Encrypted Text Files with VIM

Working with Encrypted Files

VIM can be used to work with encrypted text files that hold sensitive data.

By default, working with VIM is not secure, but the .vimrc can be configured to make VIM relatively secure.

Plugins and custom functions in .vimrc pose a risk; therefore, keep the secure VIM configuration as simple as possible. The recommended configuration below will minimize the risk.

.vimrc configurations:

""=====[ Security / Encryption ]=================
set cryptmethod=blowfish2  " Set encryption method               (1)
set nobackup               " Prevent leakage of sensitive data   (2)
set nowritebackup          " "" (2)
set noswapfile             " "" (2)
set viminfo=               " Disable information about your session (3)
set secure                 " Limit potentially unsecure write operations (4)

(1) This is the most secure encryption method available in VIM and it is very secure.
(2) Prevent writing sensitive data to the disk, where it can potentially be read by other programs or logged-in users.
(3) Information about your session can contain sensitive data that can be compromised.
(4) For more information, run :h secure in VIM.

Terminal commands when working with encrypted text files:

$ vim --version              # (1)
$ vim -x myencryptedfile.txt # (2)
$ file myencryptedfile.txt   # (3)

(1) VIM version must be at least 7.4 with patch level 401.
(2) Edit the file with encryption enabled.
(3) Check the file type.

VIM commands when working with encrypted files:

:h :X                      " Documentation on VIM encryption
:X                         " Set an encryption key for the open file (encrypted on the next write)
:setlocal cm?              " Show encryption method for the current file
:setlocal cm=zip           " weak (default for backwards-compatibility)
:setlocal cm=blowfish      " strong, older
:setlocal cm=blowfish2     " best (requires Vim version 7.4.401 or higher)
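
An added example (not from the original page): a POSIX shell script that goes one step further than the `file` check above. It reads the 12-byte header Vim writes at the start of an encrypted file to report the cryptmethod, and flags swap or backup files left next to it. The function names are hypothetical, and the swap/backup file names assume Vim's default naming in the file's own directory.

```shell
#!/bin/sh
# Added example: audit Vim-encrypted files (function names are hypothetical).

# Print the cryptmethod implied by the first 12 bytes of the file.
vimcrypt_method() {
    magic=$(head -c 12 "$1" 2>/dev/null | tr -d '\000')
    case "$magic" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        'VimCrypt~'*)   echo unknown ;;   # a VimCrypt header this script does not map
        *)              echo none ;;      # no VimCrypt header: not encrypted by Vim
    esac
}

# Print swap (.name.sw?) and backup (name~) files found beside the given file.
vim_leftovers() {
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    for f in "$dir/.$base".sw? "$dir/$base~"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Return 0 only if the file uses blowfish2 and has no leftovers beside it.
audit_file() {
    method=$(vimcrypt_method "$1")
    left=$(vim_leftovers "$1")
    status=0
    if [ "$method" != blowfish2 ]; then
        echo "WEAK  $1: cryptmethod=$method"; status=1
    fi
    if [ -n "$left" ]; then
        echo "LEAK  $1: $left"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK    $1"
    return "$status"
}

# Usage: sh vimcrypt_audit.sh FILE...
for target in "$@"; do audit_file "$target" || true; done
```

A file reported as `zip` or `blowfish` can be re-encrypted by opening it, running `:setlocal cm=blowfish2`, and writing it again.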

It may be desirable to have both a secure and a full-featured VIM configuration. One option is to use VIM as the secure editor and neovim as the full-featured editor. The default configuration files are:

  1. VIM: ~/.vimrc

  2. neovim: ~/.config/nvim/init.vim

Another option is to have multiple VIM configuration files, for example:

  1. Full-featured VIM: ~/.vimrc

  2. Secure VIM: ~/.svimrc

To start the full-featured vim, use the vim command. To start the secure vim, use vim -u ~/.svimrc. An alias can be added for the secure vim:

alias svim="vim -u ~/.svimrc"