Using Vim to Store Passwords and Other Secrets in an Encrypted File
Updated 2021-December-3

Page contents

News

2021-October-14  Published this evolving⁠[1] article.

Prerequisites

This article assumes…

  • you know the basics of Vim, including how to switch between command mode and insert mode,

  • you know how to create and edit a vimrc file,

  • and you are using Vim v7.4.399⁠[2] or newer.

 

Terminology

In this article, Vim means either terminal Vim (vim) or GUI Vim (gvim).

 

Setting up Vim encryption

Note that the commands described in this section are run from within Vim.

If Vim is built with the cryptv feature, you can use it to create, view, and edit an encrypted file. To see if your version of Vim supports this, run:

:version

If your version of Vim supports encryption, the following will be displayed in the list of features.

+cryptv

To learn what types of encryption are supported by your version of Vim, run:

:help cryptmethod

This will list some or all of the following encryption methods.

zip
blowfish
blowfish2
xchacha20

In 2021-October, blowfish2 is recommended and is the default. To display your Vim’s current default cryptmethod, run either of the following equivalent commands.

:set cryptmethod?
:set cm?
       ^
       Note the question mark

If you are using Vim v8.1.0606⁠[3] or newer, this should display:

cryptmethod=blowfish2

If it does not display this, do one of the following.

  1. Put the following in your vimrc.

    set cryptmethod=blowfish2
  2. Or update to Vim v8.1.0606⁠[3] or newer.⁠[4]

 

Vim v7.4.399⁠[2] or newer is needed to use blowfish2 encryption.

 

Using Vim encryption

To encrypt a file with Vim:

  1. Open the file in Vim.

  2. In command mode, run :X (note that X must be upper case).

  3. At the Enter encryption key: prompt, type a password.

  4. At the Enter same key again: prompt, retype the password.

  5. Save the file.

  6. Quit Vim.

 

To decrypt, edit, and re-encrypt a file with Vim:

  1. Attempt to open the file in Vim.

  2. At the Enter encryption key: prompt, type the file’s password.

  3. If you mistyped the file’s password…

    1. Close the file without saving it. For example by using Esc:q

  4. If you correctly typed the file’s password…

    1. Edit the file.

    2. Save the file.

    3. Quit Vim.

 

  • Do not forget an encrypted file’s password.

  • If you open an encrypted file and it looks like gibberish, close it without saving it.

  • Do not use Vim’s zip or blowfish encryption for anything important.

  • Neovim, which is also known as nvim, does not support encryption.

 

💡

If a Vim-encrypted file has been renamed and/or is on another device, it can be decrypted by any version of Vim that supports the used encryption method (e.g. blowfish2). This means that you can, for example, keep a copy of your encrypted-secrets file on a USB drive⁠[5] and open the file on any device with any Vim (v7.4.399+).⁠[2]

 

References

To view the above three references, run these commands from within Vim or follow the links (which all go to vimhelp.org).

 

See also

Endnotes


1. Many Infinite Ink articles, including this one, are evergreen and regularly updated.
2. Starting with Vim v7.4.399, blowfish2 is available as a cryptmethod. Vim v7.4.399 was released 2014-⁠August-⁠10 (more than 6 years ago).
3. Starting with Vim v8.1.0606, the default cryptmethod is blowfish2. Vim v8.1.0606 was released 2018-⁠December-⁠16 (more than 2 years ago).
4. Another reason to update Vim is the :terminal command, which launches an integrated terminal emulator. The :terminal command, which is equivalent to :ter and :term, was introduced in Vim v8.1.

Comments and questions 📝 👍 👎 🤔

Your public comment or question might immediately improve this page or help me to (eventually) improve this page.