Vim is a powerful text editor which can be found installed by default on most *nix systems. One handy security feature of vim is the built-in support for file encryption. This is a quick and easy way to password protect your personal files to prevent anyone from accessing sensitive information.
Encryption Methods
Encryption in vim has existed for a number of years but it wasn’t until 2010 with the addition of the powerful Blowfish encryption method that it has been considered properly secure.
Even better is the improved blowfish2 method which has been available since version 7.4. To verify which version of vim is installed on your system, run this command:
vim --version
For OSX users you can maintain the very latest version of vim with the Homebrew package manager:
brew install vim --override-system-vim
The first step is to configure vim to use blowfish2 for encryption. This setting can be permanently stored by adding the following to your ~/.vimrc file:
set cm=blowfish2
.vimrc is a configuration file used to store custom vim settings and is loaded each time vim is opened. The file should be placed in your $HOME directory if it does not exist already.
Encrypt files
To get started with file encryption, open vim with the -x option:
vim -x info.txt
If the specified file does not exist then vim will create one.
The first thing you will see is the encryption key prompt. Choose a memorable password and press the enter key, you will then be asked to confirm the choice by entering it a second time:
File encryption can also be enabled at anytime within vim, simply type :X when in normal mode.
When you are happy with your document, type :w to save the file or :wq to save and exit vim.
A quick way to verify if your data is encrypted is to run the helpful file command:
file info.txt
This command will evaluate the contents of a file to determine the true file type. If your data is successfully encrypted you will see a similar message:
Decrypt files
When an encrypted file is opened with another text editor or document viewer, you will be greeted with a stream of unintelligible characters:
Opening with vim however, you will be prompted to enter the encryption key before proceeding.
Entering the correct key will temporarily decrypt the file allowing you to view and edit the contents. When you next exit the file the encryption will remain.
An further example of the encryption / decryption process is demonstrated in this asciicast:
Change Encryption Key
If you would like to use a different key to access your encrypted file there are a number of ways to change it.
One method is to pass the +X option when opening an encrypted file:
vim +X info.txt
First you will be prompted to enter the existing key, then you will be asked to set and confirm a new choice.
To change the key within vim, you can either type :X and enter a new choice or you can directly set a new key with this command:
:set key=password
The new key should be in place of password in the above example.
With this method there will not be any visual feedback to indicate the change, but after saving and exiting the key will be updated.
Remove encryption
To permanently decrypt a file, the steps are similar to the previous key change methods. If an empty encryption key is specified then the file encryption will be removed. This can easily be done by pressing the enter key twice after typing the :X command, setting no password and removing encryption.
Another quick method is to run this direct command:
:set key=
Remember to save your file after these commands to confirm the disabled encryption status.
To ensure the highest level of protection for your encrypted data, there are a few extra configuration options. By default, vim will store file backups and session information which could pose a risk of exposing data.
Add the following to your ~/.vimrc file to disable these features:
set viminfo=
set nobackup
set nowritebackup
Summary
The Vim encryption covered in this article is a great way to quickly protect personal files, but just keep in mind that it is not an ultra high-security solution. Remember to use a long encryption key and try not to store anything too sensitive.