In a post last year, DIY Encrypted Password Vault, I showed a simple way to use OpenSSL to create encrypted text files. Since I'd need to de-crypt those files to edit them (usually with Vim) there would be an unencrypted temp file sitting around while I was editing. And using a filesystem with history meant they were around for a long time. BAD. Surely there is a better way...
Can we encrypt directly with Vim? Actually, yes...Vim has encryption built in (via the -x flag)...it works and it's simple. Problem is that it uses 'crypt', which is not terribly hard to break. Also, it leaves a cleartext .tmp file around while you're editing it. Which means it's worthless to me for a password safe.
Enter the VIM openssl plugin. This plugin will allow you to write files with particular extensions corresponding to the type of encryption you desire (ex: ..des3 .aes .bf .bfa .idea .cast .rc2 .rc4 .rc5) and it turns off the swap file and .viminfo log, leaving no tmp files around. Excellent! Here's typical usage:
Edit a new file with the .bfa extension:
$ vi test.bfa
Add your secrets and save it out. It will prompt you for a password (twice) to encrypt against.
blah blah blah : secrets of the world ~ ~ ~ ~ :wq enter bf-cbc encryption password: Verifying - enter bf-cbc encryption password:
You can look at the data in the file to see the encrypted content:
$ cat test.bfa U2FsdGVkX1+TPJBn3hsJ6nzsXzDvTXOxdDk1PkWkTDFG45HIvMnZbBNIrnJubPCY EexmfIJpZqo=
To re-open a previously encrypted file, just open it with vi. The plugin automatically recognizes the extension and prompts for your password:
"test.bfa" 2L, 78C enter bf-cbc decryption password:
Pretty slick! You'll need the openssl binary in your path for this to work, which is pretty standard these days. Here is a little script that I run to set this up on my various home directories:
#! /bin/sh test -d ~/.vim || mkdir ~/.vim/ test -d ~/.vim/plugin || mkdir ~/.vim/plugin curl "http://www.vim.org/scripts/download_script.php?src_id=8564" > ~/.vim/plugin/openssl.vim
Edit: 2010+ versions of Vim have blowfish support. Excellent, forward progress! I'm probably not going to upgrade Vim on my Mac and all my servers just for this when a plugin can work. Good to see progress but for now, this makes the most sense for me.