Secure Password Storage With Vim and GnuPG

There is a raft of tools out there for secure storage of passwords, but they will all come and go; Vim and GnuPG are forever.

Here’s the config:

augroup encrypted
    au!

    " First make sure nothing is written to ~/.viminfo while editing
    " an encrypted file.
    autocmd BufReadPre,FileReadPre      *.gpg set viminfo=
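    " We don't want a swap file, as it writes unencrypted data to disk
    autocmd BufReadPre,FileReadPre      *.gpg set noswapfile
    " Likewise, keep persistent undo from writing plaintext history to disk
    autocmd BufReadPre,FileReadPre      *.gpg if has('persistent_undo') | setlocal noundofile | endif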
    " Switch to binary mode to read the encrypted file
    autocmd BufReadPre,FileReadPre      *.gpg set bin
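    " Save the command-line height and raise it to 2 while gpg runs
    autocmd BufReadPre,FileReadPre      *.gpg let ch_save = &ch|set ch=2
    " Filter the lines just read through gpg to decrypt them
    autocmd BufReadPost,FileReadPost    *.gpg '[,']!gpg --decrypt 2> /dev/null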
    " Switch to normal mode for editing
    autocmd BufReadPost,FileReadPost    *.gpg set nobin
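    " Restore the saved command-line height
    autocmd BufReadPost,FileReadPost    *.gpg let &ch = ch_save|unlet ch_save
    " Re-run the BufReadPost autocommands for the file name without .gpg
    autocmd BufReadPost,FileReadPost    *.gpg execute ":doautocmd BufReadPost " . expand("%:r")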

    " Convert all text to encrypted text before writing
    autocmd BufWritePre,FileWritePre    *.gpg   '[,']!gpg --default-recipient-self -ae 2>/dev/null
    " Undo the encryption so we are back in the normal text, directly
    " after the file has been written.
    autocmd BufWritePost,FileWritePost  *.gpg   u

    " Fold entries by default
    autocmd BufReadPre,FileReadPre      *.gpg set foldmethod=expr
    autocmd BufReadPre,FileReadPre      *.gpg set foldexpr=getline(v:lnum)=~'^\\s*$'&&getline(v:lnum+1)=~'\\S'?'<1':1
augroup END

Now, open a file, say super_secret_passwords.gpg, and enter your passwords with a blank line between each set:

My Twitter account
malc : s3cr3t

My Facebook account
malc : s3cr3t

My LinkedIn account
malc : s3cr3t

When you write the file out, it will be encrypted with your GPG key. When you next open it, you’ll be prompted for your GPG private key passphrase to decrypt the file.

The line folding config means all the passwords are hidden by default when you open the file. You can reveal the details using zo (or right arrow / l) with the cursor over the password title.

I like this system because as long as I have gpg and my private key available, I can extract any long lost password from my collection.
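
As an added example (not code from the original post), the same file can be queried from a shell without opening Vim: the functions below decrypt it with gpg and print only the entries whose title matches. The function names `select_entries` and `pw_lookup` are made up here, and the entry layout (title line first, blank line between entries) is assumed from the sample above.

```sh
#!/bin/sh
# Added example, not code from the original post. Function names are
# hypothetical; the entry layout is assumed from the post's sample file.

# select_entries PATTERN
# Reads decrypted plaintext on stdin and prints each blank-line-separated
# entry whose title (first line) contains PATTERN, ignoring case.
# Only the title is searched, so a pattern never matches on password text.
# Returns 1 when nothing matched.
select_entries() {
    # PATTERN goes through the environment: awk -v would interpret
    # backslash escapes in it.
    PAT=$1 awk '
        BEGIN { RS = ""; FS = "\n"; ORS = "\n\n"; pat = tolower(ENVIRON["PAT"]) }
        index(tolower($1), pat) { print; found = 1 }
        END { exit !found }
    '
}

# pw_lookup FILE PATTERN
# Decrypts FILE with gpg and prints the matching entries. The plaintext is
# held in a shell variable and a pipe only, never in a temporary file.
# Returns 2 if FILE is unreadable, 3 if gpg cannot decrypt it.
pw_lookup() {
    [ -r "$1" ] || { echo "pw_lookup: cannot read $1" >&2; return 2; }
    plain=$(gpg --quiet --decrypt "$1") || return 3
    status=0
    printf '%s\n' "$plain" | select_entries "$2" || status=$?
    unset plain
    return "$status"
}

# Usage: pw_lookup super_secret_passwords.gpg twitter
```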
