Simple File Encryption

Encrypting an existing file

Use openssl. It's installed by default on most Macs and Linux boxes. To encrypt a file, use the following command:
$ openssl enc -aes-256-cbc -e -in foo.dat > foo.aes
If openssl is installed on your machine, you can work out what the options mean with man 1 enc (man openssl is useless). In short, the -aes-256-cbc flag specifies 256-bit AES encryption, which as of 2008 is believed to be essentially unbreakable (it's approved by the US government for use with top secret data). The -e flag specifies encryption; to decrypt the file, change it to -d (for decryption):
$ openssl enc -aes-256-cbc -d -in foo.aes 

Deleting plaintext files

On Macs (or other BSD machines), use the -P flag to rm:
$  rm -P foo.dat 
The -P flag tells rm to overwrite the file three times before deleting -- which is plenty to keep snoops that just have network access to your machine from reading your plaintext. The collective internet opinion seems to be that it is not sufficient to hide the contents from a forensics investigator with physical access to your hard drive, but if you're looking for that kind of security you should be reading a different page!

rm -P is not available on most Linux boxes, but shred works just as well. And shred overwrites 25 times, you know, so that you can keep things away from foreign intelligence services.

If you actually edit your plaintext file, be sure to also destroy any backups or cache files stored by your editor.

Integrating OpenSSL and vi

You can configure vi to work directly with OpenSSL. The advantage is that the plaintext is never written to the hard drive, so you don't have to worry about cleaning it up. Here are the directions to configure vim to use openssl. After you have openssl.vim installed, all you have to do is open a file with an .aes extension, and vim will automatically decrypt the file on open and encrypt it before writing. openssl.vim also takes care of disabling swap files, so you won't have to worry about those either. The file that gets written by vim is just a normal openssl file, so you can check that the encryption is working as expected by decrypting it as you would any other openssl-encrypted file.

The encryption built into vi

vi has built-in encryption, but in every version I'm aware of the vi encryption is notoriously insecure. Still, it can be used in "keep honest people honest" mode when you're in a situation where you can't use or don't want to bother with openssl. The command is:
$  vim -nx foo.dat 
The -n flag suppresses the creation of unencrypted swap files, and the -x flag tells vim to use encryption. You'll be asked for a password when you start editing. If you want to change the encryption password of an already encrypted file, use ':X' (that's a capital X). Entering nothing will remove the encryption. Note that vim encryption is not compatible with classic unix vi encryption, so you can only read the files you create this way with compatible versions of vi. vi seems to almost always be an alias for vim these days, so this is rarely a problem, but it's something to keep in mind if you use multiple machines. You can identify files that have been encrypted with vim because they will start with VimCrypt and then a bunch of nonsense.
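
Both checks mentioned above (confirming that a .aes file really is openssl output, and spotting vim-encrypted files by their VimCrypt header) can be done from the first few bytes of a file. The script below is an added example, not part of the original page: it relies on openssl enc writing the 8 bytes Salted__ at the start of a password-encrypted file, and on Vim writing VimCrypt~ followed by a method code (01! for the old zip method, 02! for blowfish, 03! for blowfish2). The function names classify_crypt and audit_dir and the sample files are made up for illustration.

```shell
#!/bin/sh
# classify_crypt FILE: report how FILE is protected, judged only by its
# leading bytes. No password is needed for this check.
classify_crypt() {
    # First 12 bytes as hex; od keeps binary salt bytes out of the shell.
    magic=$(od -An -tx1 -N12 "$1" | tr -d ' \n')
    case "$magic" in
        53616c7465645f5f*)         echo openssl-salted ;;     # Salted__
        56696d43727970747e303121*) echo vimcrypt-zip ;;       # VimCrypt~01!
        56696d43727970747e303221*) echo vimcrypt-blowfish ;;  # VimCrypt~02!
        56696d43727970747e303321*) echo vimcrypt-blowfish2 ;; # VimCrypt~03!
        56696d43727970747e*)       echo vimcrypt-other ;;     # VimCrypt~
        *)                         echo unrecognized ;;
    esac
}

# audit_dir DIR: print one line for each file in DIR that is named *.aes
# but is not an OpenSSL salted file (plaintext saved under the wrong name,
# for instance), and for each file using Vim's weak zip method.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f:$(classify_crypt "$f")" in
            *.aes:openssl-salted) ;;
            *.aes:*)        echo "NOT-OPENSSL $f" ;;
            *:vimcrypt-zip) echo "WEAK-VIMCRYPT $f" ;;
        esac
    done
}

# Demo on constructed sample files (headers only, not real ciphertext).
demo=$(mktemp -d)
printf 'Salted__01234567fake-ciphertext' > "$demo/foo.aes"
printf 'plaintext left behind\n'         > "$demo/oops.aes"
printf 'VimCrypt~01!fake-ciphertext'     > "$demo/todo.txt"
audit_dir "$demo"
rm -rf "$demo"
```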