Update 2012-03-06: gnupg.vim now has a new maintainer. Link updated.
I’m always looking for a better way to digitally store private data, like passport numbers, credit cards, and server root passwords. Unfortunately, good encryption is hard to find. I have yet to find a solution better than “GPG-encrypted text files edited with a secure editor”. For five years I’ve used KGpg’s built-in text editor for this, but it has a number of limitations. Today, I discovered that I can do it natively within Vim.
Start by downloading the gnupg Vim plugin. Copy this file to ~/.vim/plugin.
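mkdir -p ~/.vim/plugin/
cd ~/.vim/plugin/
# The URL is quoted so the shell does not treat "?" as a glob character.
# It is the plugin's vim.org page; save the plugin file linked from it into this directory.
wget 'http://www.vim.org/scripts/script.php?script_id=3645'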
Now you need to set an environment variable. Add this to ~/.bashrc or some place sourced by your shell.
export GPG_TTY=`tty`
You can now use the plugin, but you’ll probably want to set some defaults. These tell the plugin to prefer ASCII-armored files and set your default recipient list. Both only apply to newly-created files. Add this to ~/.vimrc.
let g:GPGPreferArmor=1
let g:GPGDefaultRecipients=["name@example.com"]
You can now open, edit, and save encrypted files transparently. They must have a “.gpg”, “.pgp” or “.asc” suffix.
vim test.asc
GPG: ----------------------------------------------------------------------
GPG: Please edit the list of recipients, one recipient per line.
GPG: Unknown recipients have a prepended "!".
GPG: Lines beginning with "GPG:" are removed automatically.
GPG: Data after recipients between and including "(" and ")" is ignored.
GPG: Closing this buffer commits changes.
GPG: ----------------------------------------------------------------------
Alice Mallory <name@example.com> (ID: 0x13DF7065B198DDCC created at Tue 10 Aug 2010 15:52:29 UTC)
~
~
~
~
GPGRecipients_test.asc                                   8,1            All
:wq
Enter your data.
Here is my data.
:wq
Quit and it will be encrypted.
cat test.asc
gpg -d test.asc
Here is my data.
As always, using gpg-agent is a good idea. If you’re using Ubuntu, you are probably already doing this.
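An added check, not part of the original post or of gnupg.vim: if the plugin is not loaded, Vim saves a file named test.asc as ordinary plaintext, so this shell sketch lists files with the plugin's suffixes that do not start like an OpenPGP encrypted message. The function names and the first-byte heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example: find files that carry an "encrypted" suffix but do not look
# like OpenPGP data, e.g. because they were saved without the plugin loaded.

# looks_openpgp FILE -> exit 0 if FILE starts like OpenPGP data, 1 otherwise.
# Heuristic only: it catches ASCII plaintext, not text whose first byte is
# non-ASCII, and it does not prove the file decrypts.
looks_openpgp() {
    f=$1
    [ -s "$f" ] || return 1          # missing or empty: nothing was encrypted
    # Armored output (g:GPGPreferArmor=1) begins with this header line.
    # Armored keys or signatures use other headers and are reported too.
    if head -n 1 "$f" | LC_ALL=C grep -q -e '^-----BEGIN PGP MESSAGE-----'; then
        return 0
    fi
    # Binary OpenPGP: bit 7 of the first packet-header octet is always set
    # (RFC 4880, section 4.2), so the first byte is >= 128.
    byte=$(od -An -tu1 -N1 "$f" | tr -d ' \n')
    [ -n "$byte" ] && [ "$byte" -ge 128 ]
}

# scan_plaintext DIR -> prints every *.gpg, *.pgp or *.asc file under DIR that
# fails the check. Assumes file names contain no newlines.
scan_plaintext() {
    find "$1" -type f \( -name '*.gpg' -o -name '*.pgp' -o -name '*.asc' \) |
    while IFS= read -r p; do
        looks_openpgp "$p" || printf '%s\n' "$p"
    done
}

# Stand-alone use: sh check.sh ~/private   (script name and path are placeholders)
if [ "$#" -gt 0 ]; then
    scan_plaintext "$1"
fi
```

Any path it prints should be opened in Vim with the plugin active and saved again, then re-checked.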
-
Cool tip, thanks. I got this working after far too long fighting to solve a problem with gpg-agent on ubuntu netbook edition. It turns out the window manager (or specifically maximus) causes pinentry to seg fault before you can enter your passphrase.
I finally found a workaround here: https://bugs.launchpad.net/ubuntu/+source/pinentry/+bug/162585
-
Oops… wrong bug: https://bugs.launchpad.net/ubuntu/+source/maximus/+bug/573195