Security

Vim offers strong file encryption with Blowfish

Support for stronger encryption was added to Vim in 2010, making it actually useful for file encryption.

2010 saw the release of version 7.3 of the Vim text editor. Vim was originally written by Bram Moolenaar and first released in 1991. While it has not been around nearly as long as Berkeley vi -- the model on which Vim was based -- it is a venerable mainstay of many developers' toolkits.

Vim has offered built-in support for file encryption for a long time, as long as it is built with the +cryptv feature. This made working with encrypted files incredibly easy and transparent -- almost entirely unnoticeable, in fact. Unfortunately, Vim file encryption suffered one major problem: its only method was the PkZip-compatible stream cipher, which Vim's own documentation describes as a weak kind of encryption and which should not be trusted to protect anything of value.

As of Vim version 7.3, the editor now supports Blowfish encryption. Bruce Schneier created the Blowfish cipher to fill the need for a replacement for the aging and increasingly vulnerable DES cipher, releasing it in 1993 and declaring that he would never subject it to restrictions on use and implementation:

Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.

No practical break of the full Blowfish cipher has been published to date, a good sign after more than seventeen years of heavy testing and use. It remains one of the strongest ciphers available to the general public and, unlike ciphers developed in part by the NSA, there is little reason to fear that it carries an intentionally included "backdoor". It does have one structural limitation worth knowing about: its block size is only 64 bits, so a single key should not be used to encrypt very large amounts of data, and Schneier himself has since recommended Twofish over Blowfish for new designs. For a handful of notes files under one passphrase, that is not a practical concern.

To determine whether the Vim package you have installed on your OS of choice has been built with the cryptv option, enter the vim --version command at a shell prompt. If the string +cryptv appears in the output under "Features included (+) or not(-):", your Vim binary has been built with support for file encryption. Note that Vim 7.3 or later can use Blowfish, but does not do so by default: for compatibility with older versions the 'cryptmethod' option still defaults to "zip", so a file is saved with the weak method unless you put set cryptmethod=blowfish in your vimrc (or type :set cm=blowfish) before writing it. You can see which method a buffer will be written with using :set cryptmethod?. Vim builds with patch 7.4.399 or later also offer "blowfish2", which corrects an implementation flaw in the 7.3 "blowfish" method and should be preferred where available.

On a typical Unix-like system, you may want to filter for the +cryptv string:

vim --version | grep +cryptv

The result, using the grep utility, should look something like this:

+conceal +cryptv +cscope +cursorbind +cursorshape +dialog_con_gui +diff
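Rather than eyeballing the version banner, the check can be scripted. The following is an added example, not code from the article or from the Vim project: a POSIX shell function that reads the text of vim --version on standard input and prints the strongest 'cryptmethod' that build can use, based on the documented facts that "zip" exists in every +cryptv build, "blowfish" arrived with Vim 7.3 and "blowfish2" with patch 7.4.399. The vimcaps script name at the bottom is an arbitrary choice for this example.

```shell
#!/bin/sh
# Added example (not from the article or the Vim project): decide which
# Vim encryption method a build supports from the text of `vim --version`.
#
# Facts this relies on, all from Vim's own documentation:
#   - "+cryptv" in the feature list means the build can encrypt files
#   - 'cryptmethod' "zip" exists in every +cryptv build (weak)
#   - "blowfish" was added in Vim 7.3
#   - "blowfish2" was added in patch 7.4.399 and fixes an implementation
#     flaw in "blowfish"
#
# vim_crypt_caps reads the `vim --version` text on stdin and prints one of
#   none | zip | blowfish | blowfish2
# Exit status is 0 when encryption is available at all, 1 otherwise.
vim_crypt_caps() {
    text=$(cat)

    # Feature list: "+cryptv" present, or "-cryptv" (or nothing at all).
    case "$text" in
        *+cryptv*) ;;
        *) echo none; return 1 ;;
    esac

    # Banner line: "VIM - Vi IMproved 7.4 (2013 Aug 10, compiled ...)"
    ver=$(printf '%s\n' "$text" |
          sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
          head -n 1)
    major=${ver%% *}
    minor=${ver##* }
    if [ -z "$major" ]; then
        echo zip            # +cryptv but unparseable banner: assume the baseline
        return 0
    fi

    # Highest included patch, from "Included patches: 1-2029" or
    # "Included patches: 1-4, 6-20"; the line is absent in unpatched builds.
    patch=$(printf '%s\n' "$text" |
            sed -n 's/^Included patches:.*[-, ]\([0-9][0-9]*\)$/\1/p' |
            head -n 1)
    patch=${patch:-0}

    if [ "$major" -gt 7 ] ||
       { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ] && [ "$patch" -ge 399 ]; }; then
        echo blowfish2
    elif [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; then
        echo blowfish
    else
        echo zip
    fi
    return 0
}

# When installed as "vimcaps" (an arbitrary name for this example), print the
# line to put in your vimrc, e.g.:  vimcaps >> ~/.encrypted_vim_rc
case "${0##*/}" in
    vimcaps)
        method=$(vim --version | vim_crypt_caps) ||
            { echo "vimcaps: this vim was built without +cryptv" >&2; exit 1; }
        [ "$method" = zip ] &&
            echo "vimcaps: only the weak zip method is available; upgrade Vim" >&2
        echo "set cryptmethod=$method" ;;
esac
```

The function only parses text, so it can be pointed at the output of any Vim binary (vim, gvim, a remote host's copy pasted in) without running it here; the emitted set cryptmethod= line is what the rest of the article's configuration needs, since a +cryptv build does not pick Blowfish on its own.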

Assuming it has been built with file encryption support, working with file encryption in Vim is so easy as to be nearly second nature to a habitual Vim user. To open a plain text file or create a new one, you might normally enter a command at the shell like this:

vim filename.txt

The exacting, complex, highly difficult and dangerous version that tells Vim you want to encrypt the file when you save it looks like this:

vim -x filename.txt

Once a file has been encrypted by Vim once, you never need to use the -x option when opening that file again; Vim will automatically recognize it as an encrypted file and Do The Right Thing. Using the -x option when opening a file that has already been encrypted by Vim should not hurt anything, though.

Because Blowfish is a symmetric key encryption system, the same key is used for both encryption and decryption. When Vim opens a file for the first time with the -x option, the first thing it will do is ask you to give it a key you can use to encrypt and decrypt the file, with this prompt:

Enter encryption key:

After entering the key, you will then be asked to confirm the key, to ensure you did not mistype it.

Enter same key again:

After that point, Vim will act exactly the way it always has, as far as the user can tell. When you save and exit the file, there will then be an encrypted file containing the secret data you put in it. When opening the file with Vim again, the editor will ask you to enter the key needed to decrypt it for you; once open, you can again edit the file just as you would any other, and when you save the file again, it will be encrypted again.

Of course, you also want to keep Vim from leaving plaintext copies of the file lying around. One of the benefits of using Vim directly for file encryption is that you never have to write a decrypted version of the file to disk, edit it, and re-encrypt it afterwards. That benefit is completely obviated if your editor writes temporary files full of unencrypted data to disk: the swap file it keeps while you edit, the backup it makes when writing, the persistent undo file (new in 7.3, off by default), and the viminfo file, which by default saves register contents and search history and so may end up holding text yanked from the encrypted buffer.

You can do that by creating a special vimrc file -- though you will not want to name it .vimrc, because Vim would then use it all the time, automatically. Call it something like .encrypted_vim_rc and pass it with Vim's -u option:

vim -u ~/.encrypted_vim_rc -x filename.txt

That may look like a bit of a virtual "mouthful" to type every time you want to work with encrypted files. A shell alias, such as a vimenc alias that runs vim with that set of command line options, will help. How exactly you go about setting aliases depends on your shell. In tcsh, for instance:

alias vimenc "vim -u ~/.encrypted_vim_rc -x"

In bash, it would look more like this:

alias vimenc="vim -u ~/.encrypted_vim_rc -x"

Then you will not need to type more than vimenc filename.txt to open a file (whether it has already been encrypted by Vim or not) and have it encrypted on save, without unencrypted versions of the file landing on disk as Vim swap or backup files while you have the editor open. Of course, for this to work, you need that .encrypted_vim_rc file. Vim should not write unencrypted swap or backup data to disk if you include the following in that configuration file (add set noundofile and set viminfo= alongside them if you also want undo history and register contents kept off disk):

set nobackup

set noswapfile

set nowritebackup

Note that the -u option keeps Vim from loading the usual vimrc files (the system vimrc and your ~/.vimrc). If you want Vim to use the complete set of configuration options it normally sources, use the source command in your .encrypted_vim_rc file to pull in your regular vimrc, putting it first so that the settings that follow override anything it contains. The special configuration file loaded by the vimenc alias then contains these lines:

source ~/.vimrc

set nobackup

set noswapfile

set nowritebackup
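As an added example that builds on this configuration (it is not part of the article), the wrapper script below does what the vimenc alias does, with three additions a practitioner would want: it writes the rc file on first use with the three settings above plus set noundofile and set viminfo= (so undo history, registers and search history stay off disk too), it pins 'cryptmethod' so a new file is not saved with Vim's default "zip" method, and it inspects the 12-byte VimCrypt~ header of an existing file and warns when it was saved with "zip". The VIMENC_RC and VIMENC_METHOD variables and the function names are choices made for this example; the header magic values and option names are Vim's own.

```shell
#!/bin/sh
# Added example (not from the article or the Vim project): a "vimenc" wrapper
# around the article's .encrypted_vim_rc idea.  Names such as VIMENC_RC,
# VIMENC_METHOD and the function names are choices made for this example.
#
# Facts relied on, from Vim's documentation: a Vim-encrypted file starts with
# the 12-byte magic "VimCrypt~01!" (zip), "VimCrypt~02!" (blowfish) or
# "VimCrypt~03!" (blowfish2, patch 7.4.399 and later), and Vim 7.3 still
# defaults 'cryptmethod' to the weak "zip" unless told otherwise.

VIMENC_RC="${VIMENC_RC:-$HOME/.encrypted_vim_rc}"
VIMENC_METHOD="${VIMENC_METHOD:-blowfish}"   # use blowfish2 if your Vim has it

# Print the method a file was saved with: plain | zip | blowfish | blowfish2.
# Returns 1 for "plain" so callers can branch on it.
vim_crypt_header() {
    magic=$(dd if="$1" bs=12 count=1 2>/dev/null)
    case "$magic" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        *)              echo plain; return 1 ;;
    esac
}

# Create the rc file once, owner-readable only.  The article's three settings
# keep swap and backup files off disk; noundofile and viminfo= do the same for
# undo history, registers and search history; cryptmethod pins the cipher.
vimenc_write_rc() {
    rc=$1 method=$2
    [ -e "$rc" ] && return 0
    (
        umask 077
        cat > "$rc" <<EOF
if filereadable(expand('~/.vimrc')) | source ~/.vimrc | endif
set nobackup
set nowritebackup
set noswapfile
set noundofile
set viminfo=
set cryptmethod=$method
EOF
    )
}

vimenc_main() {
    [ "$#" -ge 1 ] || { echo "usage: vimenc FILE..." >&2; return 2; }
    vim --version | grep -q '+cryptv' ||
        { echo "vimenc: this vim was built without +cryptv" >&2; return 1; }
    vimenc_write_rc "$VIMENC_RC" "$VIMENC_METHOD"
    for f in "$@"; do
        [ -e "$f" ] || continue          # new file: encrypted on first :w
        m=$(vim_crypt_header "$f") ||
            echo "vimenc: $f is not encrypted yet; it will be on the next write" >&2
        [ "$m" = zip ] &&
            echo "vimenc: $f was saved with the weak zip method; re-save it with :set cm=$VIMENC_METHOD then :w" >&2
    done
    exec vim -u "$VIMENC_RC" -x "$@"
}

# Run only when installed under the name "vimenc", e.g. ln -s vimenc.sh ~/bin/vimenc
case "${0##*/}" in vimenc) vimenc_main "$@" ;; esac
```

With noswapfile set, Vim can no longer recover the buffer after a crash or warn you that another Vim instance has the same file open; that is the price of keeping plaintext off disk, so save often. Vim's own help also points out two limits no rc file can remove: the decrypted text is in memory while you edit, and text you filter through :!cmd or write with :w !cmd leaves Vim unencrypted.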

Unfortunately, Vim's built-in encryption support is not entirely suitable for sharing encrypted files with others, because its only strong method is the Blowfish cipher. Blowfish is great, but it is a symmetric key cipher, not a public key cipher: whoever you share the file with needs the same passphrase, which you then have to get to them over some other secure channel, and there is no way to encrypt to several recipients or to sign the file. It is great for single-person file encryption tasks, but less so for sharing files with others. This is where an external public key tool such as GnuPG must be used with Vim to manage file encryption.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

2 comments
justinmk

Chad, thanks for the article--it's one of the few that I found explaining this useful option, allowing me to discard my old home-grown gpg script. Also really glad you pointed out the .swp file settings. Note that in order for vim to use blowfish, you need "set cm=blowfish" in .vimrc (or .encrypted_vim_rc). I've noticed that files encrypted with cm=blowfish are marked with "VimCrypt~02" (instead of the old "VimCrypt~01"). Are you using the setup described in your article, or have you updated your approach since then?

Sterling chip Camden

Thanks for the info. I see from vim's help that :X can be made to use Blowfish as well.