file, corrupting your data; so be careful! |
||
| − | ---- |
||
| ⚫ | |||
| − | |||
| − | pgp -fe userid |
||
| − | |||
| − | instead. |
||
| + | ==Solutions with external programs== |
||
| + | ===PGP=== |
||
| ⚫ | |||
<pre> |
<pre> |
||
augroup PGP |
augroup PGP |
||
| − | + | au! |
|
| − | + | au BufReadPost *.pgp :%!pgp -f |
|
| − | + | au BufWritePre *.pgp :%!pgp -fc |
|
| − | + | au BufWritePost *.pgp u |
|
augroup END |
augroup END |
||
</pre> |
</pre> |
||
| + | ===GPG=== |
||
| − | ---- |
||
| ⚫ | |||
| − | Be aware that Vim's encryption system is not very strong. From the help files for Vim 6.0-ar: |
||
| ⚫ | |||
| − | |||
| ⚫ | |||
| − | The algorithm used is breakable. A 4 character key in about one hour, a 6 |
||
| ⚫ | |||
| − | character key in one day (on a Pentium 133 PC). This requires that you know |
||
| − | some text that must appear in the file. An expert can break it for any key. |
||
| − | When the text has been decrypted, this also means that the key can be |
||
| − | revealed, and other files encrypted with the same key can be decrypted. |
||
| − | |||
| − | Probably will keep your files safe from most hackers, but look elsewhere (see prev. post on external programs) if your information is extremely valuable. |
||
| − | |||
| − | ---- |
||
| − | the password is asked twice in 6.0 release |
||
| − | so it becomes a little less dangerous |
||
| − | |||
| − | ---- |
||
| − | I read somewhere that .swp files ARE NOT encrypted .... Is this true ? |
||
| − | |||
| − | ---- |
||
| − | Encrypt your document with an empty password to remove the encryption. |
||
| − | |||
| − | ---- |
||
| − | Here's one i found via google. It seems to work well for me. |
||
| + | With that said, here is the code. |
||
<pre> |
<pre> |
||
" Transparent editing of gpg encrypted files. |
" Transparent editing of gpg encrypted files. |
||
" By Wouter Hanegraaff |
" By Wouter Hanegraaff |
||
augroup encrypted |
augroup encrypted |
||
| − | + | au! |
|
| − | + | " First make sure nothing is written to ~/.viminfo while editing |
|
| − | + | " an encrypted file. |
|
| − | + | autocmd BufReadPre,FileReadPre *.gpg set viminfo= |
|
| − | + | " We don't want a various options which write unencrypted data to disk |
|
| − | + | autocmd BufReadPre,FileReadPre *.gpg set noswapfile noundofile nobackup |
|
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| + | " (If you use tcsh, you may need to alter this line.) |
||
| ⚫ | |||
| − | + | autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg --decrypt 2> /dev/null |
|
| + | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| + | |||
| ⚫ | |||
| + | " (If you use tcsh, you may need to alter this line.) |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| + | autocmd BufWritePost,FileWritePost *.gpg u |
||
augroup END |
augroup END |
||
</pre> |
</pre> |
||
| − | + | If you use tcsh as your shell, the <code>2>/dev/null</code> will make your shell sad. Create a <code>gpg.sh</code> script which will do the <code>stderr</code> redirection: |
|
| − | |||
<pre> |
<pre> |
||
| − | ---------------- |
||
#!/bin/sh |
#!/bin/sh |
||
| − | gpg "$@" 2 |
+ | gpg "$@" 2>> .gpg.err |
| − | ---------------- |
||
</pre> |
</pre> |
||
| − | And then change the two lines of the lines in the .vimrc snippet from above that actually do the GPG encryption/decryption to: |
+ | And then change the two lines of the lines in the <code>.vimrc</code> snippet from above that actually do the GPG encryption/decryption to: |
| + | <pre> |
||
| ⚫ | |||
| ⚫ | |||
| + | </pre> |
||
| + | ==ccrypt== |
||
| − | autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg.sh --decrypt |
||
| ⚫ | |||
| ⚫ | |||
| − | |||
| − | And everything works great. |
||
| − | |||
| − | ---- |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| − | |||
| ⚫ | |||
| − | |||
| − | ---- |
||
| ⚫ | |||
| ⚫ | |||
<pre> |
<pre> |
||
augroup CPT |
augroup CPT |
||
| − | + | au! |
|
| − | + | au BufReadPre *.cpt set bin |
|
