How to Password Protect Text Files Using Vim on Linux (or macOS)

The vim text editor, a standard tool included on Linux and macOS, can quickly encrypt text files with a password. It’s faster and more convenient than encrypting a text file with a separate utility. Here’s how to set it up.

Make Sure Your System’s Vim Has Encryption Support

Some Linux distributions, including Ubuntu, include a minimal version of vim by default, intended only for basic text editing. For example, Ubuntu calls this package “vim-tiny”. If you try to use encryption in such a minimal version of vim, you’ll see a “Sorry, this command isn’t available in this version” message.

You may need to install the full version of vim to get this feature on your Linux distribution. For example, on Ubuntu, you can get the full version of vim that by running the following command:

sudo apt install vim

The version of vim included by default with macOS does include encryption support, so you don’t need to install anything else on a Mac. Just launch a terminal window from Finder > Applications > Utilities > Terminal and the commands will work the same on macOS as they do on Linux.

How to Encrypt a File With a Password

The basic process is relatively simple if you know how to use vi. If you don’t, you might get hung up on vi’s modal interface. When you open a text file in vim, there are two modes. By default, you’re in a “command mode” where you can use the keys on your keyboard to perform commands. You can also press “i” to enter “Insert mode”, where you can type normally and move the cursor around with the arrow keys, as you would in other text editors. To leave insert mode, press “Esc” and you’ll be back to command mode.

First, launch vim. For example, the following command will launch vim and point it at a file named “example” in the current directory. If that file doesn’t exist, vim will create a file named “example” in the current directory when you save it:

vi example

You can also point vi at another path with a command like the below one. You don’t have to create a file in the current directory.

vi /path/to/file

Edit the file normally. For example, you can press “i” to enter insert mode and then type text normally. While editing a file, press Esc to ensure you’re in command mode and not insert mode. Type :X and press Enter.

You’ll be prompted to enter a password, which the text file will be encrypted with. Type the password you want to use, press Enter, and type it again to confirm. You’ll need to enter this password any time you want to open the file in the future.

Vim will warn that you’re using a weak encryption method by default. We’ll show you how to use a more secure encryption method later.

A password will be associated with the current text file in Vim, but you’ll need to save your changes before the password is actually assigned to the file. To do this, press Esc to ensure you’re in command mode, and then type :wq and press Enter to write the file to disk and quit Vim.

The next time you attempt to open the file in Vim—for example, by running “vi example“—Vim will ask you for the password associated with the file.

If you enter the wrong password, the contents of the file will be gibberish.

Warning: Don’t save the file if you open it and see gibberish. This will save the corrupted data back to the file and overwrite your encrypted data. Just run :q to quit Vim without saving the file to disk.

There’s one other shortcut you can use here. Rather than creating or opening a file with “vim /path/to/file“, you can run the following command to have vim create or open a file and make it immediately prompt you to encrypt the file with a password:

vi -x /path/to/file

Note that you need to use a lower-case x here, while you need to use an upper-case X when running the associated encryption command from inside Vim.

How to Enable Stronger Encryption in Vim

By default, Vim uses very bad encryption for these files. The default “zip” or “pkzip’ encryption method is backwards compatible with versions 7.2 and below of vim. Unfortunately, it can be cracked very, very easily—even on hardware from the 90’s. As the official documentation puts it: “The algorithm used for ‘cryptmethod’ “zip” is breakable. A 4 character key in about one hour, a 6 character key in one day (on a Pentium 133 PC).”

You should not use pkzip encryption for your text documents if you want any security at all. However, Vim provides better encryption methods. Version 7.3 of Vim released in 2010 added a “blowfish” encryption method, which is better. Version 7.4.399 released in 2014 included a new Blowfish encryption method that fixes security problems in the original “blowfish” encryption method, and dubs it “blowfish2”.

The only problem is that files you create with stronger encryption methods require these newer versions of Vim. So, if you want to use “blowfish2” encryption, you’ll only be able to open that file with Vim versions 7.4.399 and above. As long as you’re fine with that, you should use the strongest encryption method possible.

To check which encryption method a file is using, open the file in vim, press the Esc key to ensure you’re in command mode, type the following command, and press Enter.

:setlocal cm?

The “cm” here stands for “cryptmethod”.

You’ll see the encryption method used for the current file displayed at the bottom of the vim screen.

To choose an encryption method, run one of the following commands. The “blowfish2” encryption is best for security.

:setlocal cm=blowfish2

:setlocal cm=blowfish

:setlocal cm=zip

Once you’ve selected your encryption algorithm, use the :w command to write the file to disk or the :wq command to write the file to disk and quit.

The next time you re-open the file in Vim, it won’t complain about a weak encryption algorithm. You’ll also see the encryption algorithm you selected at the bottom of the vim screen when you open the file.

How to Change or Remove a Password

To remove a password from a file, open that file in Vim and run the :X command. You’ll be prompted to provide a new encryption key. Enter the new password you want to use here. To remove the password completely, leave the password field blank and just press Enter twice.

Save the file and quit afterwards with :wq . The file will be decrypted, so you won’t be prompted to enter a password when you open the file in the future.

Be sure to remember whatever password you set or you won’t be able to access the contents of the file in the future.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.