[ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)


mwnx
Hello vim_use,

I created a plugin called VimCrypt to enable seamless reading and writing of
encrypted files in vim, which I find useful for password lists and other
sensitive information. Right now, it supports *openssl* and *gpg*, and can
be extended to support other methods.

It is inspired by, and compatible with, Noah Spurrier's ssl.vim. So for
anyone else that has been using that plugin (as I have), vim will still be
able to read files encrypted through that plugin. It also fixes some bugs
present in ssl.vim, and in particular the one where wrongly entering a
password after :w would just cause the file to be written out in plaintext.

Github: https://github.com/mwnx/vimcrypt

--
mwnx
GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: [ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)

Justin M. Keyes
On Sun, Sep 13, 2015 at 6:26 AM, mwnx <[hidden email]> wrote:

> Hello vim_use,
>
> I created a plugin called VimCrypt to enable seamless reading and writing of
> encrypted files in vim, which I find useful for password lists and other
> sensitive information. Right now, it supports *openssl* and *gpg*, and can
> be extended to support other methods.
>
> It is inspired by, and compatible with, Noah Spurrier's ssl.vim. So for
> anyone else that has been using that plugin (as I have), vim will still be
> able to read files encrypted through that plugin. It also fixes some bugs
> present in ssl.vim, and in particular the one where wrongly entering a
> password after :w would just cause the file to be written out in plaintext.
>
> Github: https://github.com/mwnx/vimcrypt

Other than supporting SSL, how does it compare to
https://github.com/jamessan/vim-gnupg ?

Justin M. Keyes

Re: [ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)

mwnx
On Mon, Sep 14, 2015 at 08:28:18AM -0400, Justin M. Keyes wrote:
> Other than supporting SSL, how does it compare to
> https://github.com/jamessan/vim-gnupg ?
>
> Justin M. Keyes

Well, before coding this plugin, I did take a look at vim-gnupg, but it just
seemed to be trying to do too much.

vimcrypt has a much simpler interface for gnupg where you just provide the
gpg shell command yourself (minus input and output). Combined with the reuse
of generic code between the gpg and ssl part, you get a pretty minimalistic
plugin.

For comparison, vim-gnupg has over 1000 non-comment lines of code, and these
are the results for vimcrypt:

   43 autoload/gpg.vim
   60 autoload/ssl.vim
  157 autoload/vimcrypt.vim
    4 plugin/gpg.vim
   12 plugin/ssl.vim
   35 plugin/vimcrypt.vim
   14 autoload/vimcrypt/fold.vim
    8 autoload/vimcrypt/util.vim
  333 total

Especially for anything relating to security and cryptography, I tend to
prefer simpler and smaller code.

That being said, I have not tried out vim-gnupg so if there are any features
that you find are lacking in vimcrypt, please let me know.

--
mwnx
GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726
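
An added example, not part of the original thread and not code from vimcrypt or ssl.vim: a fail-closed write for the two points above, the ssl.vim bug where a wrongly entered password after :w left plaintext on disk, and the interface where the user supplies the encryption command minus input and output. The function name `write_encrypted` and the temp-file naming are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; NOT vimcrypt's or ssl.vim's implementation.
#
# write_encrypted TARGET CMD [ARGS...]   (hypothetical helper)
#   Reads plaintext on stdin, pipes it through CMD (a filter that writes
#   ciphertext to stdout) and replaces TARGET only if CMD succeeded.
#   Example use, assuming gpg is installed:
#     write_encrypted notes.gpg gpg --symmetric < notes.txt
write_encrypted() {
    we_target=$1
    shift
    we_dir=$(dirname -- "$we_target")

    # Temp file in the same directory, so the final mv is a rename on the
    # same filesystem and readers never see a half-written file.
    # mktemp creates it with mode 0600.
    we_tmp=$(mktemp "$we_dir/.enc.XXXXXX") || return 2

    # Run the user-supplied filter. Two conditions must both hold:
    #   1. the filter exited 0 (a wrong or mismatched passphrase makes
    #      gpg/openssl exit non-zero), and
    #   2. it actually produced output.
    if "$@" > "$we_tmp" && [ -s "$we_tmp" ]; then
        mv -f -- "$we_tmp" "$we_target"
    else
        # Fail closed: never fall back to writing the plaintext, and keep
        # the previous ciphertext in TARGET untouched.
        rm -f -- "$we_tmp"
        return 1
    fi
}
```

The plaintext only ever travels through the pipe to the filter; the only data written to disk is the filter's output, and the existing file is replaced in a single rename after the filter has reported success.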

Re: [ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)

Erik Christiansen
On 13.09.15 12:26, mwnx wrote:
> I created a plugin called VimCrypt to enable seamless reading and writing of
> encrypted files in vim, which I find useful for password lists and other
> sensitive information. Right now, it supports *openssl* and *gpg*, and can
> be extended to support other methods.

Is there any comparison documentation we can read, preferably with
metrics, of the plugin versus simply using cryptmethod=blowfish in Vim's
integrated encryption? Mucking with plugins does sometimes introduce
conflicts, and the probability of that increases with the number used.
So I'd be looking for some sort of offsetting benefit.

Erik

Re: [ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)

mwnx
On Tue, Sep 15, 2015 at 07:00:04PM +1000, Erik Christiansen wrote:

> On 13.09.15 12:26, mwnx wrote:
> > I created a plugin called VimCrypt to enable seamless reading and writing of
> > encrypted files in vim, which I find useful for password lists and other
> > sensitive information. Right now, it supports *openssl* and *gpg*, and can
> > be extended to support other methods.
>
> Is there any comparison documentation we can read, preferably with
> metrics, of the plugin versus simply using cryptmethod=blowfish in Vim's
> integrated encryption? Mucking with plugins does sometimes introduce
> conflicts, and the probability of that increases with the number used.
> So I'd be looking for some sort of offsetting benefit.
>
> Erik

Not sure what kinds of metrics you're talking about. An advantage of this
plugin over vim's integrated blowfish support is that it's compatible with
standard tools, which is useful if you want to be able to read files created
by vim outside of vim, or if you want to be able to read files created by a
standard tool (gpg or openssl) inside of vim.

Also, blowfish seems to no longer be a very recommended cipher. From
Wikipedia:

    Blowfish is known to be susceptible to attacks on reflectively weak
    keys.[8] [9] This means Blowfish users must carefully select keys as
    there is a class of keys known to be weak, or switch to more modern
    alternatives like the Advanced Encryption Standard, Salsa20, or
    Blowfish's more modern successors Twofish and Threefish. Bruce Schneier,
    Blowfish's creator, is quoted in 2007 as saying "At this point, though,
    I'm amazed it's still being used. If people ask, I recommend Twofish
    instead."[10] The FAQ for GnuPG (which features Blowfish as one of its
    algorithms) recommends that Blowfish should not be used to encrypt files
    that are larger than 4 Gb because of its small 64-bit block size.[11]

Not to mention the fact that –as far as I've surmised– vim decided to create
its own implementation of blowfish instead of using one that has already had
time to undergo public scrutiny, such as GPG's implementation.

All in all, I just don't see why I should trust using the blowfish algorithm
to encrypt sensitive information at this stage when there are much better
alternatives out there which are readily available. And I especially can't
trust any kind of in-house implementation of it.

That being said, if you're only trying to protect your password safe –which
you only open with vim anyway– from your little sister, vim's built-in
encryption will be quite sufficient. It all really just depends on your use
cases and attack models.

For more information on vimcrypt's capabilities, all the documentation is in
doc/vimcrypt.txt (https://github.com/mwnx/vimcrypt/blob/master/doc/vimcrypt.txt).

--
mwnx
GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726

Re: [ANN] Plugin: VimCrypt: A small framework for encryption and decryption in vim. (supports openssl and gpg)

Erik Christiansen
On 15.09.15 12:17, mwnx wrote:
> Not sure what kinds of metrics you're talking about.

Thank you, the Wikipedia reference is enough to gain an idea of
blowfish's current security. In the first paragraph: "Blowfish provides
a good encryption rate in software and no effective cryptanalysis of it
has been found to date."

That said, with cm=blowfish, Vim does now (7.4.688) say:

Warning: Using a weak encryption method; see :help 'cm'
Enter encryption key:

Changing to cm=blowfish2 has fixed that, catching up with developments
sufficiently for my use case, I think. (I have one 5 kB encrypted file,
i.e. so much less than 4 GB, that there isn't enough text on which to do
much useful cryptanalysis.)

> Also, blowfish seems to no longer be a very recommended cipher. From
> Wikipedia:
>
>     Blowfish is known to be susceptible to attacks on reflectively weak
>     keys.[8] [9] This means Blowfish users must carefully select keys as
>     there is a class of keys known to be weak, or switch to more modern
>     alternatives like the Advanced Encryption Standard, Salsa20, or
>     Blowfish's more modern successors Twofish and Threefish. Bruce Schneier,
>     Blowfish's creator, is quoted in 2007 as saying "At this point, though,
>     I'm amazed it's still being used. If people ask, I recommend Twofish
>     instead."[10] The FAQ for GnuPG (which features Blowfish as one of its
>     algorithms) recommends that Blowfish should not be used to encrypt files
>     that are larger than 4 Gb because of its small 64-bit block size.[11]

Skimming through reference [9], I figure that 5 kB of encrypted text is
far too little meat for even the improved attack to be of any use, so even the
older blowfish would still be a hard nut to crack.

> Not to mention the fact that –as far as I've surmised– vim decided to create
> its own implementation of blowfish instead of using one that has already had
> time to undergo public scrutiny, such as GPG's implementation.

The algorithm implementation published on Wikipedia shows it to be a
trivial coding exercise. I'm delighted to have that fully integrated in
Vim, so there's nothing outside, that I have to muck with.

> All in all, I just don't see why I should trust using the blowfish algorithm
> to encrypt sensitive information at this stage when there are much better
> alternatives out there which are readily available. And I especially can't
> trust any kind of in-house implementation of it.

For large files, it is theoretically weak, and superseded. But Twofish
covers that.

...
> For more information on vimcrypt's capabilities, all the documentation is in
> doc/vimcrypt.txt (https://github.com/mwnx/vimcrypt/blob/master/doc/vimcrypt.txt).

The long keys look good.

Thank you. You've improved my security, even without moving across ... yet.

Erik