| − | + | au BufReadPre *.cpt set viminfo= |
|
| − | + | au BufReadPre *.cpt set noswapfile |
|
| − | + | au BufReadPost *.cpt let $vimpass = inputsecret("Password: ") |
|
| − | + | au BufReadPost *.cpt silent '[,']!ccrypt -cb -E vimpass |
|
| − | + | au BufReadPost *.cpt set nobin |
|
| − | + | au BufWritePre *.cpt set bin |
|
| − | + | au BufWritePre *.cpt '[,']!ccrypt -e -E vimpass |
|
| − | + | au BufWritePost *.cpt u |
|
| − | + | au BufWritePost *.cpt set nobin |
|
augroup END |
augroup END |
||
</pre> |
</pre> |
||
| + | To create an empty <code>.cpt</code> file, do this: |
||
| − | ---- |
||
| + | <pre> |
||
| − | Couple of tips if using the ccrypt script. |
||
| + | C:\> touch test |
||
| + | C:\> ccrypt -e test |
||
| + | </pre> |
||
| + | That will create the empty file <code>test.cpt</code>, which you can then open in Vim. |
||
| ⚫ | |||
| ⚫ | |||
| − | I don't know if this one is only for windows, but what I did was to 'touch test' followed by 'ccrypt -e test' and that created the file test.cpt. I was then able to open it in Vim and have it working correctly. |
||
| − | |||
| − | ---- |
||
Revision as of 05:02, 28 October 2014
created 2001 · complexity intermediate · author Erhan · version 6.0
Vim can encrypt your documents. :X prompts for an encryption key, which is stored in the key option. The file will remain unchanged until you write it.
When you reopen the file, Vim will ask for the key; if you enter the wrong key, Vim will "decrypt" it to gibberish content. DO NOT SAVE such a gibberish buffer, or your data will be corrupted. While editing, the text in the swap file, undo file, and backup files are also encrypted; the text in memory is not encrypted. The viminfo file is also not encrypted, and thus should not be used:
:set viminfo=
If you want to disable encryption, just empty the key option:
:set key=
The difference between :X and :set key=something is that :X displays asterisks as you type, so that no one can peek at your encryption key. Also, :set commands may end up in your viminfo file.
From version 7.3, Vim supports Blowfish encryption as well as the default pkzip-compatible method. Starting at 7.4.399, a new blowfish method is available to fix security problems in the original. Use one of the following to query or set the encryption method before writing the file:
:setlocal cm? " show encryption method for the current file :setlocal cm=zip " weak (default for backwards-compatibility) :setlocal cm=blowfish " better :setlocal cm=blowfish2 " best (requires Vim version 7.4.399 or higher)
cm is an abbreviation for cryptmethod. Pkzip is a weak encryption method, but is compatible with Vim 7.2 and older; Blowfish is strong, especially using the fixed "blowfish2" method. :help encryption includes:
The algorithm used is breakable. A 4 character key in about one hour, a 6 character key in one day (on a Pentium 133 PC). This requires that you know some text that must appear in the file. An expert can break it for any key. When the text has been decrypted, this also means that the key can be revealed, and other files encrypted with the same key can be decrypted.
The blowfish method provides strong confidentiality, but no message integrity guarantees. It is known to be vulnerable to undetected modification if someone has write access to your files. If this is a concern, you should encrypt your file using an external program that supports cryptographically secure modification detection or integrity checks, like PGP or GPG. When using an external program, be certain to turn off options like persistent undo (:help 'undofile'), backup files (:help 'backup'), swap files (:help 'swapfile'), and saving certain information like register contents to the .viminfo file (:help 'viminfo'), to prevent that the entire file or parts of the file are available on your disk unencrypted. When using Vim's built-in encryption, Vim will encrypt supporting files as discussed above. Using external methods, Vim will not know to encrypt these files.
