encrypted password vault with Vim + openssl

written by nathan on 2011-02-21 in sysadmin

In a post last year, DIY Encrypted Password Vault, I showed a simple way to use OpenSSL to create encrypted text files. Since I'd need to de-crypt those files to edit them (usually with Vim) there would be an unencrypted temp file sitting around while I was editing. And using a filesystem with history meant they were around for a long time. BAD. Surely there is a better way...

Can we encrypt directly with Vim? Actually, yes...Vim has encryption built in (via the -x flag)...it works and it's simple. Problem is that it uses 'crypt', which is not terribly hard to break. Also, it leaves a cleartext .tmp file around while you're editing it. Which means it's worthless to me for a password safe.

Enter the VIM openssl plugin. This plugin will allow you to write files with particular extensions corresponding to the type of encryption you desire (ex: ..des3 .aes .bf .bfa .idea .cast .rc2 .rc4 .rc5) and it turns off the swap file and .viminfo log, leaving no tmp files around. Excellent!  Here's typical usage:

Edit a new file with the .bfa extension:

$ vi test.bfa

Add your secrets and save it out. It will prompt you for a password (twice) to encrypt against.

blah blah blah : secrets of the world  
enter bf-cbc encryption password:  
Verifying - enter bf-cbc encryption password:

You can look at the data in the file to see the encrypted content:

$ cat test.bfa  

To re-open a previously encrypted file, just open it with vi. The plugin automatically recognizes the extension and prompts for your password:

"test.bfa" 2L, 78C

enter bf-cbc decryption password:

Pretty slick! You'll need the openssl binary in your path for this to work, which is pretty standard these days. Here is a little script that I run to set this up on my various home directories:

#! /bin/sh

test -d ~/.vim || mkdir ~/.vim/  
test -d ~/.vim/plugin || mkdir ~/.vim/plugin  
curl "http://www.vim.org/scripts/download_script.php?src_id=8564"
> ~/.vim/plugin/openssl.vim

Edit: 2010+ versions of Vim have blowfish support. Excellent, forward progress! I'm probably not going to upgrade Vim on my Mac and all my servers just for this when a plugin can work. Good to see progress but for now, this makes the most sense for me.

Tags: diy encryption openssl