Encrypting with vim


Last week I suggested that application-specific encryption can solve some data confidentiality problems better than a sweeping approach like whole-disk encryption. One thing you learn in Learning Tree’s Linux introduction course, or the Linux server administration course that follows it, or the optimization and troubleshooting course or another follow-up, is that you are never done learning more skills with some of the more complex commands like the vim editor!

The Best Way to Encrypt with vim

The safest way to do this is to add the following to your ~/.vimrc file:

set cm=blowfish2
set viminfo=
set nobackup
set nowritebackup

The first line sets the “cryptmethod” to blowfish2. This uses the Blowfish cipher in an improved mode. If you set this to simply blowfish without the “2”, it does use the Blowfish cipher, but in a strangely weakened mode.

The second line suppresses the use of a ~/.viminfo file. That file can be handy, as it remembers where you were within each file, your recent searches, and other recent details, but therein lies the danger! The third and fourth lines suppress similarly dangerous use of backup files.

You use encryption by pressing :X within a vim session. You will be asked for a pass phrase (twice), and from now on that file will be saved in encrypted mode. You will see [blowfish2] on the status line at bottom when you write out the file. A salt is used, so each subsequent encryption of the same cleartext with the same pass phrase generates different ciphertext.

The next time you try to open the file, you will be asked for the pass phrase. Anything other than the correct pass phrase puts you into a buffer of ciphertext gibberish.

We need vim version 7.3 or later to support the weaker blowfish, and version 7.4.399 or later for blowfish2.

The Best Method Is Not Yet Portable

I became enthused about this after some experimentation on my laptop where I run OpenBSD, a UNIX-family operating system designed for security. OpenBSD includes vim version 7.4.769.

Unfortunately, many otherwise current Linux distributions do not include recent enough vim to support the blowfish2 method! RHEL and CentOS 7, for example, come with vim version 7.4.160.

What’s The Difference?

The weaker blowfish isn’t so weak as to run the cipher in ECB or Electronic Codebook Mode, but it’s close. A very short explanation here says that blowfish2 uses CFB or Cipher Feedback Mode on 64-bit blocks.

Let’s test this!

I created a file with one long line of 511 “o” characters, and vim will put a newline at the end. I made two copies, testfile-blowfish and testfile-blowfish2. Then I encrypt each file with vim in the corresponding mode.

Here’s the better version. Even though the cleartext is constant, the ciphertext looks random. This is what we want:

$ file testfile-blowfish2
testfile-blowfish2: Vim encrypted file data
$ hexdump -C testfile-blowfish2 | head
00000000  56 69 6d 43 72 79 70 74  7e 30 33 21 d8 fa 79 1b  |VimCrypt~03!..y.|
00000010  5c 7a f6 42 1a 13 44 56  96 da 1c 78 ce da bc 60  |\z.B..DV...x...`|
00000020  7c cf 67 2f 6d 12 bb ce  56 4d 05 27 a5 dc 96 a2  ||.g/m...VM.'....|
00000030  c7 09 6b 38 d9 48 b3 2a  e3 ab a2 0e 6d ac 32 7a  |..k8.H.*....m.2z|
00000040  fb 6d 5f ba 46 f1 fb 2d  84 d9 28 69 f9 1a 0d b6  |.m_.F..-..(i....|
00000050  52 04 2f 9b 55 f7 e6 10  9c d2 9c 8b 3a 7f 81 24  |R./.U.......:..$|
00000060  83 c2 65 20 cf 47 19 af  4a d9 67 34 92 82 9a b5  |..e .G..J.g4....|
00000070  7b a7 34 54 de 6a 7f 64  bc d8 35 55 b6 0f c2 5f  |{.4T.j.d..5U..._|
00000080  7c 44 38 13 03 cf da 74  96 89 f1 03 d9 87 f6 57  ||D8....t.......W|
00000090  6b a5 d7 3d 07 60 4f 4d  12 28 23 fd 01 b7 77 2e  |k..=.`OM.(#...w.|

Unfortunately, when I copy that to the latest RHEL/CentOS, their older vim reports that the file is encrypted with an unknown method.

Here’s the weaker version. There is a 12 byte header and then repeating patterns appear in the ciphertext — 8 repeats each of 8-byte patterns. Information is leaking through!

$ file testfile-blowfish
testfile-blowfish: Vim encrypted file data
$ hexdump -C testfile-blowfish
00000000  56 69 6d 43 72 79 70 74  7e 30 32 21 b1 79 66 42  |VimCrypt~02!.yfB|
00000010  54 f5 3d e0 7f af 09 70  cb 9e e2 a9 e9 91 5e 4c  |T.=....p......^L|
00000020  24 04 3f 10 e9 91 5e 4c  24 04 3f 10 e9 91 5e 4c  |$.?...^L$.?...^L|
00000050  24 04 3f 10 e9 91 5e 4c  24 04 3f 10 6f 86 fb 2c  |$.?...^L$.?.o..,|
00000060  cb f7 d7 da 6f 86 fb 2c  cb f7 d7 da 6f 86 fb 2c  |....o..,....o..,|
00000090  cb f7 d7 da 6f 86 fb 2c  cb f7 d7 da 44 fc 47 01  |....o..,....D.G.|
000000a0  04 08 33 96 44 fc 47 01  04 08 33 96 44 fc 47 01  |..3.D.G...3.D.G.|
000000d0  04 08 33 96 44 fc 47 01  04 08 33 96 e8 eb d9 d0  |..3.D.G...3.....|
000000e0  0b 02 f4 0e e8 eb d9 d0  0b 02 f4 0e e8 eb d9 d0  |................|
00000110  0b 02 f4 0e e8 eb d9 d0  0b 02 f4 0e 83 5d 22 ea  |.............]".|
00000120  4d 99 d7 ee 83 5d 22 ea  4d 99 d7 ee 83 5d 22 ea  |M....]".M....]".|
00000150  4d 99 d7 ee 83 5d 22 ea  4d 99 d7 ee c3 06 fd 96  |M....]".M.......|

What To Do?

For now, the weaker blowfish method is strong enough for some applications, and I’ll use it in the interest of portability. But I will keep watching the major Linux distributions to see when their vim catches up!

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.