Some older Vim versions (older than 7.1, at least) ask only once for the password -- if you happen to mistype it, then you might write a file which you cannot decrypt. Recent versions of Vim prompt twice for the password on encryption. However, if you use the wrong password on decryption, and then SAVE the gibberish file which results, Vim will still write the file, corrupting your data; so be careful!
Solutions with external programs
PGP
Here are some autocommands tested with pgp version 2.6.2. The pgp call for writing uses PGP's "conventional" cryptography; to use its public key cryptography, use pgp -fe userid instead.
augroup PGP au! au BufReadPost *.pgp :%!pgp -f au BufWritePre *.pgp :%!pgp -fc au BufWritePost *.pgp u augroup END
GPG
Here is a set of autocommands that allows you to work on GPG-encrypted files as though they were ordinary text files. Be aware that Vim uses temporary files (rather than pipes) when filtering data through external programs, so the fully decrypted file will be written to disk twice:
- Once when reading from
gpg --decrypt, - once when writing to
gpg --encrypt, - and perhaps another time if your OS has unencrypted swap files.
With that said, here is the code.
" Transparent editing of gpg encrypted files.
" By Wouter Hanegraaff
augroup encrypted
au!
" First make sure nothing is written to ~/.viminfo while editing
" an encrypted file.
autocmd BufReadPre,FileReadPre *.gpg set viminfo=
" We don't want a various options which write unencrypted data to disk
autocmd BufReadPre,FileReadPre *.gpg set noswapfile noundofile nobackup
" Switch to binary mode to read the encrypted file
autocmd BufReadPre,FileReadPre *.gpg set bin
autocmd BufReadPre,FileReadPre *.gpg let ch_save = &ch|set ch=2
" (If you use tcsh, you may need to alter this line.)
autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg --decrypt 2> /dev/null
" Switch to normal mode for editing
autocmd BufReadPost,FileReadPost *.gpg set nobin
autocmd BufReadPost,FileReadPost *.gpg let &ch = ch_save|unlet ch_save
autocmd BufReadPost,FileReadPost *.gpg execute ":doautocmd BufReadPost " . expand("%:r")
" Convert all text to encrypted text before writing
" (If you use tcsh, you may need to alter this line.)
autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg --default-recipient-self -ae 2>/dev/null
" Undo the encryption so we are back in the normal text, directly
" after the file has been written.
autocmd BufWritePost,FileWritePost *.gpg u
augroup END
If you use tcsh as your shell, the 2>/dev/null will make your shell sad. Create a gpg.sh script which will do the stderr redirection:
#!/bin/sh gpg "$@" 2>> .gpg.err
And then change the two lines of the lines in the .vimrc snippet from above that actually do the GPG encryption/decryption to:
autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg.sh --decrypt autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg.sh --default-recipient-self -ae
ccrypt
Here is a working autocmd set for ccrypt: note that it uses the environment variable, which can be dangerous on older multi-user systems (see man ccrypt).
On Windows you must change the $vimpass variable to $VIMPASS, since for some reason Windows doesn't like lowercase environment variables.
augroup CPT
au!
au BufReadPre *.cpt set bin
au BufReadPre *.cpt set viminfo=
au BufReadPre *.cpt set noswapfile
au BufReadPost *.cpt let $vimpass = inputsecret("Password: ")
au BufReadPost *.cpt silent '[,']!ccrypt -cb -E vimpass
au BufReadPost *.cpt set nobin
au BufWritePre *.cpt set bin
au BufWritePre *.cpt '[,']!ccrypt -e -E vimpass
au BufWritePost *.cpt u
au BufWritePost *.cpt set nobin
augroup END
To create an empty .cpt file, do this:
C:\> touch test C:\> ccrypt -e test
That will create the empty file test.cpt, which you can then open in Vim.