
Transparent editing of GPG-encrypted files in Vim


Tuesday, October 21st, 2008

Markus Braun wrote an essential gnupg Vim plugin for Linux/UNIX users who regularly work with GPG encrypted text files at the command line level. (Or, perhaps, for those of you who probably should be working with GPG encrypted text files more often!) Best of all, installation is a one-liner, and it comes with some security benefits, while allowing transparent editing of encrypted files.

One-liner Installation

wget -O ~/.vim/plugin/gnupg.vim \
    http://www.vim.org/scripts/download_script.php?src_id=9142

Yes, it’s usually that simple. However, if wget complains that the ~/.vim/plugin directory doesn’t exist, type mkdir -p ~/.vim/plugin to create it.

Usage

Using this plugin really couldn’t be much easier. Simply edit any encrypted file with a .gpg, .pgp, or .asc extension, and you’ll see something like the following:

$ vim top-secret.txt.gpg

"top-secret.txt.gpg" [noeol][converted] 3L, 1045C
You need a passphrase to unlock the secret key for
user: "Ryan Thompson <email@example.org>"
2048-bit ELG-E key, ID 12345678, created 2008-05-26 (main key ID 09876543)

Enter passphrase:

Bingo! Once you enter your passphrase, you have a normal Vim session with the decrypted contents in the buffer. When you write the buffer, the plugin re-encrypts it and writes only the ciphertext back to the file.

It also supports creating new encrypted files. If you edit any nonexistent file with a .gpg, .pgp, or .asc extension, you will first be prompted (within Vim) for a list of recipients in its own buffer:

GPG: ----------------------------------------------------------
GPG: Please edit the list of recipients, one recipient per line
GPG: Unknown recipients have a prepended "!"
GPG: Lines beginning with "GPG:" are removed automatically
GPG: Closing this buffer commits changes
GPG: ----------------------------------------------------------

It also checks each recipient against your public keyring, marking any it can't find with the prepended "!" mentioned above, and reports any errors gpg raises rather than silently producing a file nobody can decrypt.

Typing the command :GPGEditRecipients reopens that buffer for a file you're already editing, so you can change who can decrypt an existing file on the fly.
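To show what the plugin is doing for you when that recipient buffer closes, here is the same recipient handling redone by hand with the gpg command line. This is an added example, not code from gnupg.vim or from the original post; it assumes gpg (1.4 or 2.x) is on PATH, and the sample buffer text and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from gnupg.vim or the post: the plugin's recipient
# handling redone by hand with the gpg CLI. Assumes gpg (1.4 or 2.x) is on
# PATH. Sample recipient addresses used with this script are constructed.

# Turn the text of a recipient buffer (the "GPG:" format shown above) into
# one bare recipient per line: drop the "GPG:" comment lines and blank
# lines, trim whitespace, and strip the "!" marker that flags a recipient
# the plugin could not find in the keyring.
parse_recipient_buffer() {
    grep -v '^GPG:' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                          -e 's/^!//' -e '/^$/d'
}

# Mirror the plugin's keyring check: echo each recipient read from stdin,
# prefixed with "!" when gpg has no public key matching it.
mark_unknown_recipients() {
    while IFS= read -r rcpt; do
        if gpg --batch --quiet --list-keys "$rcpt" >/dev/null 2>&1; then
            printf '%s\n' "$rcpt"
        else
            printf '!%s\n' "$rcpt"
        fi
    done
}

# Encrypt stdin to OUTFILE for RECIPIENT...; refuse up front if any
# recipient is unknown, since gpg would otherwise fail (or, inside an
# editor session, prompt). Usage: encrypt_to_recipients OUTFILE RECIPIENT...
encrypt_to_recipients() {
    out=$1; shift
    for r in "$@"; do
        gpg --batch --quiet --list-keys "$r" >/dev/null 2>&1 || {
            printf 'unknown recipient: %s\n' "$r" >&2; return 1; }
        # rotate the positional list from "r1 r2 ..." into "-r r1 -r r2 ..."
        set -- "$@" -r "$r"; shift
    done
    gpg --batch --yes --quiet --encrypt "$@" --output "$out"
}

# Read path: decrypt to stdout, the way the plugin fills its buffer, so no
# plaintext file is ever created on disk by this step.
decrypt_to_stdout() {
    gpg --batch --quiet --decrypt "$1"
}

# List the key IDs a ciphertext is encrypted to (the starting point for
# :GPGEditRecipients) by dumping its public-key session-key packets; no
# private key is needed for this.
list_file_recipients() {
    gpg --batch --quiet --list-packets "$1" 2>/dev/null |
        sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p'
}

# Demo: pipe a recipient buffer in and see the keyring check applied, e.g.
#   printf 'GPG: header\nryan@example.org\n' | sh gpg-recipients.sh demo
if [ "${1:-}" = demo ]; then
    parse_recipient_buffer | mark_unknown_recipients
fi
```

Run the demo with a recipient buffer on stdin to see which entries would come back with a "!" on your own keyring; `encrypt_to_recipients` then gives you the same write path the plugin uses, with the unknown-recipient check done before gpg is ever invoked.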

Security Considerations

No matter which installation method you choose, I highly recommend you verify the download, especially when dealing with software that you are about to trust with your encryption and key data! The URL above is plain HTTP, so at minimum read the script before Vim loads it: a plugin runs with your privileges, and this one drives gpg and handles your plaintext, so the few minutes are well spent.

This plugin actually takes some additional precautions that would be difficult to achieve manually. This plugin:

  • Does not use temp files. Editing happens entirely in Vim's memory, so the plugin itself never writes plaintext to disk. (Memory is only as private as the OS keeps it: under pressure it can be paged to swap, which is why encrypted swap still matters.)
  • Automatically disables the Vim swapfile and viminfo for the buffer, so Vim's own crash-recovery and history files don't end up holding cached copies of the plaintext
  • Overrides Vim's write command so that :w encrypts the buffer contents and writes only ciphertext back to the original file
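As an added example (not code from the post or the plugin), here is the install one-liner from above with the verification the previous paragraph asks for, together with a check for the on-disk traces the list says the plugin prevents. It assumes POSIX sh, wget, and sha256sum or shasum; EXPECTED_SHA256 is a placeholder you fill in with the digest of a copy you have read through yourself, and the swap-file and viminfo locations checked are Vim's defaults.

```shell
#!/bin/sh
# Added example, not from the post or gnupg.vim: a verified install and an
# after-the-fact leak check. Assumes POSIX sh, wget, sha256sum or shasum.

PLUGIN_URL='http://www.vim.org/scripts/download_script.php?src_id=9142'
PLUGIN_DEST="$HOME/.vim/plugin/gnupg.vim"
# Placeholder: replace with the SHA-256 of a copy of the script you audited.
# Until you do, nothing matches and nothing gets installed.
EXPECTED_SHA256='<sha256 of the copy you audited>'

# Print the lowercase hex SHA-256 of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi | tr 'A-F' 'a-f'
}

# Return 0 if FILE's digest equals EXPECTED (case-insensitive), else 1.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Download to a private temp file, verify, and only then move the script to
# where Vim executes it. The original one-liner writes straight into
# ~/.vim/plugin, so a tampered download would run on the next Vim start.
install_plugin_verified() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$PLUGIN_URL"; then
        rm -f "$tmp"; echo 'download failed' >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        printf 'digest mismatch, refusing to install; got %s\n' \
            "$(sha256_of "$tmp")" >&2
        rm -f "$tmp"; return 1
    fi
    mkdir -p "$(dirname "$PLUGIN_DEST")" &&
        chmod 0644 "$tmp" && mv "$tmp" "$PLUGIN_DEST"
}

# After editing FILE, look for the traces the plugin is supposed to
# prevent: a Vim swap file beside it (Vim's default 'directory'), a backup
# file, and a viminfo entry naming it. Prints each finding; returns 1 if
# anything was found. Usage: leak_check FILE [VIMINFO]
leak_check() {
    file=$1
    viminfo=${2:-$HOME/.viminfo}
    dir=$(dirname "$file")
    base=$(basename "$file")
    found=0
    for trace in "$dir/.$base.swp" "$dir/.$base.swo" "$dir/$base~"; do
        if [ -e "$trace" ]; then
            printf 'found: %s\n' "$trace"
            found=1
        fi
    done
    if [ -r "$viminfo" ] && grep -qF -- "$base" "$viminfo"; then
        printf 'found: %s names %s\n' "$viminfo" "$base"
        found=1
    fi
    return "$found"
}

# Usage: sh gnupg-vim-checks.sh install
#        sh gnupg-vim-checks.sh check top-secret.txt.gpg
case "${1:-}" in
    install) install_plugin_verified ;;
    check)   leak_check "$2" ;;
esac
```

Run `check` on a file right after closing Vim: a clean result means no swap file, backup, or viminfo entry for that name exists where Vim would normally put them, which is what the plugin's noswapfile and viminfo settings are there to guarantee.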

In short, this plugin makes encryption significantly easier to use on a daily basis, without compromising security (depending on your existing habits, it may arguably handle editing more securely). If that gives you the freedom to encrypt sensitive material that you previously couldn't be bothered to encrypt, that's a pretty big win (assuming, of course, that your Poodle doesn't eat your private key, but that's a topic for another article). My thanks to Markus for creating this.