Using Vim to Store Passwords and Other Secrets in an Encrypted File
Updated  2022-December-30

Page contents

News

2022-October-14  As of today, this evolving⁠[1] article has been on the web for 1 year.🎂

Prerequisites

This article assumes…

  • you know the basics of Vim, including how to switch between normal mode and insert mode,

  • you know how to create and edit a vimrc file,

  • and you are using Vim v7.4.399⁠[2] or newer.

 

Terminology

In this article, Vim means either terminal Vim (vim) or GUI Vim (gvim).

 

Setting up Vim encryption

Note that the commands in this section are run within Vim.

If Vim is built with the cryptv feature, you can use it to create, view, and edit an encrypted file. To see if your version of Vim supports this, run:

:version

If your version of Vim supports encryption, the following will be displayed in the list of features.

+cryptv

To learn what types of encryption are supported by your version of Vim, run:

:help cryptmethod

This will list some or all of the following encryption methods.

zip
blowfish
blowfish2
xchacha20

In 2022, Vim’s default cryptmethod is blowfish2. To display your Vim’s current cryptmethod, run either of the following equivalent commands.

:set cryptmethod?
:set cm?
       ^
       Note the question mark

If you are using Vim v8.1.0606⁠[3] or newer, this should display:

cryptmethod=blowfish2

If it does not display this, do one of the following.

  1. Put the following in your vimrc.

    set cryptmethod=blowfish2

  2. Or update to Vim v8.1.0606⁠[3] or newer.⁠[4]

 

Vim v7.4.399⁠[2] or newer is needed to use blowfish2 encryption.

 

Using Vim encryption

To encrypt a file with Vim:

  1. Open the file in Vim.

  2. In command mode, run :X (note that X must be upper case).

  3. At the Enter encryption key: prompt, type a password.

  4. At the Enter same key again: prompt, retype the password.

  5. Save the file.

  6. Quit Vim.

 

To decrypt, edit, and re-encrypt a file with Vim:

  1. Attempt to open the file in Vim.

  2. At the Enter encryption key: prompt, type the file’s password.

  3. If you mistyped the file’s password…

    1. Close the file without saving it. For example by using Esc:q

  4. If you correctly typed the file’s password…

    1. Edit the file.

    2. Save the file.

    3. Quit Vim.

 

  • Do not forget an encrypted file’s password.

  • If you open an encrypted file and it looks like gibberish, close it without saving it.

  • Do not use Vim’s zip or blowfish encryption for anything important. Instead, use blowfish2[2] or xchacha20.

  • Neovim, which is also known as nvim, does not support encryption.

 

💡

If a Vim-encrypted file has been renamed and/or is on another device, it can be decrypted by any version of Vim that supports the used encryption method (e.g. blowfish2). This means that you can, for example, keep a copy of your encrypted-secrets file on a USB drive⁠[5] and open the file on any device with any Vim (v7.4.399+).⁠[2]

 

References

To view the results of the above three :help commands, either follow the links (each of which go to vimhelp.org) or run these commands within Vim.

 

See also

For more about Vim, see Infinite Ink’s…

 

Endnotes

1. Many Infinite Ink articles, including this one, are evergreen and regularly updated.
2. Starting with Vim v7.4.399, blowfish2 is available as a cryptmethod. Vim v7.4.399 was released 2014-⁠August-⁠10 (more than 8 years ago).
3. Starting with Vim v8.1.0606, the default cryptmethod is blowfish2. Vim v8.1.0606 was released 2018-⁠December-⁠16 (more than 4 years ago).
4. Another reason to update Vim is the :terminal command, which launches an integrated terminal emulator. :terminal, which is equivalent to :ter and :term, was introduced in Vim v8.1.
5. A USB drive is also known as a USB stick, thumb drive, flash drive, etc.

Feedback 📝 🤔 👎 👍