encrypted password vault with Vim + openssl

In a post last year, DIY Encrypted Password Vault, I showed a simple way to use OpenSSL to create encrypted text files. Since I'd need to de-crypt those files to edit them (usually with Vim) there would be an unencrypted temp file sitting around while I was editing. And using a filesystem with history meant they were around for a long time. BAD. Surely there is a better way...

Can we encrypt directly with Vim? Actually, yes...Vim has encryption built in (via the -x flag)...it works and it's simple. Problem is that it uses 'crypt', which is not terribly hard to break. Also, it leaves a cleartext .tmp file around while you're editing it. Which means it's worthless to me for a password safe.

Enter the VIM openssl plugin. This plugin will allow you to write files with particular extensions corresponding to the type of encryption you desire (ex: ..des3 .aes .bf .bfa .idea .cast .rc2 .rc4 .rc5) and it turns off the swap file and .viminfo log, leaving no tmp files around. Excellent! Here's typical usage:

Edit a new file with the .bfa extension:

$ vi test.bfa

Add your secrets and save it out. It will prompt you for a password (twice) to encrypt against.

blah blah blah : secrets of the world ~ ~ ~ ~ :wq enter bf-cbc encryption password: Verifying - enter bf-cbc encryption password:

You can look at the data in the file to see the encrypted content:

$ cat test.bfa U2FsdGVkX1+TPJBn3hsJ6nzsXzDvTXOxdDk1PkWkTDFG45HIvMnZbBNIrnJubPCY EexmfIJpZqo=

To re-open a previously encrypted file, just open it with vi. The plugin automatically recognizes the extension and prompts for your password:

"test.bfa" 2L, 78C enter bf-cbc decryption password:

Pretty slick! You'll need the openssl binary in your path for this to work, which is pretty standard these days. Here is a little script that I run to set this up on my various home directories:

#! /bin/sh test -d ~/.vim || mkdir ~/.vim/ test -d ~/.vim/plugin || mkdir ~/.vim/plugin curl "http://www.vim.org/scripts/download_script.php?src_id=8564" > ~/.vim/plugin/openssl.vim

Edit: 2010+ versions of Vim have blowfish support. Excellent, forward progress! I'm probably not going to upgrade Vim on my Mac and all my servers just for this when a plugin can work. Good to see progress but for now, this makes the most sense for me.