
Vim Tips Wiki

Encryption

Revision as of 17:43, February 26, 2013 by Fritzophrenic (Talk | contribs)

Tip 90

created 2001 · complexity intermediate · author Erhan · version 6.0

Vim can encrypt your documents. :X prompts for an encryption key, which is stored in the key option. The file will remain unchanged until you write it.

When you reopen the file, Vim will ask for the key; if you enter the wrong key, Vim will simply open the file as-is, which will look like gibberish. The text in the swap file and the undo file is also encrypted; the text in memory is not encrypted. The viminfo file is not encrypted, and should not be used:

:set viminfo=

If you want to disable encryption, just empty the key option:

:set key=

The difference between :X and :set key=something is that :X displays asterisks as you type, so that no one can peek at your encryption key. Also, :set commands may end up in your viminfo file.

From version 7.3, Vim supports Blowfish encryption as well as a pkzip-compatible method. To choose which one to use, type one of these two before writing the file:

:setlocal cm=zip
:setlocal cm=blowfish

cm is an abbreviation for cryptmethod. Pkzip is a weak encryption method, but compatible with Vim 7.2 and older; Blowfish is strong. The help file has this to say about the pkzip method:

The algorithm used is breakable. A 4 character key in about one hour, a 6 character key in one day (on a Pentium 133 PC). This requires that you know some text that must appear in the file. An expert can break it for any key. When the text has been decrypted, this also means that the key can be revealed, and other files encrypted with the same key can be decrypted.

The blowfish method provides strong confidentiality, but no message integrity guarantees. It is known to be vulnerable to undetected modification if someone has write access to your files. If this is a concern, you should use an external program like PGP to digitally sign your file as well as encrypt it.

Some older Vim versions (older than 7.1, at least) ask only once for the password -- if you happen to mistype it, then good luck finding out what you mistyped.

Solutions with external programs

PGP

Here are some autocommands tested with pgp version 2.6.2. The pgp call for writing uses PGP's "conventional" cryptography; to use its public key cryptography, use pgp -fe userid instead.

augroup PGP
  au!
  au BufReadPost *.pgp :%!pgp -f
  au BufWritePre *.pgp :%!pgp -fc
  au BufWritePost *.pgp u
augroup END

GPG

Here is a set of autocommands that allows you to work on GPG-encrypted files as though they were ordinary text files. Be aware that Vim uses temporary files (rather than pipes) when filtering data through external programs, so the fully decrypted file will be written to disk twice:

  • Once when reading from gpg --decrypt,
  • once when writing to gpg --encrypt,
  • and perhaps another time if your OS has unencrypted swap files.

With that said, here is the code.

" Transparent editing of gpg encrypted files.
" By Wouter Hanegraaff
augroup encrypted
  au!

  " First make sure nothing is written to ~/.viminfo while editing
  " an encrypted file.
  autocmd BufReadPre,FileReadPre *.gpg set viminfo=
  " We don't want a swap file, as it writes unencrypted data to disk
  autocmd BufReadPre,FileReadPre *.gpg set noswapfile

  " Switch to binary mode to read the encrypted file
  autocmd BufReadPre,FileReadPre *.gpg set bin
  autocmd BufReadPre,FileReadPre *.gpg let ch_save = &ch|set ch=2
  " (If you use tcsh, you may need to alter this line.)
  autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg --decrypt 2> /dev/null

  " Switch to normal mode for editing
  autocmd BufReadPost,FileReadPost *.gpg set nobin
  autocmd BufReadPost,FileReadPost *.gpg let &ch = ch_save|unlet ch_save
  autocmd BufReadPost,FileReadPost *.gpg execute ":doautocmd BufReadPost " . expand("%:r")

  " Convert all text to encrypted text before writing
  " (If you use tcsh, you may need to alter this line.)
  autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg --default-recipient-self -ae 2>/dev/null
  " Undo the encryption so we are back in the normal text, directly
  " after the file has been written.
  autocmd BufWritePost,FileWritePost *.gpg u
augroup END

If you use tcsh as your shell, the 2>/dev/null will make your shell sad. Create a gpg.sh script which will do the stderr redirection:

#!/bin/sh
gpg "$@" 2>> .gpg.err

Then change the two lines in the .vimrc snippet above that actually run GPG for encryption and decryption to:

autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg.sh --decrypt
autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg.sh --default-recipient-self -ae
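As an added example (not code from the wiki page or from the author of the snippet above), here is a variant of the GPG autocommand group with the plaintext side-channels discussed above closed off. It assumes the 'shelltemp', 'undofile' and 'writebackup' options are available (Vim 7.3 or later on Unix); with 'shelltemp' off Vim feeds the filter command through a pipe instead of a temporary file, so Vim itself no longer writes the decrypted text to disk on read or write. The unencrypted OS swap mentioned in the list above is outside Vim's control and is not addressed here.

```vim
" Added example: GPG autocommands with plaintext side-files disabled.
" Assumes Vim 7.3+ on Unix ('shelltemp', 'undofile', 'writebackup').
augroup encrypted_hardened
  autocmd!

  " Nothing decrypted may land in viminfo, a swap file, a backup
  " file or a persistent undo file.
  autocmd BufReadPre,FileReadPre *.gpg set viminfo=
  autocmd BufReadPre,FileReadPre *.gpg set nobackup nowritebackup
  autocmd BufReadPre,FileReadPre *.gpg setlocal noswapfile noundofile

  " Filter through a pipe rather than a temporary file on disk.
  autocmd BufReadPre,FileReadPre *.gpg set noshelltemp

  " Read the ciphertext untouched, then decrypt the buffer in place.
  " (If you use tcsh, use the gpg.sh wrapper from above instead of 2>/dev/null.)
  autocmd BufReadPre,FileReadPre *.gpg setlocal binary
  autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg --decrypt 2>/dev/null
  autocmd BufReadPost,FileReadPost *.gpg setlocal nobinary

  " Re-run filetype detection on the name without the .gpg suffix.
  autocmd BufReadPost,FileReadPost *.gpg execute ":doautocmd BufReadPost " . expand("%:r")

  " Encrypt on write, then undo so the buffer shows plaintext again.
  autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg --default-recipient-self -ae 2>/dev/null
  autocmd BufWritePost,FileWritePost *.gpg u
augroup END
```

The 'ch' juggling from the original snippet is omitted because with pipes there is no extra "press ENTER" prompt to hide; if your build still shows one, add the two `ch` lines back. Check the effect with `:set shelltemp?` and `:set swapfile? undofile?` after opening a .gpg file: all three should report "no".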

ccrypt

Here is a working autocmd set for ccrypt. Note that it passes the password through an environment variable (the -E option), which can be dangerous on older multi-user systems (see man ccrypt).

On Windows you must change the $vimpass variable to $VIMPASS, since for some reason Windows doesn't like lowercase environment variables.

augroup CPT
  au!
  au BufReadPre *.cpt set bin
  au BufReadPre *.cpt set viminfo=
  au BufReadPre *.cpt set noswapfile
  au BufReadPost *.cpt let $vimpass = inputsecret("Password: ")
  au BufReadPost *.cpt silent '[,']!ccrypt -cb -E vimpass
  au BufReadPost *.cpt set nobin
  au BufWritePre *.cpt set bin
  au BufWritePre *.cpt '[,']!ccrypt -e -E vimpass
  au BufWritePost *.cpt u
  au BufWritePost *.cpt set nobin
augroup END

To create an empty .cpt file, do this:

C:\> touch test
C:\> ccrypt -e test

That will create the empty file test.cpt, which you can then open in Vim.
