Vim apparently has built-in encryption features. From the vim man page:
-x Use encryption when writing files. Will prompt for a crypt key.
The vim docs also call out:
There is never 100% safety. The encryption in Vim has not been tested for robustness.
If you've ever struggled to exit vim, don't even think about turning on the encryption: "when you reopen the file, Vim will ask for the key; if you enter the wrong key, Vim will "decrypt" it to gibberish content. DO NOT SAVE such a gibberish buffer, or your data will be corrupted."
history of encryption in vim
The original encryption method in vim was zip (still the default). It's a stream cipher based on PKZIP compression, which is about as secure as it sounds. Zip is vulnerable to known-plaintext attacks and uses an RNG that isn't cryptographically secure.
Vim replaced zip with blowfish in 2010. This implementation used cipher feedback mode, with the same IV re-used for the first 8 blocks. David Leadbeater wrote an excellent analysis of these problems and helped contribute a patch for blowfish2.
blowfish2 addressed the IV reuse issues and added a SHA256 MAC on the plaintext. Vim's documentation describes it as a "medium strong" encryption method.
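To see why the IV reuse mattered, here is an added example (not from the original post or from Vim's source) that models cipher feedback mode over 8-byte blocks, once with the first 8 blocks all masked by the same encrypted IV and once with normal chaining. The block function is a SHA-256-based stand-in rather than Blowfish, and the `reuse_iv_blocks` parameter, key, IV and plaintext are constructed for illustration.

```python
import hashlib

BLOCK = 8  # Blowfish block size in bytes

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward direction (assumption: NOT Blowfish)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes, reuse_iv_blocks: int = 0) -> bytes:
    """CFB encryption. reuse_iv_blocks=8 is a simplified model of the flaw
    described above: the first 8 blocks are all masked with E(key, iv)."""
    out, feedback = [], iv
    for i, p in enumerate(blocks(plaintext)):
        if i < reuse_iv_blocks:
            feedback = iv              # flaw: the chain is not advanced
        c = xor(E(key, feedback), p)   # keystream block XOR plaintext block
        out.append(c)
        feedback = c                   # sound CFB: feed this ciphertext block forward
    return b"".join(out)

def leaks_plaintext_xor(ciphertext: bytes, plaintext: bytes, i: int, j: int) -> bool:
    """True if c_i XOR c_j == p_i XOR p_j, i.e. blocks i and j shared a keystream.
    When that holds, knowing one plaintext block reveals the other."""
    c, p = blocks(ciphertext), blocks(plaintext)
    return xor(c[i], c[j]) == xor(p[i], p[j])

# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key"
IV = b"\x00\x01\x02\x03\x04\x05\x06\x07"
PLAINTEXT = b"constructed sample note: " * 4   # 100 bytes, 13 blocks

if __name__ == "__main__":
    flawed = cfb_encrypt(KEY, IV, PLAINTEXT, reuse_iv_blocks=8)
    sound = cfb_encrypt(KEY, IV, PLAINTEXT)
    for name, ct in (("IV reused for 8 blocks", flawed), ("normal chaining", sound)):
        shared = [j for j in range(1, 10) if leaks_plaintext_xor(ct, PLAINTEXT, 0, j)]
        print(f"{name}: blocks sharing block 0's keystream -> {shared}")
```

With the reused IV, blocks 1 through 7 share block 0's keystream, so the first 64 bytes behave like a repeating 8-byte XOR pad; with normal chaining no block does.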
More recently, vim added support for two new methods based on libsodium:
- xchacha20: A newer method that was available but is now deprecated
- xchacha20v2: The current experimental method, using the ChaCha20-Poly1305 AEAD cipher
There's also an interesting discussion on vim_dev about using SHA-256 for the KDF from the password.
what to use instead
If you need to encrypt text files for vim, you should probably reach for age, which provides a more modern library and a simple interface.