Recipe 7.24 Maintaining Encrypted Files with vim

7.24.1 Problem

You want to edit encrypted files in place with vim, without decrypting them to disk.

7.24.2 Solution

Add the following lines to your ~/.vimrc file:

" Transparent editing of GnuPG-encrypted files
" Based on a solution by Wouter Hanegraaff
augroup encrypted

    " First make sure nothing is written to ~/.viminfo while editing
    " an encrypted file.
    autocmd BufReadPre,FileReadPre      *.gpg,*.asc set viminfo=
    " We don't want a swap file, as it writes unencrypted data to disk.
    autocmd BufReadPre,FileReadPre      *.gpg,*.asc set noswapfile
    " Switch to binary mode to read the encrypted file.
    autocmd BufReadPre,FileReadPre      *.gpg       set bin
    autocmd BufReadPre,FileReadPre      *.gpg,*.asc let ch_save = &ch|set ch=2
    autocmd BufReadPost,FileReadPost    *.gpg,*.asc 
             \ '[,']!sh -c 'gpg --decrypt 2> /dev/null'
    " Switch to normal mode for editing
    autocmd BufReadPost,FileReadPost    *.gpg       set nobin
    autocmd BufReadPost,FileReadPost    *.gpg,*.asc let &ch = ch_save|unlet ch_save
    autocmd BufReadPost,FileReadPost    *.gpg,*.asc 
             \ execute ":doautocmd BufReadPost " . expand("%:r")

    " Convert all text to encrypted text before writing
    autocmd BufWritePre,FileWritePre    *.gpg 
             \ '[,']!sh -c 'gpg --default-recipient-self -e 2>/dev/null'
    autocmd BufWritePre,FileWritePre    *.asc 
             \ '[,']!sh -c 'gpg --default-recipient-self -e -a 2>/dev/null'
    " Undo the encryption so we are back in the normal text, directly
    " after the file has been written.
    autocmd BufWritePost,FileWritePost  *.gpg,*.asc u
augroup END

7.24.3 Discussion

vim can edit GnuPG-encrypted files transparently, provided they were encrypted for your key of course! If the stanza in our recipe has been added to your ~/.vimrc file, simply edit an encrypted file. You'll be prompted for your passphrase, and the decrypted file will be loaded into the current buffer for editing. When you save the file, it will be re-encrypted automatically.

vim will recognize encrypted file types by their suffixes, .gpg for binary and .asc for ASCII-armored. The recipe carefully disables viminfo and swap file functionality, to avoid storing any decrypted text on the disk.

The gpg commands in the recipe use public-key encryption. Tailor the command-line options to reflect your needs.

Incidentally, vim provides its own encryption mechanism, if vim was built with encryption support: you can tell by running vim ?version or using the :version command within vim, and looking for +cryptv in the list of features. To use this feature when creating a new file, run vim -x. For existing files, vim will recognize encrypted ones automatically, so -x is optional.

We don't recommend vim -x, however, because it has some significant disadvantages compared to GnuPG:

  • It's nonstandard: you can encrypt and decrypt these files only with vim.

  • It's weaker cryptographically than GnuPG.

  • It doesn't automatically disable viminfo or swap files. You can do this manually by setting the viminfo and swapfile variables, but it's easy to forget and leave decrypted data on the disk as a consequence.

7.24.4 See Also

Wouter Hanegraaff's original solution can be found at

    Chapter 9. Testing and Monitoring