created 2001 · complexity intermediate · author Erhan · version 6.0
Vim can encrypt your documents.
:X prompts for an encryption key, which is stored in the key option. The file will remain unchanged until you write it.
When you reopen the file, Vim will ask for the key; if you enter the wrong key, Vim will simply open the file as-is, which will look like gibberish. The text in the swap file and the undo file is also encrypted; the text in memory is not encrypted. The viminfo file is not encrypted, and should not be used:
If you want to disable encryption, just empty the
The difference between :X and :set key=something is that :X displays asterisks as you type, so that no one can peek at your encryption key. Also, :set commands may end up in your viminfo file.
From version 7.3, Vim supports Blowfish encryption as well as a pkzip-compatible method. To choose which one to use, type one of these two before writing the file:
    :setlocal cm=zip
    :setlocal cm=blowfish

cm is an abbreviation for cryptmethod. Pkzip is a weak encryption method, but compatible with Vim 7.2 and older; Blowfish is strong. The help file has this to say about the pkzip method:
The algorithm used is breakable. A 4 character key in about one hour, a 6 character key in one day (on a Pentium 133 PC). This requires that you know some text that must appear in the file. An expert can break it for any key. When the text has been decrypted, this also means that the key can be revealed, and other files encrypted with the same key can be decrypted.
The blowfish method provides strong confidentiality, but no message integrity guarantees. It is known to be vulnerable to undetected modification if someone has write access to your files. If this is a concern, you should use an external program like PGP to digitally sign your file as well as encrypt it.
Some older Vim versions (older than 7.1, at least) ask only once for the password -- if you happen to mistype it, then good luck finding out what you mistyped.
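To find files that were saved with the weak pkzip method described above, you can read the header Vim puts at the start of every encrypted file (VimCrypt~01! for zip, VimCrypt~02! for blowfish). The script below is an added example, not part of the original tip; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tip): report which cryptmethod a
# Vim-encrypted file was written with, based on its 12-byte ASCII header.
#   VimCrypt~01!  cryptmethod=zip       (pkzip-compatible, breakable)
#   VimCrypt~02!  cryptmethod=blowfish
#   VimCrypt~03!  cryptmethod=blowfish2 (later Vim releases; not covered above)
# Any other VimCrypt~ header is reported as "unknown".

vimcrypt_method() {
    # Print the method name for file $1, or "none" when no header is present.
    vc_magic=$(dd if="$1" bs=12 count=1 2>/dev/null | tr -d '\000')
    case "$vc_magic" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        'VimCrypt~'*)   echo unknown ;;
        *)              echo none ;;
    esac
}

audit_vimcrypt() {
    # Print "<method><TAB><path>" for every argument. Returns 1 when at least
    # one file uses the zip method, so the call can gate a cron or CI check.
    vc_weak=0
    for vc_file in "$@"; do
        vc_m=$(vimcrypt_method "$vc_file")
        printf '%s\t%s\n' "$vc_m" "$vc_file"
        if [ "$vc_m" = zip ]; then vc_weak=1; fi
    done
    return "$vc_weak"
}

make_samples() {
    # Constructed sample files: real header magic followed by filler bytes,
    # not actual ciphertext. Prints the directory that holds them.
    vc_dir=$(mktemp -d) || return 1
    printf 'VimCrypt~01!filler-bytes' > "$vc_dir/old.txt"
    printf 'VimCrypt~02!filler-bytes' > "$vc_dir/new.txt"
    printf 'plain text, never encrypted\n' > "$vc_dir/plain.txt"
    echo "$vc_dir"
}

# Demo run over the constructed samples.
demo_dir=$(make_samples)
audit_vimcrypt "$demo_dir"/* || echo "zip-encrypted file found: re-save with a stronger cryptmethod"
rm -rf "$demo_dir"
```

A file flagged as zip can be re-protected by opening it with its key, running :setlocal cm=blowfish and writing it again.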
Solutions with external programs
Here are some autocommands tested with pgp version 2.6.2. The pgp call for writing uses PGP's "conventional" cryptography; to use its public key cryptography, use pgp -fe userid instead.
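    augroup PGP
      au!
      " Decrypt the buffer after reading the file
      au BufReadPost *.pgp :%!pgp -f
      " Encrypt the buffer with conventional cryptography before writing
      au BufWritePre *.pgp :%!pgp -fc
      " Undo the encryption so the buffer shows plain text again
      au BufWritePost *.pgp u
    augroup END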
Here is a set of autocommands that allows you to work on GPG-encrypted files as though they were ordinary text files. Be aware that Vim uses temporary files (rather than pipes) when filtering data through external programs, so the fully decrypted file will be written to disk twice:
- Once when reading from
- once when writing to
- and perhaps another time if your OS has unencrypted swap files.
With that said, here is the code.
    " Transparent editing of gpg encrypted files.
    " By Wouter Hanegraaff
    augroup encrypted
      au!

      " First make sure nothing is written to ~/.viminfo while editing
      " an encrypted file.
      autocmd BufReadPre,FileReadPre *.gpg set viminfo=
      " We don't want a swap file, as it writes unencrypted data to disk
      autocmd BufReadPre,FileReadPre *.gpg set noswapfile

      " Switch to binary mode to read the encrypted file
      autocmd BufReadPre,FileReadPre *.gpg set bin
      autocmd BufReadPre,FileReadPre *.gpg let ch_save = &ch|set ch=2
      " (If you use tcsh, you may need to alter this line.)
      autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg --decrypt 2> /dev/null

      " Switch to normal mode for editing
      autocmd BufReadPost,FileReadPost *.gpg set nobin
      autocmd BufReadPost,FileReadPost *.gpg let &ch = ch_save|unlet ch_save
      autocmd BufReadPost,FileReadPost *.gpg execute ":doautocmd BufReadPost " . expand("%:r")

      " Convert all text to encrypted text before writing
      " (If you use tcsh, you may need to alter this line.)
      autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg --default-recipient-self -ae 2>/dev/null
      " Undo the encryption so we are back in the normal text, directly
      " after the file has been written.
      autocmd BufWritePost,FileWritePost *.gpg u
    augroup END
If you use tcsh as your shell, the 2>/dev/null will make your shell sad. Create a gpg.sh script which will do the
    #!/bin/sh
    gpg "$@" 2>> .gpg.err
Then change the two lines in the .vimrc snippet above that actually do the GPG encryption/decryption to:
    autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg.sh --decrypt
    autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg.sh --default-recipient-self -ae
Here is a working autocmd set for ccrypt: note that it uses the environment variable, which can be dangerous on older multi-user systems (see
On Windows you must change the $vimpass variable to $VIMPASS, since for some reason Windows doesn't like lowercase environment variables.
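    augroup CPT
      au!
      " Read the file in binary mode; keep viminfo and swap files out of it
      au BufReadPre *.cpt set bin
      au BufReadPre *.cpt set viminfo=
      au BufReadPre *.cpt set noswapfile
      " Ask for the password and decrypt, passing the key via $vimpass (-E)
      au BufReadPost *.cpt let $vimpass = inputsecret("Password: ")
      au BufReadPost *.cpt silent '[,']!ccrypt -cb -E vimpass
      au BufReadPost *.cpt set nobin
      " Encrypt before writing, then undo so the buffer shows plain text again
      au BufWritePre *.cpt set bin
      au BufWritePre *.cpt '[,']!ccrypt -e -E vimpass
      au BufWritePost *.cpt u
      au BufWritePost *.cpt set nobin
    augroup END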
To create an empty .cpt file, do this:

    C:\> touch test
    C:\> ccrypt -e test

That will create the empty file test.cpt, which you can then open in Vim.